Password policy
Updated by Katy Harrison
As the admin of an organisation, you're responsible for setting the password policy for users in your organisation. Setting the password policy can be complicated and confusing, and this article provides recommendations to make your organisation more secure against password attacks.
Recommended settings
The password policy for newly created organisations will have the recommended settings as below. Password policies can be adjusted by users with Customer admin permissions to include requiring numbers, mixed case and special characters in order to adhere to internal policies.
Minimum length: 14
To encourage users to think about a unique password, we require a minimum length of 14 characters. Encourage your users to use a randomly generated password stored in a password manager. If they can't use a password generator and manager, they should use the 'three random words' method to come up with a stronger password.
Minimum lowercase: 0
Minimum uppercase: 0
Minimum numbers: 0
Minimum special characters: 0
Forcing your users to choose a combination of uppercase letters, lowercase letters, digits and special characters has a negative effect. Some complexity requirements even prevent users from using secure and memorable passwords, and force them into coming up with passwords that are both less secure and less memorable.
Password expiry: 0
Password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them.
Password repetition restriction: 10
What happens when you change the password policy
Any change made to the Organisation (for example to the password policy, but also a name change) requires the minimum length and repetition restriction to be set to at least the values above.
If the password policy is updated, existing users only need to change their password when their current one expires, if an expiry period is set. If you want all users to change their passwords to adhere to the new policy, use the bulk edit functionality to force a password reset on next login.
Password advice for your organisation
We've put together the top tips for keeping accounts secure that your users can implement. You can share this article with your organisation for further advice on keeping their accounts safe.