Password requirements
This page provides the following guidelines for creating strong passwords and defining password renewal and expiration standards throughout your organization:
Password criteria options
There are various criteria options for determining the complexity of users' passwords. Below are some example sets of password complexity rules that you might apply:
Example 1:
- At least one number
- At least one letter
- At least one lowercase letter
Example 2:
- At least 1 uppercase letter
- At least 1 lowercase letter
- At least 1 digit (digit is 0 to 9)
Example 3:
- At least 1 uppercase letter
- At least 1 lowercase letter
- At least 1 digit (digit is 0 to 9)
- Minimum length of 7 characters
- Maximum length of 12 characters
Example 4:
- At least 1 uppercase letter
- At least 1 lowercase letter
- At least 1 digit (digit is 0 to 9)
- At least 1 of any of the following symbols: [!"#$%&'()*+,\-./:;<=>?@^_`{|}~]
- Minimum length of 7 characters
- Maximum length of 15 characters
Password must not:
- Be based on well known information, easily accessible information, or personally identifiable information (for example, MyD0gMax, 234marketst).
- Be a dictionary word or a combination of a dictionary word and characters (for example, umbrella, t0fu, password123).
- Contain a space.
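A validator for the Example 4 rule set combined with the "must not" rules, as an added example that is not part of the original page; the word list, the substitution table used to undo digit-for-letter spellings such as t0fu, and the known_info tokens are constructed assumptions (a real deployment would load a proper dictionary and the user's profile data).

```python
import re

# Symbols accepted by Example 4 (the page's "\-" is a literal hyphen).
SYMBOLS = set("!\"#$%&'()*+,-./:;<=>?@^_`{|}~")

# Constructed stand-in for a dictionary; a real check loads a word list.
DICTIONARY = {"umbrella", "tofu", "password", "welcome"}

# Reverse common digit/symbol-for-letter substitutions so "t0fu" reads "tofu".
LEET = str.maketrans("0134578@$", "oieastbas")


def check_password(password, known_info=(), min_len=7, max_len=15):
    """Return the list of rules the password violates (empty means compliant).

    known_info: lowercase tokens tied to the user (name, pet, street);
    any token of 3+ characters found inside the password is rejected.
    """
    problems = []
    if not min_len <= len(password) <= max_len:
        problems.append(f"length must be {min_len}-{max_len} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("missing uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("missing lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("missing digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("missing symbol")
    if " " in password:
        problems.append("contains a space")
    lowered = password.lower()
    if any(t in lowered for t in known_info if len(t) >= 3):
        problems.append("based on personal or well-known information")
    # Dictionary rule: a listed word, as typed or after undoing leet
    # substitutions, embedded anywhere in the password is rejected, which
    # also catches "word plus characters" forms such as password123.
    deleeted = lowered.translate(LEET)
    if any(w in lowered or w in deleeted for w in DICTIONARY):
        problems.append("dictionary word, alone or combined with characters")
    return problems
```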
Duration
Duration refers to how often users must change their passwords. For example, you might decide that users have to change their passwords every 90 days.
Prior passwords used
Prior passwords used is the number of most recently used passwords that cannot be reused when changing a password. For example, if you set this limit to 3, users cannot use any of their last three passwords when changing their passwords.
Maximum number of failed attempts
The maximum number of failed attempts is the maximum number of times that an incorrect password can be entered before the user is locked out of the application. For example, if you set this limit to 5 and a user enters the incorrect password 5 times, the user will be locked out of the application.
To ensure security, you must set a limit for the number of attempts. Too few allowed attempts, and users risk getting locked out if they make a data-entry mistake. Too many (or unlimited) allowed attempts, and users' accounts are not secure and open to brute-force attacks.
Expiration warnings
Expiration warnings refer to how many days before their passwords expire users are notified. For example, you might decide that users receive a warning 5 days before their passwords expire.
You should always provide a warning/reminder to users. Ideally, this message should not appear so far in advance that users forget about it, but also not immediately before they must change it.