Create a self-service password reset policy for your org
Creating a self-service password reset policy for your org allows all users to reset their passwords. You cannot create a self-service password reset policy for your org if the group password policy feature is enabled.
- In the Admin Console, go to Security > Authentication.
- Click Add New Password Policy.
- Complete these fields:
- Policy name: Enter a name for the policy.
- Policy description: Enter a description for the policy.
- Add group: Enter a group name and then select the group to which the policy should apply.
- In the Authentication Providers area, select the source for user authentication in the Applies to list.
- Complete these fields in the Password Settings area:
- Minimum length: Specify a minimum password length of 4 to 30 characters (the default is eight characters).
- Complexity requirements: Select one or more of these password complexity options:
- Lower case letter: Select this option to make the inclusion of a lower case letter in the password mandatory.
- Upper case letter: Select this option to make the inclusion of an upper case letter in the password mandatory.
- Number (0-9): Select this option to make the inclusion of a number from 0 to 9 in the password mandatory.
- Symbol (e.g., !@#$%^&*): Select this option to make the inclusion of a symbol in the password mandatory.
- Does not contain part of username: Select this option to reject passwords that contain the user's username or a part of it.
- Does not contain first name: Select this option to reject passwords that contain the user's first name.
- Does not contain last name: Select this option to reject passwords that contain the user's last name.
- Common password check: Optional. Select Restrict use of common passwords to reject passwords that appear on a list of commonly used passwords.
- Password age: Select one or more of these password age options:
- Enforce password history for last password: Select this option and enter the number of previous passwords (1 to 24) that a new password must differ from.
- Minimum password age is: Enter the number of hours or days that must pass after a password change before the user can change the password again. The valid range is 1 to 999. Without a minimum age a user can cycle through the history list in one sitting and return to the old password.
- Password expires after days: Enter the number of days a password remains valid. The valid range is 1 to 999.
- Prompt user days before password expires: Enter the number of days a user is notified before their password expires.
- Lock out: Select one or more of these password lock out options:
- Lock out user after unsuccessful attempts: Enter the number of unsuccessful sign-in attempts allowed before the account is locked. The valid range is 1 to 100.
- Account is automatically unlocked after minutes: Enter the number of minutes that must pass before a locked account is automatically unlocked. The minimum value is one minute. A low attempt threshold with no automatic unlock lets anyone who knows a username lock that user out by submitting wrong passwords, so pair a strict threshold with an automatic unlock or a self-service unlock option.
- Show lock out failures: Select this option to show users the number of failed sign-in attempts that led to the lock out.
- Send lockout email to user: Select this option to notify users by email that their account is locked.
- Complete these fields in the Account Recovery area:
- Self-service recovery options: Select one or more of these options:
- SMS: Select this option to let users reset their password using SMS.
- Voice Call: Select this option to let users reset their password using a voice call.
- Email: Select this option to let users reset their password using an email.
- Reset/Unlock recovery emails are valid for: Enter the number of minutes, hours, or days that a password reset or unlock email remains valid. Keep this short: while the link is valid, anyone who can read the email can take over the account.
- Password recovery question complexity: Enter the minimum number of characters that security answers must contain.
- In the Add Rule dialog, complete these fields:
- Rule Name: Enter a name for the rule.
- Exclude Users: Optional. Enter the names of users that you want to exclude from the rule.
- IF User's IP is: Select one of these options:
- Anywhere: Select this option to apply the rule to all users regardless of whether or not their IP address is listed in the Public Gateway IPs list.
- In zone: Select this option to apply the rule to all users in a zone. Select All Zones to apply the rule to users in all zones, or enter a specific IP address.
- Not in zone: Select this option to apply the rule to users outside a zone. Select All Zones to apply the rule to users outside all zones, or enter a specific IP address.
- THEN User can: Select one of these user actions for the rule:
- change password: Select this option to let users change their password.
- perform self-service password reset: Select this option to let users reset their password. The change password option must be selected to enable this option.
- perform self-service account unlock: Optional. Select this option to let users unlock their account.
- Click Create Rule.
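To make the Password Settings above concrete, here is an added reference implementation of the checks they describe (minimum length, character classes, username and name exclusion, the common-password check, password history, and lock out with automatic unlock). It is example code written for this page, not Okta's code: Okta evaluates the real rules server-side, and the matching details assumed here (case-insensitive comparison, splitting the username on `.`, `,`, `_`, `-`, `#` and `@`, a tiny constructed common-password list, and SHA-256 in place of the real stored password hashes) are illustrative assumptions.

```python
"""Added example, not Okta's code: a local reference implementation of the
Password Settings described on this page. Matching semantics (case-insensitive
comparison, username split on . , _ - # @, SHA-256 for the history hashes) and
the common-password list are assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional
import hashlib
import re

# Constructed sample of a common-password list; a deployment loads a large one.
COMMON_PASSWORDS = {"password", "password1", "passw0rd", "123456", "qwerty", "letmein"}
USERNAME_DELIMITERS = re.compile(r"[.,_\-#@]")


@dataclass
class PasswordPolicy:
    min_length: int = 8            # Admin Console range 4-30, default 8
    require_lower: bool = True
    require_upper: bool = True
    require_number: bool = True
    require_symbol: bool = False
    exclude_username: bool = True
    exclude_first_name: bool = True
    exclude_last_name: bool = True
    common_password_check: bool = True
    history_count: int = 4         # last N passwords that may not be reused (1-24)
    max_attempts: int = 10         # lock after this many failures (1-100)
    auto_unlock_minutes: int = 30  # 0 = stay locked until an admin unlocks


@dataclass
class User:
    login: str
    first_name: str
    last_name: str
    password_history: List[str] = field(default_factory=list)  # hashes, never plaintext
    failed_attempts: int = 0
    locked_at: Optional[float] = None  # epoch seconds of the lock out, None if not locked


def hash_password(password: str) -> str:
    # Illustration only; a real system compares against its stored bcrypt/argon2 hashes.
    return hashlib.sha256(password.encode()).hexdigest()


def username_parts(login: str) -> List[str]:
    # Assumption: the whole login plus any delimiter-separated part of 4+ characters.
    return [login] + [p for p in USERNAME_DELIMITERS.split(login) if len(p) >= 4]


def check_password(policy: PasswordPolicy, user: User, candidate: str) -> List[str]:
    """Return the list of violated requirements; an empty list means acceptable."""
    v, low = [], candidate.lower()
    if len(candidate) < policy.min_length:
        v.append(f"shorter than {policy.min_length} characters")
    if policy.require_lower and not re.search(r"[a-z]", candidate):
        v.append("no lower case letter")
    if policy.require_upper and not re.search(r"[A-Z]", candidate):
        v.append("no upper case letter")
    if policy.require_number and not re.search(r"[0-9]", candidate):
        v.append("no number")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", candidate):
        v.append("no symbol")
    if policy.exclude_username and any(p.lower() in low for p in username_parts(user.login)):
        v.append("contains part of the username")
    if policy.exclude_first_name and user.first_name and user.first_name.lower() in low:
        v.append("contains the first name")
    if policy.exclude_last_name and user.last_name and user.last_name.lower() in low:
        v.append("contains the last name")
    if policy.common_password_check and low in COMMON_PASSWORDS:
        v.append("is a commonly used password")
    if hash_password(candidate) in user.password_history[-policy.history_count:]:
        v.append(f"matches one of the last {policy.history_count} passwords")
    return v


def is_locked(policy: PasswordPolicy, user: User, now: float) -> bool:
    """Lock out state at time `now`, applying automatic unlock after auto_unlock_minutes."""
    if user.locked_at is None:
        return False
    if policy.auto_unlock_minutes and now - user.locked_at >= policy.auto_unlock_minutes * 60:
        user.locked_at, user.failed_attempts = None, 0   # auto-unlock resets the counter
        return False
    return True


def record_attempt(policy: PasswordPolicy, user: User, success: bool, now: float) -> bool:
    """Update the failure counter; returns True if the account is locked after this attempt."""
    if is_locked(policy, user, now):
        return True                # even a correct password is refused while locked
    if success:
        user.failed_attempts = 0
        return False
    user.failed_attempts += 1
    if user.failed_attempts >= policy.max_attempts:
        user.locked_at = now       # this is the point where the lockout email would be sent
    return user.locked_at is not None


# Constructed sample user with one previous password in the history.
SAMPLE_USER = User("jane.doe@example.com", "Jane", "Doe",
                   password_history=[hash_password("OldPassw0rd")])
```

`check_password(PasswordPolicy(), SAMPLE_USER, "Doe-janE-2024")` reports the username, first-name and last-name violations together, which is why those three checks are usually enabled as a set. The lock out functions show the interaction between the attempt threshold and automatic unlock: once `max_attempts` failures have been recorded, `record_attempt` refuses even a correct password until `auto_unlock_minutes` have elapsed.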