Create a self-service password reset policy for your org

Creating a self-service password reset policy for your org allows all users to reset their passwords. You cannot create a self-service password reset policy for your org if the group password policy feature is enabled.

  1. In the Admin Console, go to Security > Authentication.
  2. Click Add New Password Policy.
  3. Complete these fields:
    • Policy name: Enter a name for the policy.
    • Policy description: Enter a description for the policy.
    • Add group: Enter a group name and then select the group to which the policy should apply.
  1. In the Authentication Providers area, select the source for user authentication in the Applies to list.
  2. Complete these fields in the Password Settings area:
    • Minimum length — Specify a minimum password length of 4 to 30 characters (the default is eight characters).
    • Complexity requirements — Select one or more of these password complexity options:
      • Lower case letter — Select this option to make the inclusion of a lower case letter in the password mandatory.
      • Upper case letter — Select this option to make the inclusion of an upper case letter in the password mandatory.
      • Number (0-9) — Select this option to make the inclusion of a number from 0 to 9 in the password mandatory.
      • Symbol (e.g., !@#$%^&*) — Select this option to make the inclusion of a symbol in the password mandatory.
      • Does not contain part of username — Select this option to exclude a part of the user name from the password requirements.
      • Does not contain first name — Select this option to exclude the first name of the user from the password requirements.
      • Does not contain last name — Select this option to exclude the last name of the user from the password requirements
    • Common password check — Optional. Select Restrict use of common passwords to check password strength, or if the password is in common use.
    • Password age — Select one or more of these password complexity options:
      • Enforce password history for last password — Select this option to define the number of passwords that must be different before a password can be reused. You can enter 1 to 24 passwords.
      • Minimum password age is — Enter the number of hours or days that a password can be used before it must be changed. The valid range is 1 to 999.
      • Password expires after days — Enter the number of days a password remains valid. The valid range is 1 to 999.
      • Prompt user days before password expires — Enter the number of days a user is notified before their password expires.
    • Lock out — Select one or more of these password lock out options:
      • Lock out user after unsuccessful attempts — Enter the number of attempts a user is allowed to successfully enter their password before their account is locked. The valid range is 1 to 100.
      • Account is automatically unlocked after minutes — Enter the number of minutes that a user must wait before their account is automatically unlocked. The minimum value is one minute.
      • Show lock out failures — Select this option to display the number of lock out failures.

      • Send lockout email to user — Select this option to notify users by email that their account is locked.

  1. Complete these fields in the Account Recovery area:
    • Self-service recovery options — Select one or more of these options:
      • SMS — Select this option to let users reset their password using SMS.
      • Voice Call — Select this option to let users reset their password using a voice call.
      • Email — Select this option to let users reset their password using an email.

      • Reset/Unlock recovery emails are valid for — Enter the number minutes, hours, or days that a password reset email remains valid. The minimum value is 60 minutes and the maximum value is 300000 minutes. An error message is returned if the value entered is above or below these values.

    • Password recovery question complexity — Enter the minimum number of characters that security answers must contain.
  2. In the Add Rule dialog, complete these fields:
    • Rule Name — Enter a name for the rule.
    • Exclude Users — Optional. Enter the names of users that you want to exclude from the rule.
    • IF User's IP is — Select one of these options:
      • Anywhere — Select this option to apply the rule to all users regardless of whether or not their IP address is listed in the Public Gateway IPs list.
      • In zone — Select this option to apply the rule to all users in a zone. Select All Zones to apply the rule to users in all zones, or enter a specific IP address.
      • Not in zone — Select this option to apply the rule to users outside a zone. Select All Zones to apply the rule to users outside all zones, or enter a specific IP address.
    • THEN User can — Select one of these user actions for the rule:
      • change password — Select this option to let users change their password.
      • perform self-service password reset — Select this option to let users reset their password. change password must be selected to enable this option.
      • perform self-service account unlock — Optional. Select this option to let users unlock their account.
  1. Click Create Rule.