Enable strong password settings for password policies
Password policies allow you to define authentication policies and associated rules to enforce password settings for your end users.
HealthInsight task recommendation
Enable strong password settings to enforce strict password policies that define settings for password lockout, history, minimum age, and minimum length.
Recommended settings
Lock out | Specify the maximum number of invalid password attempts before locking the user's account. This provides protection against brute-force password attacks. |
Minimum length | Specify a minimum password length of at least eight characters. Longer passwords provide greater protection against brute-force attacks. |
History | Specify the number of distinct passwords users must create before reusing a password. This prevents users from reusing a previous password when resetting their password. If there's a compromise that requires a password reset, you want to ensure users can't reuse compromised credentials. |
Password age | Specify the minimum time interval required between password changes. This setting prevents users from bypassing the password history requirement. |
Common Password Check | Restrict the use of common passwords. |
End-user experience and impact
The following table describes how end users are affected when password settings are configured.
Lockout |
Users will be unable to access their accounts after multiple failed sign-ins.
Admins configure account unlock options as part of the lockout options in password policy rules. If an admin doesn't enable any self-service or auto-unlock options, users must ask their admin to unlock their account. When admins configure lockout policies, they should weigh typical user sign-in patterns against security to determine how many attempts are allowed. A lockout policy that allows only a low number of attempts may cause more lockouts. For example, users may mistype passwords when signing in from a mobile device or when they've recently changed their passwords. Some applications may auto-retry cached passwords after a password change, resulting in user lockouts. However, a lockout policy that allows too many attempts increases the risk of credential attacks. |
Minimum length |
Longer passwords are more difficult for users to remember, especially when combined with other complexity requirements (for example, requiring uppercase, lowercase, symbols, and so on).
NIST recommends longer passwords that are easy to remember ("phrase-like") but more difficult to obtain through brute-force attacks. |
History | Requires users to use a different password when resetting their password. This may result in an increased number of lockouts or password resets due to users forgetting their password. |
Password age |
Prevents users from resetting their password before it has reached the password age, including immediately after a previous password reset. Consider, for example, configuring a shorter password age with a longer password history to prevent password reuse. |
Common Password Check | If a user chooses a password that matches one found on a list of commonly used passwords, they can't use that password. |
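The interaction between Password age and History described above, as an added example that is not Okta's code or schema: the `Policy` and `Account` classes, their field names, and the three-entry common-password list are hypothetical and constructed for illustration. It shows that with no minimum age the history window can be exhausted in seconds, while a minimum age makes reuse take at least history × age.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

COMMON = {"password", "12345678", "qwertyuiop"}  # constructed stand-in list

@dataclass
class Policy:                 # hypothetical field names, not Okta's schema
    min_length: int = 8
    history: int = 4          # stored passwords (current included) that cannot be reused
    min_age_s: int = 86400    # minimum seconds between changes, 0 disables

@dataclass
class Account:
    hashes: list = field(default_factory=list)   # (salt, digest), newest last
    changed_at: float = float("-inf")

def _digest(pw, salt):
    # Low iteration count keeps the demo fast; not a production parameter.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)

def change_password(acct, policy, new_pw, now):
    """Return 'ok' or the name of the rule that rejected the change."""
    if now - acct.changed_at < policy.min_age_s:
        return "min_age"
    if len(new_pw) < policy.min_length:
        return "min_length"
    if new_pw.lower() in COMMON:
        return "common_password"
    recent = acct.hashes[-policy.history:] if policy.history else []
    if any(hmac.compare_digest(_digest(new_pw, s), d) for s, d in recent):
        return "history"
    salt = os.urandom(16)
    acct.hashes.append((salt, _digest(new_pw, salt)))
    acct.changed_at = now
    return "ok"

def reuse_after_reset(policy, interval_s):
    """Change passwords every interval_s seconds, then retry the original.
    Returns (result of the reuse attempt or first rejection, seconds elapsed)."""
    acct, now, original = Account(), 0.0, "reset-me-Passw0rd"
    change_password(acct, policy, original, now)
    for i in range(policy.history):
        now += interval_s
        result = change_password(acct, policy, f"filler-{i}-Passw0rd", now)
        if result != "ok":
            return result, now
    now += interval_s
    return change_password(acct, policy, original, now), now
```

With the defaults above, `reuse_after_reset(Policy(min_age_s=0), 1)` succeeds after five seconds, whereas the same sequence under a one-day minimum age is rejected at the first change and needs five days to complete.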
Configure password settings for password policies
- In the Admin Console, go to .
- In the Setup tab, click Password. To edit policies, click the .
- Select a Password Policy and click Edit.
- Edit the password settings based on the recommendations.
- To enable each setting, select the checkboxes for Password history, Password age, Lock out, and Common password check.