Enforce and monitor password requirements for users

As an admin, you can enforce password requirements to protect your users' managed Google Accounts and meet your organization's compliance needs. You can also see which of your users' passwords are weak by monitoring their password strength.

Help keep user accounts secure

  • Require a strong password—You can force users with weak passwords to change them. You can also require a certain number of characters for passwords.
  • Prevent users from reusing old passwords.
  • Explain the importance of strong passwords—To help users create strong passwords, share these password tips.

Before you begin

When password policies don't apply

  • Google can't enforce password requirements on passwords set up using a hash method—for example, passwords created using the bulk user upload tool, the Directory API, or sync tools such as Password Sync or Google Cloud Directory Sync. For details, visit the Google Workspace Admin SDK or see About Password Sync.
  • Password policies don't apply to any user passwords that you reset manually. If you manually reset a password, make sure to select Enforce password policy at next sign-in for that user.
  • The password policies you configure don't apply to users who are authenticated on a third-party identity provider (IdP) using SAML.

What makes a password strong

If you enforce strong passwords, Google uses a password strength-rating algorithm to ensure that a password:

  • Has a high level of randomness, called password entropy, which you can achieve using a long string of characters of different types, such as uppercase letters, lowercase letters, numerals, and special characters

    Note: A strong password doesn't need to have a specific number of characters of a specific type.

  • Is not a commonly used weak password, like "123456" or "password123"
  • Is not easy to guess, such as simple words or phrases, or patterns in which the password is the same as the username
  • Is not known to be compromised—that is, it's not in a database of breached accounts
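
The criteria above, as an added client-side check that an admin could run on plaintext before hashing it for bulk upload or the Directory API, the case where Google can't enforce the policy. This is example code added here, not Google's strength-rating algorithm; the word lists, entropy threshold, and function names are assumptions.

```python
import hashlib
import math
import string

# Constructed sample data (assumptions, not Google's lists).
COMMON_WEAK = {"123456", "password123", "qwerty", "letmein"}
# SHA-1 digests standing in for a breached-password corpus (constructed).
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("Summer2023!", "P@ssw0rd2024")}
MIN_LEN, MAX_LEN = 8, 100      # length range the Admin console accepts
MIN_ENTROPY_BITS = 60          # assumed threshold, tune to your policy


def entropy_bits(password):
    """Upper-bound estimate: length * log2(size of character pool used)."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    pool = sum(len(p) for p in pools if any(c in p for c in password))
    if any(c not in "".join(pools) for c in password):
        pool += 32  # rough allowance for characters outside ASCII printable
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(username, password):
    """Return the criteria the password fails (empty list = passes)."""
    failures = []
    local = username.split("@")[0].lower()
    if not MIN_LEN <= len(password) <= MAX_LEN:
        failures.append("length")
    if entropy_bits(password) < MIN_ENTROPY_BITS:
        failures.append("entropy")
    if password.lower() in COMMON_WEAK:
        failures.append("common")
    # Stricter than "same as the username": also rejects passwords containing it.
    if local and local in password.lower():
        failures.append("username")
    # Digest lookup only; SHA-1 here is an index key, not password storage.
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        failures.append("breached")
    return failures
```

A password such as "Summer2023!" clears the length and entropy estimate yet fails the breached lookup, which is why the checks are applied together rather than relying on character variety alone.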

How password expiration works

Password expiration is turned off by default because research has shown little positive impact on security. You can set users' passwords to expire after a number of days (such as 90 or 180 days) if required for compliance reasons.

Password alerts

If you set a password expiration period, users receive pop-up alerts (but not email reminders) in their Google services, such as Gmail and Calendar, 30 days before the password expiration date. Users can change their password or close the alert. If a user doesn't change their password, the alert appears the next time they sign in to their account. The alert stops appearing after the user closes it 3 times. However, after password expiration, the user must change their password at the next sign-in.

When users need to change their password

When you first set up a password expiration policy, some users might be prompted to change their passwords immediately, while others won't need to change their passwords right away. For example:

  • If you set up a 90-day expiration policy, and a user last changed their password 100 days ago, that user's password will expire as soon as you set up the policy. They'll be prompted to change their password the next time they try to sign in to their account.
  • If you set up a 90-day expiration policy, and a user last changed their password 30 days ago, that user's password hasn't expired yet. After 60 days, they'll be prompted to change their password the next time they try to sign in.

Set password requirements

  1. From the Admin console Home page, go to Security and then Password management.

  2. On the left, select the organizational unit where you want to set the password policies.

    For all users, select the top-level organizational unit. Otherwise, select another organization to make settings for its users. Initially, an organization inherits the settings of its parent organization.

  3. In the Strength section, check the Enforce strong password box.

    Learn more about strong passwords.

  4. In the Length section, enter a minimum and maximum length for your users' passwords. It can be between 8 and 100 characters.

  5. (Optional) To force users to change their password, check the Enforce password policy at next sign-in box.

    If you don't check this option, users with weak passwords can access your organization's Google services until they decide to change their password.

  6. (Optional) To allow users to reuse an old password, check the Allow password reuse box.

    You cannot set the password history that Google reviews to prevent reuse.

  7. In the Expiration section, select the period of time after which passwords expire.
  8. Click Override to keep the setting the same, even if the parent setting changes.
  9. If the organizational unit's status is already Overridden, choose an option:
    • Inherit—Reverts to the same setting as its parent.
    • Save—Saves your new setting (even if the parent setting changes).
  10. Give your users tips for creating a strong password.

Monitor your users' password strength

  1. From the Admin console Home page, go to Reports.

  2. Do either of the following:

Related topics

  • Set up password requirements for managed mobile devices
  • Manage user security settings
