Enforce and monitor password requirements for users

As an admin, you can enforce password requirements to protect your users' managed Google Accounts and meet your organization's compliance needs. You can also see which of your users' passwords are weak by monitoring their password strength.

Help keep user accounts secure

  • Require a strong password: You can force users with weak passwords to change them. You can also require a certain number of characters for passwords.
  • Prevent users from reusing old passwords.
  • Explain the importance of strong passwords: To help users create strong passwords, share these password tips.

Before you begin

When password policies don't apply

  • Google can't enforce password requirements on passwords set using a hash method, for example passwords created using the bulk user upload tool, the Directory API, or sync tools such as Password Sync or Google Cloud Directory Sync. For details, visit the Google Workspace Admin SDK or see About Password Sync.
  • Password policies don't apply to any user passwords that you reset manually. If you manually reset a password, make sure to select Enforce password policy at next sign-in for that user.
  • The password policies you configure don't apply to users who are authenticated on a third-party identity provider (IdP) using SAML.

What makes a password strong

If you enforce strong passwords, Google uses a password strength-rating algorithm to ensure that a password:

  • Has a high level of randomness, called password entropy, which you can achieve using a long string of characters of different types, such as uppercase letters, lowercase letters, numerals, and special characters

    Note: A strong password doesn't need to have a specific number of characters of a specific type.

  • Is not a commonly used weak password, like "123456" or "password123"
  • Is not easy to guess, such as simple words or phrases, or patterns in which the password is the same as the username
  • Is not known to be compromised; that is, it's not in a database of breached accounts

How password expiration works

Password expiration is turned off by default because research has shown little positive impact on security. You can set users' passwords to expire after a number of days (such as 90 or 180 days) if required for compliance reasons.

Password alerts

If you set a password expiration period, users receive pop-up alerts (but not email reminders) in their Google services, such as Gmail and Calendar, 30 days before the password expiration date. Users can change their password or close the alert. If a user doesn't change their password, the alert appears the next time they sign in to their account. The alert stops appearing after the user closes it 3 times. However, after password expiration, the user must change their password at the next sign-in.

When users need to change their password

When you first set up a password expiration policy, some users might be prompted to change their passwords immediately, while others won't need to change their passwords right away. For example:

  • If you set up a 90-day expiration policy, and a user last changed their password 100 days ago, that user's password will expire as soon as you set up the policy. They'll be prompted to change their password the next time they try to sign in to their account.
  • If you set up a 90-day expiration policy, and a user last changed their password 30 days ago, that user's password hasn't expired yet. After 60 days, they'll be prompted to change their password the next time they try to sign in.
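To estimate the impact before turning expiration on, the rules above can be applied to a list of last-change dates. The following Python sketch is an added example, not Google's code or an Admin console feature; the record fields (`email`, `last_changed`, `saml_idp`) and the sample users are constructed, and it assumes you already have each user's last password change date from your own records.

```python
from datetime import date, timedelta

ALERT_WINDOW_DAYS = 30  # pop-up alerts begin 30 days before expiration (per this page)

def classify(last_changed, policy_days, today):
    """Return (status, days_left) for one password under an N-day policy."""
    expires_on = last_changed + timedelta(days=policy_days)
    days_left = (expires_on - today).days
    if days_left <= 0:
        status = "expired"    # user must change the password at next sign-in
    elif days_left <= ALERT_WINDOW_DAYS:
        status = "alerting"   # user sees the pop-up alert in Google services
    else:
        status = "ok"
    return status, days_left

def rollout_impact(users, policy_days, today):
    """Group users by what happens to them when the policy is enabled today."""
    impact = {"expired": [], "alerting": [], "ok": [], "not_covered": []}
    for user in users:
        if user["saml_idp"]:
            # Users authenticated by a third-party SAML IdP are outside the policy.
            impact["not_covered"].append((user["email"], None))
            continue
        status, days_left = classify(user["last_changed"], policy_days, today)
        impact[status].append((user["email"], days_left))
    return impact

# Constructed sample data (hypothetical users and dates).
TODAY = date(2024, 6, 1)
SAMPLE_USERS = [
    {"email": "a@example.com", "last_changed": TODAY - timedelta(days=100), "saml_idp": False},
    {"email": "b@example.com", "last_changed": TODAY - timedelta(days=30), "saml_idp": False},
    {"email": "c@example.com", "last_changed": TODAY - timedelta(days=75), "saml_idp": False},
    {"email": "d@example.com", "last_changed": TODAY - timedelta(days=400), "saml_idp": True},
]

if __name__ == "__main__":
    for status, entries in rollout_impact(SAMPLE_USERS, 90, TODAY).items():
        print(f"{status}: {entries}")
```

The first two sample users reproduce the two cases described above: the password changed 100 days ago is expired as soon as a 90-day policy is set, and the one changed 30 days ago has 60 days left.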

Set password requirements

  1. From the Admin console Home page, go to Security and then Password management.

  2. On the left, select the organizational unit where you want to set the password policies.

    For all users, select the top-level organizational unit. Otherwise, select another organization to make settings for its users. Initially, an organization inherits the settings of its parent organization.

  3. In the Strength section, check the Enforce strong password box.

    Learn more about strong passwords.

  4. In the Length section, enter a minimum and maximum length for your users' passwords. It can be between 8 and 100 characters.

  5. (Optional) To force users to change their password, check the Enforce password policy at next sign-in box.

    If you don't check this option, users with weak passwords can access your organization's Google services until they decide to change their password.

  6. (Optional) To allow users to reuse an old password, check the Allow password reuse box.

    You cannot set the password history that Google reviews to prevent reuse.

  7. In the Expiration section, select the period of time after which passwords expire.
  8. Click Override to keep the setting the same, even if the parent setting changes.
  9. If the organizational unit's status is already Overridden, choose an option:
    • Inherit: Reverts to the same setting as its parent.
    • Save: Saves your new setting (even if the parent setting changes).
  10. Give your users tips for creating a strong password.

Monitor your users' password strength

  1. From the Admin console Home page, go to Reports.

  2. Do either of the following:

Related topics

  • Set up password requirements for managed mobile devices
  • Manage user security settings
