Password Expiration

If you are an administrator, you can make it compulsory for your users to reset their passwords at regular intervals. You can decide how old a password can be before it expires and needs to be reset (for example, every 100 days).

Password history settings are managed in the General Settings tab, while password expiration settings are managed in the Password Expiration tab.

Specops Password Policy password expiration settings

To set a maximum password age, select the Maximum password age (days) checkbox and specify the time (in days) that can elapse before a user’s password expires.

Example: enter 100 if you want a password to expire 100 days after it was last reset or changed.


Length-based password aging

You can also add a “length-based aging” period on top of the standard password expiration period. Length-based aging encourages users to create longer and more secure passwords, and rewards them for doing so, by giving them extra time before their passwords expire.

To activate length-based password aging, check the Length based password aging checkbox.

Here you can configure the following:

  • Number of expiration levels: 1 to 5 levels, with each level awarding the user more time until password expiration. The length of each level is determined by the Characters per level setting.
  • Characters per level: number of characters for each level.
  • Extra days per level: how many extra days in addition to the Maximum password age are awarded for each level the user reaches.
NOTE
If the total maximum password age (Maximum password age + length based password aging) exceeds the number of days set in the Windows domain password policy, the maximum password age set in Specops Password Policy will not take effect, because the built-in policy will prompt the user to change their password before that age is reached. To resolve this, increase the built-in password policy to match or exceed the maximum password age set in Specops Password Policy. You can click on the warning that is displayed to see the value of the built-in domain password policy.

In the Number of expiration levels field, enter how many expiration levels there will be. An expiration level determines how many extra days the user will have until their password expires. This depends on how long the user’s password is. To increase the number of levels, move the slider to the right. The maximum number of expiration levels that can exist is 5.

In the Characters per level field, specify the character range per level by moving the slider.

In the Extra days per level field, specify how many extra expiration days each level is worth.


Example: You could set the Maximum password age (days) field to 180 days. You could then select 3 expiration levels, with 3 characters per level, with 30 extra days per level:

Specops Password Policy password expiration settings
NOTE
The minimum password length is 5 characters.

This means:

  • Passwords that are 5-7 characters in length fall under Expiration Level 1. Passwords under Expiration Level 1 expire in 180 days.
  • Passwords that are 8-10 characters in length fall under Expiration Level 2. Passwords under Expiration Level 2 expire in 210 days.
  • Passwords that are 11-20 characters in length fall under Expiration Level 3. Passwords under Expiration Level 3 expire in 240 days.

The password length per expiration level is dependent on what you have specified in the Maximum password length and Minimum password length fields under the Password Rules tab.

The password length for each expiration level will change if you modify the Maximum/Minimum password length fields.


If you select the Disable expiration for the last level checkbox, passwords that meet the requirements for the final expiration level in the list will not expire. In the example below, passwords that meet the requirements for Level 3 will not expire.

Specops Password Policy password expiration settings
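The level arithmetic described above, together with the NOTE about the built-in domain policy, modelled as an added example (not Specops code). The function names are hypothetical, the maximum password length of 20 is inferred from the 11-20 range in the worked example, and a built-in maximum age of 0 is taken to mean that the built-in policy never expires passwords.

```python
from typing import List, NamedTuple, Optional

class Level(NamedTuple):
    number: int
    min_len: int
    max_len: int
    max_age_days: Optional[int]  # None = passwords at this level do not expire

def expiration_levels(min_len, max_len, max_age, levels, chars_per_level,
                      extra_days, disable_last=False) -> List[Level]:
    """Build the level table the way the page's worked example reads."""
    if not 1 <= levels <= 5:
        raise ValueError("1 to 5 expiration levels are allowed")
    table = []
    for i in range(levels):
        lo = min_len + i * chars_per_level
        last = i == levels - 1
        # The last level runs up to the maximum password length (11-20 on the page).
        hi = max_len if last else lo + chars_per_level - 1
        if lo > max_len or hi > max_len:
            # Assumption of this model: reject settings that do not fit the range.
            raise ValueError(f"level {i + 1} does not fit in {min_len}-{max_len}")
        age = None if (last and disable_last) else max_age + i * extra_days
        table.append(Level(i + 1, lo, hi, age))
    return table

def level_for(length: int, table: List[Level]) -> Level:
    """Return the expiration level a password of this length falls under."""
    for lvl in table:
        if lvl.min_len <= length <= lvl.max_len:
            return lvl
    raise ValueError(f"length {length} is outside the policy's length range")

def overridden_by_domain_policy(table: List[Level], domain_max_age_days: int) -> List[int]:
    """Level numbers whose age the built-in domain policy would cut short."""
    if domain_max_age_days == 0:  # built-in policy never expires passwords
        return []
    # Assumption: a non-expiring last level is also cut short by a finite built-in age.
    return [l.number for l in table
            if l.max_age_days is None or l.max_age_days > domain_max_age_days]

if __name__ == "__main__":
    # Settings from the page's example: 180 days, 3 levels, 3 characters, 30 extra days.
    table = expiration_levels(5, 20, 180, 3, 3, 30)
    for lvl in table:
        print(lvl)
    # Constructed value: a built-in domain maximum password age of 200 days.
    print("levels cut short at 200 days:", overridden_by_domain_policy(table, 200))
```
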

Graphical representation of password aging

When changing their password, users must type enough characters to satisfy the minimum password length. They can then add additional characters to their password, on top of the basic required character length. When using Specops Password Policy in combination with Specops uReset (version 8.4 and above), users will get visual feedback on the length of their chosen password. If three expiration levels have been configured, the user will see three boxes, with each box representing an expiration level. When a user enters enough characters to satisfy the requirements for a level, the box will turn green.

Graphical representation of password aging (only when using uReset 8.4 and above)

Expiration warning notifications

You can warn your users when their passwords are due to expire. You can configure two types of warning notifications:

Warning at logon notification

In the Password expiration notifications section, you can configure a warning notification that appears when your users sign in if their password is due to expire. To enable this notification, select the Warning at logon before expiration (days) check box and enter a number. For example: if you want the notification to appear 1 day before a user’s password is due to expire, enter 1.

Specops Password Policy password expiration login settings

Email warning notification

You can configure an email warning that will be sent to your users a set number of days before their password is due to expire.


To configure a warning email, follow these steps:

NOTE
The SMTP settings for all outgoing mails from Specops Password Policy are configured in the Password Policy Domain Administration Tool: Domain > Domain Settings > SMTP Settings > Edit
  1. Select the Send email warning (days) checkbox and specify a number. For example: if you want the email to be sent to your users 1 day before their password is due to expire, enter 1.
  2. Select the language for the outgoing mail in the dropdown.
    NOTE
    Some information in the outgoing mail is generated by Password Policy. Here you can set the language for that information. Specifically, the placeholders affected are %DynamicExpirationInfo% and %PasswordRules%. To see what language files are installed, in the Domain Administration Tool go to Domain > Language Files.
  3. The From email and From name fields are not accessible here and are populated automatically by the information provided in the SMTP settings, notably the Default Sender Email Address and Default Sender Display Name fields there.
  4. In the To field, enter the email address the mail should be sent to. Enter placeholder %UserEmail% to send the mail to the affected user.
  5. In the CC field, enter any other email addresses the notification needs to be sent to. Here too, placeholders (e.g. %ManagerEmail%) can be used.
  6. In the Subject field, enter the subject for the notification email. Use placeholders to generate a subject line that provides information for the user. More information on placeholder texts can be found on the Notifications page.
  7. Configure the Body text of the email notification by clicking the Edit button. Here again placeholders can be used (they are accessible through the % icon in the ribbon).
    NOTE
    Emails can be edited in rich text format or HTML (click the Toggle HTML view button in the ribbon).