Password expiration
If you are an administrator, you can make it compulsory for your users to reset their passwords at regular intervals. You can decide how old a password can be before it expires and needs to be reset (for example, every 100 days).
Password expiration settings are managed in the Password expiration section, located under the General Settings tab in Specops Password Policy.
To set a maximum password age, select the Maximum password age (days) checkbox and specify the time (in days) that can elapse before a user’s password expires.
Example: enter 100 if you want a password to expire 100 days after it was last reset or changed.
Length-based password aging
You can also add a “length-based aging” period on top of the standard password expiration period. Length-based aging encourages users to create longer and more secure passwords, and rewards them for doing so, by giving them extra time before their passwords expire.
To reveal the length-based aging configuration options, select the Bonus expiration for longer passwords checkbox.
When you select this checkbox, you will see the following configuration options:
In the Number of expiration levels field, enter how many expiration levels there will be. An expiration level determines how many extra days the user will have until their password expires. This depends on how long the user’s password is. To increase the number of levels, move the slider to the right. The maximum number of expiration levels that can exist is 5.
In the Characters per level field, specify the character range per level by moving the slider.
In the Extra days per level field, specify how many extra expiration days each level is worth.
Example: You could set the Maximum password age (days) field to 180 days. You could then select 3 expiration levels, with 3 characters per level, with 30 extra days per level:
Note: The minimum password length is 5 characters.
- Passwords that are 5-7 characters in length fall under Expiration Level 1. Passwords under Expiration Level 1 expire in 180 days.
- Passwords that are 8-10 characters in length fall under Expiration Level 2. Passwords under Expiration Level 2 expire in 210 days.
- Passwords that are 11-20 characters in length fall under Expiration Level 3. Passwords under Expiration Level 3 expire in 240 days.
The password length per expiration level is dependent on what you have specified in the Maximum password length and Minimum password length fields under the Password Rules tab.
The password length for each expiration level will change if you modify the Maximum/Minimum password length fields.
If you select the Disable expiration for the last level checkbox, passwords that meet the requirements for the final expiration level in the list will not expire. In the three-level example above, passwords that meet the requirements for Level 3 will not expire.
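The level arithmetic from the example above, as an added sketch that is not Specops code. It assumes what the page's 5-7 / 8-10 / 11-20 ranges imply: level 1 starts at the minimum password length, the last level runs up to the maximum password length (20 in the example), and each level adds the extra days once. All function and parameter names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Level:
    number: int
    min_len: int
    max_len: int
    max_age_days: Optional[int]  # None means the password never expires


def expiration_levels(min_length: int, max_length: int, base_age_days: int,
                      levels: int, chars_per_level: int,
                      extra_days_per_level: int,
                      disable_last: bool = False) -> List[Level]:
    """Build the length-range / maximum-age table for a policy (assumed model)."""
    if not 1 <= levels <= 5:
        raise ValueError("the page allows at most 5 expiration levels")
    if min_length + chars_per_level * (levels - 1) > max_length:
        raise ValueError("last level would start past the maximum password length")
    table = []
    for i in range(levels):
        start = min_length + i * chars_per_level
        is_last = i == levels - 1
        # The final level absorbs every remaining length up to the maximum.
        end = max_length if is_last else start + chars_per_level - 1
        age = None if (is_last and disable_last) else base_age_days + i * extra_days_per_level
        table.append(Level(i + 1, start, end, age))
    return table


def max_age_for(password_length: int, table: List[Level]) -> Optional[int]:
    """Return the maximum age in days for a length, or None if it never expires."""
    for level in table:
        if level.min_len <= password_length <= level.max_len:
            return level.max_age_days
    raise ValueError("length is outside the policy's minimum/maximum")


# Constructed input: the page's example (minimum 5, maximum 20, 180 days,
# 3 levels, 3 characters per level, 30 extra days per level).
PAGE_EXAMPLE = expiration_levels(5, 20, 180, 3, 3, 30)
NO_EXPIRY_LAST = expiration_levels(5, 20, 180, 3, 3, 30, disable_last=True)
```

Printing the table before and after a change to the minimum or maximum length shows how the ranges shift, and which lengths stop expiring once the last level is exempted.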
Graphical representation of password aging
When changing their password, users must type enough characters to satisfy the minimum password length. They can then add additional characters to their password, on top of the basic required character length. When using Specops Password Policy in combination with Specops uReset (version 8.4 and above), users will get visual feedback on the length of their chosen password. If three expiration levels have been configured, the user will see three boxes, with each box representing an expiration level. When a user enters enough characters to satisfy the requirements for a level, the box will turn green.
Expiration warning notifications
You can warn your users when their passwords are due to expire. You can configure two types of warning notifications:
Warning at logon notification
In the Password expiration notifications section, you can configure a warning notification that appears when your users sign in if their password is due to expire. To enable this notification, select the Warning at logon before expiration (days) checkbox and enter a number. For example: if you want the notification to appear 1 day before a user’s password is due to expire, enter 1.
Email warning notification
You can configure an email warning that will be sent to your users a set number of days before their password is due to expire.
To configure a warning email, follow these steps:
- Select the Send email warning (days) checkbox and specify a number. For example: if you want the email to be sent to your users 1 day before their password is due to expire, enter 1.
- Click Configure and the Email expiration warning configuration window will open.
- In the SMTP Server name field, enter the name of your SMTP server. This is the name of the SMTP server that will be used to send the email.
- In the Username field, enter the username that will be used when logging on to the SMTP server for sending the email. Specifying a username for the email sender is optional. The email will be sent by the PDC emulator. If the server can send emails through the specified SMTP server without authentication, this field can be left blank.
- In the Password field, enter the password that will be used when logging on to the SMTP server for sending email. If you entered a username in the previous field, you must enter the corresponding password in this field.
- In the From field, enter the email address of the admin that is sending the warning email, then continue with step 4 below.
- In the Language file field, select the client language file that will be used to construct the password expiration warning email.
- Select the Exclude Rules Information checkbox if you do not want to include information about password rules in the warning email. If this checkbox is unselected, a user’s password rules will be included in the body of the email.
- In the Additional Information field, you can customize the body of the email. The default body for the email is shown below:
- To confirm that the email sends successfully, click the Send test email button.
- When you have finished configuring the settings for the email, click OK.