If you are an administrator, you can make it compulsory for your users to reset their passwords at regular intervals. You can decide how old a password can be before it expires and needs to be reset (for example, every 100 days).
Password history settings are managed in the General Settings tab, while password expiration settings are managed in the Password Expiration tab.
To set a maximum password age, select the Maximum password age (days) checkbox and specify the time (in days) that can elapse before a user’s password expires.
Example: enter 100 if you want a password to expire 100 days after it was last reset or changed.
Length-based password aging
You can also add a “length-based aging” period on top of the standard password expiration period. Length-based aging encourages users to create longer and more secure passwords, and rewards them for doing so, by giving them extra time before their passwords expire.
To activate length-based password aging, check the Length based password aging checkbox.
Here you can configure the following:
- Number of expiration levels: 1 to 5 levels, with each level awarding the user more time until password expiration. The length of each level is determined by the Characters per level setting.
- Characters per level: number of characters for each level.
- Extra days per level: how many extra days in addition to the Maximum password age are awarded for each level the user reaches.
In the Number of expiration levels field, enter how many expiration levels there will be. An expiration level determines how many extra days the user will have until their password expires. This depends on how long the user’s password is. To increase the number of levels, move the slider to the right. The maximum number of expiration levels that can exist is 5.
In the Characters per level field, specify the character range per level by moving the slider.
In the Extra days per level field, specify how many extra expiration days each level is worth.
Example: You could set the Maximum password age (days) field to 180 days. You could then select 3 expiration levels, with 3 characters per level, with 30 extra days per level:
- Passwords that are 5-7 characters in length fall under Expiration Level 1. Passwords under Expiration Level 1 expire in 180 days.
- Passwords that are 8-10 characters in length fall under Expiration Level 2. Passwords under Expiration Level 2 expire in 210 days.
- Passwords that are 11-20 characters in length fall under Expiration Level 3. Passwords under Expiration Level 3 expire in 240 days.
The password length per expiration level is dependent on what you have specified in the Maximum password length and Minimum password length fields under the Password Rules tab.
The password length for each expiration level will change if you modify the Maximum/Minimum password length fields.
If you select the Disable expiration for the last level checkbox, passwords that meet the requirements for the final expiration level in the list will not expire. In the three-level example above, passwords that meet the requirements for Level 3 will not expire.
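The level arithmetic from the example above can be checked before you commit a policy. The following is an added sketch, not Specops code: the class and field names are hypothetical, the minimum and maximum lengths of 5 and 20 are inferred from the ranges in the example, and the formula (Level 1 earns no extra days, the last level runs up to the maximum length) is an assumption derived from that example rather than from product documentation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (level, shortest length, longest length, days until expiry or None = never)
Row = Tuple[int, int, int, Optional[int]]


@dataclass
class AgingPolicy:  # hypothetical model of the settings described on this page
    min_length: int            # Minimum password length (Password Rules tab)
    max_length: int            # Maximum password length (Password Rules tab)
    max_age_days: int          # Maximum password age (days)
    levels: int                # Number of expiration levels (1 to 5)
    chars_per_level: int       # Characters per level
    extra_days_per_level: int  # Extra days per level
    disable_last_level_expiry: bool = False

    def __post_init__(self) -> None:
        if not 1 <= self.levels <= 5:
            raise ValueError("levels must be between 1 and 5")
        if self.chars_per_level < 1 or self.min_length > self.max_length:
            raise ValueError("invalid length settings")
        last_start = self.min_length + (self.levels - 1) * self.chars_per_level
        if last_start > self.max_length:
            raise ValueError("last level starts beyond the maximum length")

    def level_table(self) -> List[Row]:
        rows: List[Row] = []
        for level in range(1, self.levels + 1):
            low = self.min_length + (level - 1) * self.chars_per_level
            last = level == self.levels
            # Assumption: the last level absorbs every length up to the maximum.
            high = self.max_length if last else low + self.chars_per_level - 1
            days: Optional[int] = (
                self.max_age_days + (level - 1) * self.extra_days_per_level
            )
            if last and self.disable_last_level_expiry:
                days = None  # passwords at this level never expire
            rows.append((level, low, high, days))
        return rows

    def expiry_days(self, length: int) -> Optional[int]:
        for _level, low, high, days in self.level_table():
            if low <= length <= high:
                return days
        raise ValueError("length is outside the allowed password length range")


if __name__ == "__main__":
    # Constructed input matching the page's example settings.
    for row in AgingPolicy(5, 20, 180, 3, 3, 30).level_table():
        print(row)
```

Reviewing the table this way makes the effective maximum age of the top level explicit, including the case where it never expires.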
Graphical representation of password aging
When changing their password, users must type enough characters to satisfy the minimum password length. They can then add additional characters to their password, on top of the basic required character length. When using Specops Password Policy in combination with Specops uReset (version 8.4 and above), users will get visual feedback on the length of their chosen password. If three expiration levels have been configured, the user will see three boxes, with each box representing an expiration level. When a user enters enough characters to satisfy the requirements for a level, the box will turn green.
Expiration warning notifications
You can warn your users when their passwords are due to expire. You can configure two types of warning notifications:
Warning at logon notification
In the Password expiration notifications section, you can configure a warning notification that appears when your users sign in if their password is due to expire. To enable this notification, select the Warning at logon before expiration (days) checkbox and enter a number. For example: if you want the notification to appear 1 day before a user’s password is due to expire, enter 1.
Email warning notification
You can configure an email warning that will be sent to your users a set number of days before their password is due to expire.
To configure a warning email, follow these steps:
- Select the Send email warning (days) checkbox and specify a number. For example: if you want the email to be sent to your users 1 day before their password is due to expire, enter 1.
- Select the language for the outgoing mail in the dropdown. Some information in the outgoing mail is generated by Password Policy. Here you can set the language for that information. Specifically, the placeholders affected are %DynamicExpirationInfo% and %PasswordRules%. To see what language files are installed, in the Domain Administration Tool go to Domain > Language Files.
- The From email and From name fields are not accessible here and are populated automatically by the information provided in the SMTP settings, notably the Default Sender Email Address and Default Sender Display Name fields there.
- In the To field, enter the email address the mail should be sent to. Enter placeholder %UserEmail% to send the mail to the affected user.
- In the CC field, enter any other email addresses the notification needs to be sent to. Here too, placeholders (e.g. %ManagerEmail%) can be used.
- In the Subject field, enter the subject for the notification email. Use placeholders to generate a subject line that provides information for the user. More information on placeholder texts can be found on the Notifications page.
- Configure the Body text of the email notification by clicking the Edit button. Here again placeholders can be used (they are accessible through the % icon in the ribbon).
Emails can be edited in rich text format or HTML (click the Toggle HTML view button in the ribbon).