ºÚÁϺ£½Ç91Èë¿Ú’s password settings give you the ability to set password length, complexity, originality, aging, and lockout rules for your entire organization to meet your security needs. The user account password governs access to not only the ºÚÁϺ£½Ç91Èë¿Ú user account, but also to all resources that the account can access, like computers and SSO applications.
You can create and enforce the use of strong passwords to protect your organization and its users from hackers and security breaches. You can also reduce the number of lockouts by setting a lockout reset counter after the last failed login attempt.
There are various guidelines for password complexity and compliance. Be sure to enforce password complexity requirements that adhere to your org’s security policy standards.
Password Settings
Considerations
- MacOS - ºÚÁϺ£½Ç91Èë¿Ú password complexity requirements are enforced by the device. This means that any changes made to password settings will also apply to unmanaged local users of ºÚÁϺ£½Ç91Èë¿Ú devices and not just for ºÚÁϺ£½Ç91Èë¿Ú-managed users on the device.
- Windows - ºÚÁϺ£½Ç91Èë¿Ú password complexity requirements are enforced by the device. This means that any changes made to password settings will also apply to unmanaged local users of ºÚÁϺ£½Ç91Èë¿Ú devices and not just for ºÚÁϺ£½Ç91Èë¿Ú-managed users on the device.
- Local password complexity requirements are enforced for non-ºÚÁϺ£½Ç91Èë¿Ú managed users on the ºÚÁϺ£½Ç91Èë¿Ú-managed device only if all four password requirements are turned on in the Admin Portal.
Setting Length, Complexity, and Originality Requirements
To set password minimum length, complexity and originality:
- Under Settings > Security > Password Settings, set the Password Minimum Length to the desired number of characters.
The minimum password length for new orgs is 12 characters by default. The minimum allowable setting is 8 characters. The maximum allowable setting is 64 characters.
- Optionally, select one or more Password Complexity requirements to apply to all user passwords in your org. Users won’t be able to create a password that doesn't adhere to the complexity you specify. The options are that a password:
- Must include a lowercase letter.
- Must include an uppercase letter.
- Must include a number.
- Must include a special character (including accented characters and symbols).
- Must not be a commonly used password.
- Must not include repeated or sequential patterns of 3 or more alpha-numeric characters.
- Must not include the username.
- Commonly used passwords include simple passwords like test123, cyber1234, name1234.
- Here are some examples of sequential patterns that are not allowed:
- Secur3Passw0rd!111, Secur3Passw0rd!aaaa, Secur3Passw0rd!123, Secur3Passw0rd!ABCD
- Click Save to implement your changes. A confirmation modal appears.
- Users will need to comply with the selected requirements on their next password change. Click Apply to confirm.
- If you prefer to set a custom date by which your users must update their password, click Custom Date and select the target date from the calendar.
- New users added before this date must adhere to the updated password requirements. If existing users reset their password before this date, their updated password must adhere to the new requirements.
- New users added before this date must adhere to the updated password requirements. If existing users reset their password before this date, their updated password must adhere to the new requirements.
- If users don’t reset their password by this date, they may be locked out of their account and connected resources until they create a password that meets the new complexity requirements.
- An email is sent to all administrators for your organization and their users to notify them of the change.
Setting Aging Requirements
Setting Password Lockout
You can trigger account lockout to protect your managed devices. Account lockout is triggered from the User Portal and locks users out of the User Portal and device endpoints.
If a user becomes locked out while they are in a session, they will remain logged into their account until they log out. Once the user logs out, they won't be able to log back in until their account becomes unlocked.
Considerations:
- If a user has forgotten their password, they can reset it from the User Portal login page. Users are encouraged to change their passwords from their device to avoid out-of-sync passwords. Learn more about Change Your User Portal Password.
- Password lockout doesn't affect Google Workspaces or Microsoft 365 to accommodate self-service password reset via email.
- A user account can’t be locked out via persistent login attempts on a Linux device. Accounts will only lock out via repeated failed SSH attempts, or user portal attempts.
- After a user account is locked due to failed login attempts, admins can restore the account in their Admin Portal. Learn more about Unlock User Accounts.
- You can configure the actions taken when a user is locked out for Google Workspace, RADIUS, LDAP and M365/Entra ID via the ºÚÁϺ£½Ç91Èë¿Ú API.
- Optionally, under Settings > Security > Password Settings > Password Lockout select one or more requirements for lockout, then specify the numerical details of each. Learn more about the options below:
- (xxx) failed password attempts until lockout sets the number of times a user can fail logging in before it locks the account from being accessed.
- (between 5 - 90) minutes until locked account is automatically unlocked allows a user to log in to their User Portal without an admin’s help. If you select this option, users will see an error message on the User Portal login screen prompting them to try logging in again after the specified amount of time has passed.
- Note: If you enable this option, users that are currently locked out aren’t affected by this. If you disable this option, users that are scheduled to have their accounts unlocked aren’t affected and their accounts are unlocked after 10 minutes.
- (between 5 - 1440) minutes until failed password attempts counter is automatically reset reduces the amount of lockouts by resetting the counter to zero if the specified amount of time has elapsed since the last failed login attempt.
- Note: This is checked by default with a set time of 30 minutes until the counter is reset.
- Click Save if these are your only changes.
- Duo (an MFA factor) failed attempts are not counted towards the total that would lock a user out of their JC account.
Setting Password Reset Options
When MFA is enforced through a conditional access policy for users accessing the ºÚÁϺ£½Ç91Èë¿Ú User Portal, but they have not yet enrolled in an MFA method, select Allow users to reset their password without MFA enrollment to allow users to be able to reset their password and prevent lockouts. On successful password reset and login with the new password, they will be prompted to set up MFA.
Password Recovery Email
Users can reset their passwords with a different email than their organization email. Password resets will go to both email address and resetting from the recovery email requires MFA. This address is editable from the ºÚÁϺ£½Ç91Èë¿Ú User Portal.
To enable Password Recovery Email:
- Under Settings > Security > Password Recovery Email, click Enable/Disable Password Recovery Email for users.
- Click Save if these are your only changes.
While an admin can define a recovery email for a user, the user will need to verify it in their User Portal > Profile > Recovery Email before it can be used.
Enable UID/GID (User ID)
A User ID (UID) is a unique value assigned by a Unix operating device to each user. Users are identified to their device by their UID, and usernames are generally used only as an interface for humans. The UID/GID and other access control criteria (POSIX) determine which device resources a user can access. The ºÚÁϺ£½Ç91Èë¿Ú Agent provides a method for manually assigning the UID and GID information for users within the ºÚÁϺ£½Ç91Èë¿Ú Administrator Portal.
Considerations:
- UID and GID management for users won’t handle conflict management in scenarios where a UID or GID already exists on the devices. This functionality expects that any existing UID and GID assignments with the device are known, and a unique identifier is provided within the ºÚÁϺ£½Ç91Èë¿Ú configuration.
- Duplicate UID/GID values are generally not recommended.
- A variety of problems can result from duplicate UID/GIDs, such as a failure to bind users to devices.
- ºÚÁϺ£½Ç91Èë¿Ú doesn’t prevent you from creating duplicate UID/GID values and won’t give a warning when you create duplicate values.
- Duplicate entries aren’t the same as UID/GID conflicts, which will appear as configuration alerts.
To enable UID/GID
- Under Settings > Security > UID/GID Management, click Enable/Disable UID/GID management for users.
- Click Save if these are your only changes.
Password Configurations
Configure the actions taken by various resources (Google Workspace, LDAP, Microsoft 365, & RADIUS) when a user has an expired ºÚÁϺ£½Ç91Èë¿Ú password or is locked out of their ºÚÁϺ£½Ç91Èë¿Ú account. This allows you to customize your organization's security settings. Learn more about configuring these resources below:
Considerations
- The only options that will appear are for integrations that are configured in your organization.
To access the password configuration settings
- Under Settings > Security > Password Configurations select the controls you’d like under your connected resources.
- Learn more about what specific action results in for each resource account below.
- Click Save if these are your only changes.
Google Workspace Password Expiration
- Maintain users: When a user's password expires, they remain in Google Workspace, and can authenticate, receive, and access emails.
- Suspend users: When a user's account password expires, the user is suspended in Google Workspace and can't authenticate or receive emails.
- Remove access: When a user’s account password expires, the user can’t authenticate or access their account, but their account can receive emails so that their company emails don’t bounce.
Google Workspace Account Lockout
- Maintain users: When a user is locked out of ºÚÁϺ£½Ç91Èë¿Ú, they remain in Google Workspace and can authenticate, receive and access emails.
- Suspend users: When a user is locked out of ºÚÁϺ£½Ç91Èë¿Ú, the user is suspended in Google Workspace and can't authenticate or receive emails.
LDAP Password Expiration
- Disable users: When a user's password expires, they remain in LDAP, but aren't able to authenticate to the LDAP service.
- Remove users: When a user's account password expires, the user is removed from the LDAP server and no longer exists in the LDAP service.
LDAP Account Lockout
- Disable users: When a user is locked out of ºÚÁϺ£½Ç91Èë¿Ú, they remain in LDAP, but aren't able to authenticate to the LDAP service.
- Remove users: When a user is locked out of ºÚÁϺ£½Ç91Èë¿Ú, the user is removed from the LDAP server and no longer exists in the LDAP service.
Microsoft 365 Password Expiration
- Maintain users: When a user's password expires, they remain in Microsoft 365, and can authenticate, receive, and access emails.
- Suspend users: When a user's account password expires, the user is suspended in Microsoft 365 and can't authenticate or receive emails.
Microsoft 365 Account Lockout
- Maintain users: When a user is locked out of ºÚÁϺ£½Ç91Èë¿Ú, they remain in Microsoft 365 and can authenticate, receive and access emails.
- Suspend users: When a user is locked out of ºÚÁϺ£½Ç91Èë¿Ú, the user is suspended in Microsoft 365 and can't authenticate or receive emails.
RADIUS Password Expiration
- Maintain users: When a user's password expires, they remain and can authenticate to the RADIUS server.
- Remove users: When a user's account password expires, the user is removed from the RADIUS server and can no longer authenticate to the server.
RADIUS Account Lockout
- Maintain users: When a user is locked out of ºÚÁϺ£½Ç91Èë¿Ú, they remain on the RADIUS server can can authenticate to the server.
- Remove users: When a user is locked out of ºÚÁϺ£½Ç91Èë¿Ú, the user is removed from the RADIUS server and can no longer authenticate to the server.
Additional Resources
- Enroll: