Password Policy for a secure organization

The Admins of your organization can define a set of rules on how a user should create a password for their custom email address, to keep the email account secure. By setting a password policy, you can mandate users to use a strong password and make sure your account stays secure.

Configure Password Policy

  1. Login to Zoho Mail Admin Console
  2. Navigate to Security and Compliance in the left pane. 
  3. Click Security and go to Password Policy
  4. On the Password Policy section, specify the values for the respective fields. You can also choose to send a password expiry notification to the users and remind them to change their passwords by checking the "Send password expiry notification to users" option.
  5. Once done, click Update.

You can also reset the edits you made from the previous setting by clicking Reset and go back to the initial configuration that Zoho Mail set as default by clicking Reset To Default.

Rules you can set under Password Policy

Minimum password length

You can set the minimum length of Password for your organization members in the parameter. Once you set the minimum length, the next time the users change their Passwords, they will be forced to choose a password with minimum characters chosen in the Policy. By default, the minimum length required for passwords is 8.

You can make it even higher, in case you want the users to use a passphrase instead of a password but can't go lower than 8.

Minimum number of passwords in history

This ensures that the users do not repeat their previous passwords. The repeated use of the same passwords makes the passwords easily guessable by others. The optimum value for the minimum number of passwords not to be repeated is 3. If you specify 3, the users will not be able to reuse the previous 3 passwords they have used.

Minimum number of special characters

In addition to the Mixed Password criteria, the admin can specify a condition about the minimum number of special characters ($,#,^,@, etc.) in the Password. The optimum number of Special Characters is 1 or 2.

Minimum number of Numeric Characters

Similar to the number of special characters, the administrator can also specify the condition about the minimum number of numeric characters (0-9) in the Password. The optimum number of numeric characters is 1 or 2.

Password Expiry Period(Days)/ Password Duration

The Passwords can be set to expire periodically, where the users will change their passwords after every 'n' number of days. This ensures that the users change their passwords periodically. The Password of each user will automatically expire after the 'n' number of days from the date the Password is changed. When you set up the policy for the first time, the policy will be in effect from the previous date on which the password was changed and not from the date on which the Policy has been enforced. 

Ex: If you want to force all the users to change their Passwords, you can set the expiry period as '1' day so that they will all be forced to change their passwords in the next login. However make sure that you immediately reset the policy, as otherwise, the users will be asked to change the password every day they login. 

The optimum value for Password expiry is 30 to 45 days.


These suggestions can vary based on the nature of the organization and its users.

Password best practices

In general, apart from the Password policy, ensure that your users follow the following best practices. 

  • Never reuse passwords
  • Use Passphrases instead of Passwords
  • Do not share the passwords with anyone
  • Do not write down the passwords
  • To have a memorable but strong password, keep a memorable passphrase and swap alphabetic characters with similar-looking numbers or symbols (Ex: use 0 instead of O, use @ instead of a., and so on).
  • Ensure that you log out of your accounts at the end of the day
  • Do not save your password in the browsers
  • Never give out your password in phone calls or emails
  • Do not login to your account on Public computers if it looks suspicious

Still can't find what you're looking for?

Write to us: