Password Policy for Organization
A password policy is a set of rules defined to increase account security and to encourage users to create and use strong passwords. Password policies are a mandatory part of an organization's security policies, ensuring that accounts are not compromised.
You can define the password policy in the Zoho Mail Control Panel, where you can create rules for parameters such as password expiry, minimum length and so on.
The password policy can be configured with one or more rules from the following parameters:
Passwords can be set to expire periodically, so that users must change their passwords every 'n' days. The password of each user automatically expires 'n' days after the date on which that password was last changed. When you set up the policy for the first time, the expiry period is counted from the date on which each user's password was last changed, not from the date on which the policy was enforced.
Ex: If you want to force all users to change their passwords, set the expiry period to '1' day so that they are all forced to change their passwords at the next login. However, make sure that you reset the policy immediately afterwards; otherwise users will be asked to change their password every day they log in.
The optimum value for password expiry is 30 to 45 days; however, it may vary depending on the nature of the organization.
You can set the minimum password length for your organization members in this parameter. Once you set the minimum length, users will be forced to choose a password of at least that many characters the next time they change their passwords. By default, the minimum length required for passwords is 8.
You can set it even higher if you want users to use a passphrase instead of a password.
This ensures that users do not repeat their previous passwords. Repeated use of the same passwords makes them easier for others to guess. The optimum value for the minimum number of previous passwords that may not be repeated is 3.
If you specify 3, users will not be able to reuse any of the previous 3 passwords they have used.
The mixed-case password criterion makes passwords stronger, since it requires characters of both cases. The user needs to have at least one uppercase letter (A to Z) and one lowercase letter (a to z) in the password. Enforcing mixed-case passwords is an effective way to ensure that all organization users have secure and strong passwords.
In addition to the mixed-case criterion, the admin can specify the minimum number of special characters ($, #, ^ etc.) required in the password. The optimum number of special characters is 1 or 2.
Similar to the number of special characters, the administrator can also specify the minimum number of numeric characters (0-9) required in the password. The optimum number of numeric characters is 1 or 2. These suggestions can vary based on the nature of the organization and its users.
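As an added illustration (not Zoho's own code or API), the following Python models the parameters above as a checker that an application could run on a candidate password: minimum length, mixed case, special and numeric character counts, reuse of the previous 'n' passwords (kept only as salted PBKDF2 digests), and expiry counted from the last change date rather than from when the policy was enabled. The PasswordPolicy class, the definition of "special character" and the 100,000 PBKDF2 iterations are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass  # hypothetical model of the parameters above, not Zoho's own API
class PasswordPolicy:
    expiry_days: int = 45     # 0 disables periodic expiry
    min_length: int = 8
    history_depth: int = 3    # number of previous passwords that may not be reused
    mixed_case: bool = True
    min_special: int = 1
    min_numeric: int = 1

def derive(password: str, salt: bytes) -> bytes:
    """Slow salted hash so history entries never hold the old password in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(password: str) -> tuple[bytes, bytes]:
    """Create a history entry (salt, digest) for a password that was just set."""
    salt = os.urandom(16)
    return salt, derive(password, salt)

def is_expired(last_changed: date, policy: PasswordPolicy, today: date) -> bool:
    """Expiry counts from the last change date, not from when the policy was enabled."""
    if policy.expiry_days <= 0:
        return False
    return today >= last_changed + timedelta(days=policy.expiry_days)

def check_password(candidate: str, policy: PasswordPolicy,
                   history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return every rule the candidate breaks; an empty list means it is accepted."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    has_upper = any("A" <= c <= "Z" for c in candidate)
    has_lower = any("a" <= c <= "z" for c in candidate)
    if policy.mixed_case and not (has_upper and has_lower):
        violations.append("needs both upper and lower case letters")
    # Assumption: a special character is anything that is neither alphanumeric nor whitespace.
    if sum(not c.isalnum() and not c.isspace() for c in candidate) < policy.min_special:
        violations.append(f"needs at least {policy.min_special} special character(s)")
    if sum(c.isdigit() for c in candidate) < policy.min_numeric:
        violations.append(f"needs at least {policy.min_numeric} numeric character(s)")
    # History: re-derive with each stored salt and compare in constant time.
    recent = history[-policy.history_depth:] if policy.history_depth > 0 else []
    if any(hmac.compare_digest(derive(candidate, salt), digest) for salt, digest in recent):
        violations.append(f"reuses one of the previous {policy.history_depth} passwords")
    return violations
```

Note that a history_depth of 0 is handled explicitly, because a naive history[-0:] slice would select the whole list instead of nothing.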
In general, apart from the password policy, ensure that your users follow these best practices:
- Never reuse passwords
- Use passphrases instead of passwords
- Do not share passwords with anyone
- Do not write down passwords
- To have a memorable but strong password, keep a memorable passphrase and swap alphabetic characters with similar-looking numbers or symbols (Ex: use 0 instead of O, use @ instead of a, and so on)
- Ensure that you log out of your accounts at the end of the day
- Do not save your password in browsers
- Never give out your password in phone calls or emails
- Do not log in to your account on public computers if they look suspicious