Password Requirements
To ensure the security of the mail server and its mailboxes, domain administrators can contribute to the minimum requirements for user passwords. This includes things like setting requirements for how a password is generated (character count, upper/lowercase, etc.) as well as whether passwords expire, whether previous passwords can be used, and more.
NOTE: The system administrator has the ability to set a baseline for password requirements that all users must follow. When this occurs, those password requirement settings will be disabled for domain administrators while others can be toggled on or off. This allows domain administrators to strengthen password requirements for their users, but they will not be able to reduce the requirements that were set as a baseline.
For example, a system administrator may set some password requirements, such as passwords must have a minimum of 12 characters and require at least number, one capital letter, and one lowercase letter. When these are set, the domain administrator can only add additional requirements (e.g., require at least one symbol), but they cannot remove any of the other requirements.
When accessing Password Requirements, the following tabs are available, and each tab has its own cards:
Options
This page allows a domain administrator to modify the baseline requirements set by the system administrator.
Requirements
- Minimum Password Length - Enter the minimum number of characters the password must have.
- At least one number - Select this option to force users to include a number in the password.
- At least one capital letter - Select this option to force users to include a capital letter in the password.
- At least one lowercase letter - Select this option to force users to include a lowercase letter in the password.
- At least one symbol - Select this option to force users to include a symbol in the password.
- May not match username - Select this option to ensure that the username and password do not match.
Options
- Prevent common passwords - Select this option to prevent users from configuring passwords that are included in the list of commonly used, insecure passwords.
- Prevent previous passwords reuse - Select this option to prevent users from using any previously used passwords. Note: This setting prohibits old passwords from being used indefinitely. It is not based on a time interval.
- Previous Passwords to Block - Some administrators will allow re-use of passwords after a certain amount of time, or after some number of rotations. This number reflects the number of times a new password needs to be used before a password can be re-used. By default, this is set to 0, meaning passwords can never be re-used.
- Skip enforcement for existing passwords - Select this option to skip existing users when making changes to password requirements -- meaning the changes will only affect new users or new passwords.
- Enable password retrieval - Select this option to allow users to reset their password if they forget it. Note: In order for users to utilize password retrieval, they must have a Recovery Address configured in their account settings.
Expiration
Password expiration is based on the date/age of the user's current password, NOT when the password expiration setting is enabled. This means that users who have not changed their passwords in a long time will be required to change them almost immediately upon enabling the "Passwords expire automatically" setting.
As an example, let's say you enabled password expiration today and set the threshold to 1 month. This is the expected behavior for the following user scenarios:
- If the user changed their password last week, their password will not be expired. Instead, it will expire in 3 weeks (when the password is 1 month old).
- IF the user changed their password last year, their password is over the 1-month threshold and will be expired immediately.
- If the user was created 2 weeks ago and has never changed their password, their password will not be expired. Instead, it will expire in 2 weeks (when the password is 1 month old).
- If the user was created 2 months ago and has never changed their password, their password is over the 1-month threshold and will be expired immediately.
Initially, "Passwords expire automatically" is disabled. Enabling it offers the following settings:
- Password Expiration (Months) - The number of months that a password is valid. After the specified time, a user's outgoing SMTP will be disabled and a password change will be forced upon Web interface login. Move the slider to the right to enable this setting. Note: If a user's 'Disable password changes' setting is enabled, their password will not expire.
- User Notification Timing (Days separated by commas) - The interval(s) used to notify users of when their password will expire or when their auto-block grace period will end and, subsequently, their outgoing SMTP will be disabled. The default values are 28, 14, 7, 3, 2, 1 days. This means SmarterMail will send out warning messages to the user to change their password 28 days, 14 days, 7 days, 3 days, 2 days and 1 day before their password officially expires or the grace period ends if their password violates the requirements. Note: SmarterMail will send one, single notification for all missed intervals. For example, imagine "Auto-block Grace Period" is set for 30 days and the "User Notification Timing" is set at 60, 45, 25, 10, 2, 1. When a user is in violation, SmarterMail will send a single notification for the 60 and 45 day intervals then continue as normal at the 25-day interval.
- Disable outbound mail after grace period ends - Select this option to disable outgoing SMTP after the auto-block grace period ends when a user's password does not meet the password requirements.
- Auto-block Grace Period (Days) - Available when the "Disable outbound mail..." setting is enabled. This is the number of days a user can wait to update their password before outgoing SMTP is disabled due to password policy violation. Note: This setting only applies if the "Disable outgoing SMTP when auto-block grace period ends" setting is enabled.
Password Violations
The Password Violations tab offers administrators a way to find users that aren't following the password requirements that have been set up. For any Users who appear on this list, the administrator is able to either email the users individually, or force their non-compliant password to expire. This latter action means that the user will be forced to change their password the next time they log in to their email account. In addition, it's possible to export a list of the non-compliant users in CSV format.
When Users appear on this page, the following information will be available:
- Username - The username of the non-compliant account
- Authentication - The Authentication Mode used by the account: SmarterMail or Active Directory.
- Domain - The domain name that's associated to the Username.
- Password Changes Disabled - If a specific user has the ability to change their password disabled, their user is marked accordingly in this column.
- Violations - The number of password requirement violations encountered for the User.
Expired Passwords
By default, this tab displays all accounts set up for the domain. The numbers displayed on the tab show the number of passwords that have expired over the total number of accounts set up. For example, that tab may show 10/275, meaning 10 accounts out of 275 total have passwords that have expired. This tab could, of course, also show 0/275 if there are no expired passwords.
Depending on the business rules used for the domain, the domain administrator has some actions that can be performed on each account, which are detailed below. Each account is listed and the following information is displayed:
- Username - The account that is set up.
- Authentication - The type of authentication used for the account, either "Local" or "Active Directory", generally. Local authentication means the account owner set their own password.
- Expired - If the user's password is expired, a check mark appears in this column.
- Password Age - How old the password is. For example, 2 years, 3 days, 15 minutes, etc.
As mentioned, administrators have the ability to take action on users, either users who have expired passwords or users who do not. These actions include:
- Send Email - Opens a modal window that allows the administrator to create, and send, an email to the user(s) informing them that they need to reset their password. However, the administrator can customize the entire message to say what they want.
- Expire Password - Will automatically expire password(s) for the user(s), forcing a change the next time the user attempts to log in.
Password Age
By default, this page will list all users and the respective age of the passwords assigned to each. This allows system administrators to find users who may, due to the age of their password, want to change said password. In addition, it can help find little-used accounts that may be ripe for compromise if their password is over a certain age. Each account is listed and the following information is displayed:
- Username - The account that is set up.
- Two-Step Authentication - Whether the username has Two-Step Authentication enabled.
- Expired - If the user's password is expired, a check mark appears in this column.
- Password Age - How old the password is. For example, 2 years, 3 days, 15 minutes, etc.