As a user management admin, you can enforce password requirements to protect your users’ managed Google Accounts and meet your organization’s compliance needs. You can also see which of your users’ passwords are weak by monitoring their password strength.
Help keep user accounts secure
- Require a strong password—You can force users with weak passwords to change them. You can also require a certain number of characters for passwords.
- Prevent users from reusing old passwords.
- Explain the importance of strong passwords—To help users create strong passwords, share these password tips.
When password policies don't apply
- You can update user passwords as a hash by using the bulk user upload tool or the G Suite Password Sync tool. However, if you apply password policies to an entire organizational unit and then upload passwords as a hash for a subset of users in that unit, the policies are not enforced for that subset of users. For details, see the G Suite Admin SDK and About G Suite Password Sync.
- Password policies don't apply to any user passwords that you reset manually. If you manually reset a password, make sure to select Enforce password policy at next sign-in for that user.
- The password policies you configure don't apply to users who are authenticated on a third-party identity provider (IdP) using SAML.
Password expiration is turned off by default because research has shown little positive impact on security. You can set user's passwords to expire if required for compliance reasons.
How it works
30 days before the password expiration date, users receive alerts in their Google services such as Gmail and Calendar. Users can change their password or close the alert. If a user doesn't change their password, the alert appears the next time that user signs in to their account. After the user closes the alert 3 times, the alert won't appear again.
What determines when a user needs to change their password?
When you first set up a password expiration policy (for example, for 30, 60, 90, 180, or 365 days), some users might be prompted to change their passwords immediately, while others won't need to change their passwords right away. For example:
- If you set up a 90-day expiration policy, and a user within your organization last changed their password 100 days ago, that user's password will expire as soon as you set up the policy. Therefore, the next time they try signing in to their account, that user will be prompted to change their password immediately.
- If you set up a 90-day expiration policy, and a user within your organization last changed their password 30 days ago, that user's password hasn't expired yet. Therefore, they won't be required to change their password immediately, but will be required to change it in 60 days.
Set password requirements
From the Admin console Home page, go to SecurityPassword management.
- On the left, select the organizational unit where you want to set the password policies.
For all users, select the top-level organizational unit. Otherwise, select another organization to make settings for its users. Initially, an organization inherits the settings of its parent organization.
- In the Strength section, check the Enforce strong password box.
Learn more about strong passwords.
In the Length section, enter a minimum and maximum length for your users' passwords. It can be between 8 and 100 characters.
- (Optional) To force users to change their password, check the Enforce password policy at next sign-in box.
If you don’t check this option, users with weak passwords can access your organization’s Google services until they decide to change their password.
- (Optional) To allow users to reuse an old password, check the Allow password reuse box.
You cannot set the password history that Google reviews to prevent reuse.
- In the Expiration section, select the period of time after which passwords expire.
- Click Override to keep the setting the same, even if the parent setting changes.
- If the organizational unit's status is already Overridden, choose an option:
- Inherit—Reverts to the same setting as its parent.
- Save—Saves your new setting (even if the parent setting changes).
- Give your users tips for creating a strong password.
Monitor your users’ password strength
From the Admin console Home page, go to Reports.
- Do either of the following:
- To see password strength listed by user, go to ReportsUser reportsAccounts. Learn more about Account reports.
- To see password strength information in graph form, go to ReportsApps ReportsAccounts.