Manage your users' password settings

As an administrator, you can enforce password requirements to protect your users’ managed Google Accounts and meet your organization’s compliance needs. You can also see which of your users’ passwords are weak by monitoring their password strength.

Help keep user accounts secure

  • Require a strong password—You can force users with weak passwords to change them. You can also require a certain number of characters for passwords.
  • Prevent users from reusing old passwords
  • Force users to change their passwords after a certain period of time—You can determine when users are asked to change their password. 30 days prior to password expiration, users get a reminder 4 times to change their password when they sign in. If they ignore the reminders, they’re forced to change their password the next time they sign in. However, if you set a user’s session length to never expire, they might not see a prompt to change the password, even after the password expires. For more information, see Set session length for Google services.
  • Explain the importance of strong passwords—To help users create strong passwords, share these password tips.​

Password policy considerations

  • You can update user passwords as a hash by using the bulk user upload tool or the G Suite Password Sync tool. However, if you apply password policies to an entire organizational unit and then upload passwords as a hash for a subset of users in that unit, the policies are not enforced for that subset of users. For details, see the G Suite Admin SDK and About G Suite Password Sync.
  • Password policies don't apply to any user passwords that you reset manually. If you manually reset a password, make sure to select Start password policy enforcement at next sign in for that user.
  • The password policies you configure don't apply to users who are authenticated on a third-party identity provider (IdP) using SAML.

Set password requirements

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Security and then Password management.

    To see Security on the dashboard, you might have to click More controls at the bottom.

  3. On the left, select the organizational unit where you want to set the password policies.

    For all users, select the top-level organizational unit. Otherwise, select another organization to make settings for its users. Initially, an organization inherits the settings of its parent organization. 

  4. In the Password strength section, check the Enforce strong password box.

    A number of algorithms and rules determine whether a password is strong, including a review of common or previously used passwords. 

  5. In the Password length section, enter a minimum and maximum length for your users' passwords. It can be between 8 and 100 characters.

  6. (Optional) To force users to change their password, check the Start password policy enforcement at next sign in box.

    If you don’t check this option, users with weak passwords can access your organization’s Google services until they decide to change their password.

  7. (Optional) To allow users to reuse an old password, check the Allow password reuse box.

    You cannot set the password history that Google reviews to prevent reuse.

  8. In the Password expiration section, select the period of time after which passwords expire.
  9. Click Override to keep the setting the same, even if the parent setting changes.
  10. If the organizational unit's status is already Overridden, choose an option:
    • Inherit—Reverts to the same setting as its parent.
    • Save—Saves your new setting (even if the parent setting changes).
  11. Give your users tips for creating a strong password.

Monitor your users’ password strength

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Securityand thenPassword monitoring.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Review each user’s password length and strength. Red numbers and yellow, incomplete bars indicate weak passwords. Contact these users and ask them to update their password.

    You’ll see zero (0) and a gray bar if a hashed password is set through the Admin SDK.

Was this article helpful?
How can we improve it?