Set password strength and user password recovery

You can help protect your users' accounts by managing and monitoring the strength of their passwords. You can set length requirements to prevent users from creating passwords that are too short, and you can monitor the strength of each user's password to identify passwords that meet your length requirement but aren't secure in other ways. You can also allow each user to reset their password without administrator assistance.

Help your users choose strong passwords by sharing our password selection tips.
Set password length requirements
  1. Sign in to the Google Admin console.
  2. From the dashboard, click Security > Basic settings.
  3. In the Password strength section, enter a minimum and maximum length for your users' passwords.

    The Admin console requires passwords to be at least 8 characters. The password length must be between 8 and 100 characters.

  4. Click Save changes.
Monitor each user's password strength

View the length of each user's password with a graph showing its relative strength based on other criteria. The graph's indicators can assess password strength upon user sign-in. The indicators change over time relative to your password length requirements and common passwords known to be vulnerable.

  1. Sign in to the Google Admin console.
  2. From the dashboard, click Security > Password monitoring.
Enable non-admin user password recovery

You can set up the system to allow your non-administrator users to reset their passwords on their own. Your users need to have set up a recovery phone number where they can use either a voice message or a text message to receive their recovery code. They can reset their password by entering the email address they use to sign in to Google. They are then prompted through the process.

Since Google Apps for Education K-12 users can't supply a recovery phone number, this feature is not applicable for them. Google Apps for Education users in college who can supply a recovery phone number can use this feature.

Users with 2-step verification who reset their passwords are prompted to contact their administrator.

If you're running Single Sign-On (SSO), then this feature is not available. You will not see the Enable/disable non-admin user password recovery link. If you're running Google Apps Password Sync for Active Directory (GAPS), then this feature is not applicable. Because GAPS is used to keep Google Apps passwords in sync with Active Directory passwords, GAPS users use Active Directory to reset passwords.

The default setting is off. If you want your users to reset their passwords on their own, change this setting to on.
 

Off-boarding considerations

If you decide to enable this feature to allow your users to recover passwords, you need to pay close attention to your user off-boarding process.

When a user is terminated, an administrator must remove the recovery email address and the recovery phone number for the terminated user so they can't use the password recovery feature.
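
The off-boarding check above can be run over an exported user list. The following is an added example, not part of the original page or of any Google tool. It assumes records whose field names mirror the Admin SDK Directory API user resource and treats `suspended` as the marker for a terminated user; the sample data is constructed.

```python
# Constructed sample records; field names mirror the Admin SDK Directory API
# user resource (an assumption, the page itself only covers the Admin console).
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "suspended": False,
     "recoveryEmail": "alice@personal.example", "recoveryPhone": "+15550100",
     "isEnrolledIn2Sv": False},
    {"primaryEmail": "bob@example.com", "suspended": True,
     "recoveryEmail": "bob@personal.example", "recoveryPhone": "+15550101",
     "isEnrolledIn2Sv": False},
    {"primaryEmail": "carol@example.com", "suspended": False,
     "recoveryEmail": "", "recoveryPhone": "", "isEnrolledIn2Sv": False},
    {"primaryEmail": "dave@example.com", "suspended": False,
     "recoveryPhone": "+15550103", "isEnrolledIn2Sv": True},
    {"primaryEmail": "erin@example.com", "suspended": True,
     "isEnrolledIn2Sv": False},
]

RECOVERY_FIELDS = ("recoveryEmail", "recoveryPhone")


def audit_recovery(users):
    """Sort users into the cases the page describes for self-service recovery."""
    report = {"offboarding_gap": {}, "no_recovery_phone": [],
              "must_contact_admin": [], "self_service_ready": []}
    for user in users:
        email = user["primaryEmail"]
        leftover = [f for f in RECOVERY_FIELDS if (user.get(f) or "").strip()]
        if user.get("suspended"):
            # Off-boarded account (assumed: suspended == terminated). Any
            # leftover recovery option still allows a password reset, so
            # list exactly what the administrator has to remove.
            if leftover:
                report["offboarding_gap"][email] = leftover
        elif user.get("isEnrolledIn2Sv"):
            # 2-step verification users are sent to their administrator.
            report["must_contact_admin"].append(email)
        elif "recoveryPhone" not in leftover:
            # The recovery code is delivered by voice or text message only.
            report["no_recovery_phone"].append(email)
        else:
            report["self_service_ready"].append(email)
    return report


if __name__ == "__main__":
    for category, members in audit_recovery(SAMPLE_USERS).items():
        print(category, members)
```

Every entry under `offboarding_gap` is a terminated account whose listed recovery options still need to be removed.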
 

Hijacked account considerations

If you suspect that an account with user password recovery enabled is being hijacked, we recommend that you sign in to the account as the user and go to Account settings > Security to verify that the account recovery email address and phone number belong to the legitimate user. If they don't, remove the recovery email address and the recovery phone number.

To enable non-admin user password recovery:
  1. Sign in to the Google Admin console.
  2. From the dashboard, click Security > Basic settings.
  3. In the Password management section, under the Password recovery heading, click the Enable/disable non-admin user password recovery link to access the Advanced security settings.
  4. In the Recovery section, under the Password recovery heading, check the Enable non-admin user password recovery box.