As an admin, you can enforce password requirements to protect your users’ managed Google Accounts and meet your organization’s compliance needs. You can also see which of your users’ passwords are weak by monitoring their password strength.
Help keep user accounts secure
- Require a strong password—You can force users with weak passwords to change them. You can also require a certain number of characters for passwords.
- Prevent users from reusing old passwords.
- Explain the importance of strong passwords—To help users create strong passwords, share these password tips.
Before you begin
- Google can't enforce password strength and length requirements on passwords set using a hash method—for example, passwords created using the bulk user upload tool, the Directory API, or sync tools such as Password Sync or Google Cloud Directory Sync. For details, visit the Google Workspace Admin SDK or see About Password Sync.
- Password strength and length requirements don't apply to any user passwords that you reset manually. If you manually reset a password, make sure to check the Ask user to change their password when they sign in box for that user.
- The password policies you configure don't apply to users who are authenticated on a third-party identity provider (IdP) using SAML.
If you enforce strong passwords, Google uses a password strength-rating algorithm to ensure that a password:
- Has a high level of randomness, called password entropy, which you can achieve using a long string of characters of different types, such as uppercase letters, lowercase letters, numerals, and special characters
Note: A strong password doesn't need to have a specific number of characters of a specific type.
- Is not a commonly used weak password, like "123456" or "password123"
- Is not easy to guess, such as simple words or phrases, or patterns in which the password is the same as the username
- Is not known to be compromised—that is, it's not in a database of breached accounts
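As an added illustration of the four criteria above (not Google's own rating algorithm, which the article doesn't publish), the following Python rates a password against each one; the weak-password list and the breached-hash set are small constructed samples, and the entropy threshold is an assumed value.

```python
import hashlib
import math
import string

# Constructed sample data: a tiny "commonly used weak password" list and a
# set of SHA-1 digests standing in for a database of breached credentials.
COMMON_WEAK = {"123456", "password", "password123", "qwerty", "letmein"}
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("Summer2019!", "Welcome1")
}


def entropy_bits(password: str) -> float:
    """Estimate entropy as length * log2(pool size), where the pool is the
    union of the character classes actually present. No class is mandatory,
    matching the note that strong passwords need no fixed mix of types."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def rate_password(password: str, username: str, min_bits: float = 50.0) -> list[str]:
    """Return the reasons a password is weak; an empty list means it passes.
    min_bits is an assumed threshold, not a published Google value."""
    reasons = []
    if entropy_bits(password) < min_bits:
        reasons.append("low entropy")
    if password.lower() in COMMON_WEAK:
        reasons.append("commonly used weak password")
    local_part = username.split("@")[0].lower()
    if local_part and local_part in password.lower():
        reasons.append("contains username")
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("found in breach database")
    return reasons
```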
Password expiration is turned off by default because research has shown little positive impact on security. You can set users' passwords to expire after a number of days (such as 90 or 180 days) if required for compliance reasons.
Password expiration is enforced only for browser-based application sign-ins. It's not enforced on users who use only phones or who are logged in using OAuth-authenticated apps.
If you set a password expiration period, users receive pop-up alerts (but not email reminders) in their Google services, such as Gmail and Calendar, 30 days before the password expiration date. Users can change their password or close the alert. If a user doesn't change their password, the alert appears the next time they sign in to their account. The alert stops appearing after the user closes it 3 times. However, after password expiration, the user must change their password at the next sign-in.
When users need to change their password
When you first set up a password expiration policy, some users might be prompted to change their passwords immediately, while others won't need to change their passwords right away. For example:
- If you set up a 90-day expiration policy, and a user last changed their password 100 days ago, that user's password will expire as soon as you set up the policy. They'll be prompted to change their password the next time they attempt to sign in to their account.
- If you set up a 90-day expiration policy, and a user last changed their password 30 days ago, that user's password hasn't expired yet. After 60 days, they'll be prompted to change their password the next time they attempt to sign in.
Set password requirements
In the Admin console, go to Menu > Security > Authentication > Password management.
- On the left, select the organizational unit where you want to set the password policies.
For all users, select the top-level organizational unit. Otherwise, select another organization to make settings for its users. Initially, an organization inherits the settings of its parent organization.
- In the Strength section, check the Enforce strong password box.
Learn more about strong passwords.
- In the Length section, enter a minimum and maximum length for your users' passwords. The length can be between 8 and 100 characters.
- (Optional) To force users to change their password, check the Enforce password policy at next sign-in box.
If you don’t check this option, users with weak passwords can access your organization’s Google services until they decide to change their password.
- (Optional) To allow users to reuse an old password, check the Allow password reuse box.
You cannot set the password history that Google reviews to prevent reuse.
- In the Expiration section, select the period of time after which passwords expire.
Note: If a user account has added a delegated user, the delegated user can still access the account, even if the account password has expired. To prevent ongoing access, either reset the account password, or remove the delegated user.
- Click Override to keep the setting the same, even if the parent setting changes.
- If the organizational unit's status is already Overridden, choose an option:
- Inherit—Reverts to the same setting as its parent.
- Save—Saves your new setting (even if the parent setting changes).
- Give your users tips for creating a strong password.
Monitor your users’ password strength
In the Admin console, go to Menu > Reporting > Reports > User Reports > Accounts.
- (Optional) To examine password strength information in graph form, go to Reports > Apps Reports > Accounts. Learn more about Account reports.