# Password Policies

Password policies define the rules users must follow when creating or changing their passwords.

## Configuring Password Policies

1. Go to **Security > Password Policies**.
2. Adjust the settings below.
3. Click **Save**.

## Policy Settings

### Complexity Requirements

| Setting                   | Description                         | Default |
| ------------------------- | ----------------------------------- | ------- |
| Minimum length            | Minimum number of characters        | 8       |
| Maximum length            | Maximum number of characters        | 128     |
| Require uppercase         | At least one uppercase letter (A-Z) | Yes     |
| Require lowercase         | At least one lowercase letter (a-z) | Yes     |
| Require number            | At least one digit (0-9)            | Yes     |
| Require special character | At least one symbol (e.g., !@#$%)   | No      |

### Password History

| Setting                     | Description                                    | Default |
| --------------------------- | ---------------------------------------------- | ------- |
| Remember previous passwords | Number of past passwords that cannot be reused | 5       |

### Password Expiration

| Setting                | Description                                    | Default |
| ---------------------- | ---------------------------------------------- | ------- |
| Password expires after | Days until the user must change their password | Never   |
| Warn before expiration | Days before expiry to show a warning           | 7       |

### Account Lockout

| Setting             | Description                                             | Default |
| ------------------- | ------------------------------------------------------- | ------- |
| Max failed attempts | Number of failed login attempts before lockout          | 5       |
| Lockout duration    | Minutes the account stays locked                        | 15      |
| Reset counter after | Minutes of no failed attempts before the counter resets | 15      |
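
The sketch below shows one way the three lockout settings can interact. It is an added example, not AccessIQ's own code. The names `LockoutPolicy`, `AccountState`, `record_attempt` and `simulate` are hypothetical, and two behaviours are assumptions: attempts made during a lockout are rejected without extending it, and a successful login clears the counter.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:              # defaults mirror the Account Lockout table
    max_failed_attempts: int = 5
    lockout_minutes: int = 15
    reset_after_minutes: int = 15

@dataclass
class AccountState:               # hypothetical per-account record
    failures: int = 0
    last_failure: Optional[float] = None   # minutes since an arbitrary epoch
    locked_until: Optional[float] = None

def record_attempt(policy, state, success, now):
    """Apply one login attempt at time `now` (minutes); return ok/failed/locked."""
    if state.locked_until is not None:
        if now < state.locked_until:
            # Assumption: rejected even if the password is correct, and
            # further attempts do not push the unlock time back.
            return "locked"
        # Lockout has expired: start again with a clean counter.
        state.failures, state.last_failure, state.locked_until = 0, None, None
    if success:
        # Assumption: a successful login clears the failure counter.
        state.failures, state.last_failure = 0, None
        return "ok"
    if (state.last_failure is not None
            and now - state.last_failure >= policy.reset_after_minutes):
        state.failures = 0        # "Reset counter after": a quiet window passed
    state.failures += 1
    state.last_failure = now
    if state.failures >= policy.max_failed_attempts:
        state.locked_until = now + policy.lockout_minutes
        return "locked"
    return "failed"

def simulate(events, policy=None):
    """Replay constructed (minute, success) events against a fresh account."""
    policy, state = policy or LockoutPolicy(), AccountState()
    return [record_attempt(policy, state, ok, t) for t, ok in events]

# Constructed timelines (minute, success), not real logs.
BURST = [(0, False), (1, False), (2, False), (3, False), (4, False), (10, True), (19, True)]
SLOW = [(0, False), (1, False), (2, False), (3, False), (18, False), (19, False)]

if __name__ == "__main__":
    print(simulate(BURST))
    print(simulate(SLOW))
```

In `BURST` the fifth failure locks the account until minute 19, so the correct password at minute 10 is still refused. In `SLOW` the 15-minute gap after the fourth failure restarts the count at one.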

## When Policies Apply

* **New passwords**: Users must meet the current policy when setting a new password.
* **Existing passwords**: Users with passwords that do not meet an updated policy are prompted to change their password at next login.
* **Password expiration**: Users are redirected to the password change screen when their password expires.

## Best Practices

* Set a minimum length of at least 12 characters. Longer passwords are more secure than complex short ones.
* Enable password history to prevent users from cycling through the same passwords.
* Use account lockout to slow down brute-force attacks, but keep the lockout duration reasonable to avoid excessive support requests.
* Consider whether password expiration is necessary for your organization. Frequent forced changes can lead to weaker passwords.

