Configuring Password Complexity and Expiration

Document created by user.oxriBaJeN4 Employee on Sep 16, 2015. Last modified by user.oxriBaJeN4 Employee on Aug 22, 2016. Version 5.

Mimecast provides options for administrators to enforce password complexity, expiration, and lockout settings for user accounts. These settings reduce the risk of a breach of the Mimecast cloud account through weak end-user passwords or online brute force attacks. They include the minimum password length and complexity (e.g. requiring numeric, non-alphanumeric, and uppercase characters), the expiration period, and the account lockout policy.

The use of non-ASCII characters in passwords is not recommended, as they may prevent user authentication.

Password policy settings are configured globally for your Mimecast account. They apply to Mimecast local user accounts and therefore affect cloud passwords only, not Directory account passwords. The one exception is account lockout, which also applies to Directory accounts.

Once password complexity and expiration settings have been configured, they apply to all scenarios when the Mimecast cloud password is set or changed. For example:

  • End-user sets or changes their cloud password in Mimecast Personal Portal.
  • Administrator sets or changes a cloud password for a user account in the Administration Console.
  • Administrator sets or changes cloud passwords for several users via a spreadsheet import.

Individual user accounts can be excluded from password expiration only (see Excluding Accounts from Password Expiration Settings below); the complexity and lockout rules cannot be bypassed for individual accounts.

Configuring Password Complexity and Expiration Settings

Changing the password complexity and expiration settings does not affect existing passwords. When an existing password expires, or is next changed, the new password must meet the minimum length and the enabled rules.


To configure your password complexity and expiration settings:

  1. Access your Mimecast Account Settings.
  2. Expand the Password Complexity and Expiration section.
  3. Complete the Password Complexity section as required. Minimum Password Length is a value rather than a toggle and always applies; of the four "Include at Least One..." rules that follow it, at least three must be enabled.

     Minimum Password Length: Sets the minimum length for a password, from 8 to 30 characters.
     Include at Least One Lowercase Alphabetical Character (a-z): At least one lowercase letter must be included in the password.
     Include at Least One Uppercase Alphabetical Character (A-Z): At least one uppercase letter must be included in the password.
     Include at Least One Numerical Character (0-9): At least one digit must be included in the password.
     Include at Least One Non-Alphanumeric Character (!*&@): At least one non-alphanumeric character must be included in the password.
  4. Complete the Password Expiration and Account Lockout settings as required.

     Password Expiration: Specifies whether cloud passwords expire. The options are Never, 5, 30, 45, 60, 75, or 90 days. Once a password has expired, the user cannot log on until the cloud password has been changed.
     Use System Default: Mimecast enforces a minimum default lockout setting that cannot be disabled. With this option selected, an account is locked for 15 minutes after five consecutive unsuccessful logon attempts. To use different values, specify your own in the Account Lockout Threshold and Account Lockout Duration fields.
     Account Lockout Threshold: The number of consecutive unsuccessful logon attempts before the account is locked. The administrator can choose between 3 and 10 attempts.
     Account Lockout Duration: A locked account is unlocked either manually by an administrator or automatically after a set period:
       • Manual: The administrator must unlock each locked account (see Unlocking an Account below).
       • Automatic: 5, 10, 15, 20, 25, 30, or 35 minutes. The account unlocks itself after this time. A short duration combined with a high threshold raises the number of guesses an attacker can make per day, so it could permit a successful brute force attack against an account with a weak password.
  5. Click the Save button.
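The interaction between the lockout threshold and the lockout duration is easiest to see in code. The following is an added example written for this page, not Mimecast's implementation: it models an account's lockout state under a chosen policy, restricted to the values the console offers (threshold 3 to 10, automatic unlock after 5 to 35 minutes, or manual unlock), and computes the upper bound on online guesses per day that each policy allows. The rule that a correct password is also refused while the account is locked follows the page; the assumption that attempts made during the lock do not extend it is this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Values the console offers, per the page: threshold 3..10 attempts,
# automatic unlock after 5..35 minutes in 5-minute steps, or manual unlock.
AUTO_DURATIONS = {timedelta(minutes=m) for m in range(5, 40, 5)}
SYSTEM_DEFAULT_THRESHOLD = 5                 # "Use System Default" values
SYSTEM_DEFAULT_DURATION = timedelta(minutes=15)


@dataclass
class LockoutPolicy:
    threshold: int = SYSTEM_DEFAULT_THRESHOLD
    duration: Optional[timedelta] = SYSTEM_DEFAULT_DURATION  # None = manual unlock only

    def __post_init__(self) -> None:
        # Reject combinations the Administration Console would not accept.
        if not 3 <= self.threshold <= 10:
            raise ValueError("Account Lockout Threshold must be between 3 and 10")
        if self.duration is not None and self.duration not in AUTO_DURATIONS:
            raise ValueError("Account Lockout Duration must be 5..35 minutes or manual")


@dataclass
class AccountState:
    failures: int = 0                        # consecutive unsuccessful attempts
    locked_until: Optional[datetime] = None  # None = not locked; datetime.max = manual unlock


def unlock(state: AccountState) -> None:
    """What the administrator's Unlock Account button does."""
    state.failures = 0
    state.locked_until = None


def attempt_login(state: AccountState, policy: LockoutPolicy,
                  correct: bool, now: datetime) -> str:
    """Apply one logon attempt and return 'ok', 'fail' or 'locked'.

    Modelling assumption (not stated on the page): attempts made while the
    account is locked are refused outright, even with the right password,
    and do not extend the lock.
    """
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"
        unlock(state)  # automatic unlock: the duration has elapsed
    if correct:
        state.failures = 0  # a successful logon resets the consecutive-failure count
        return "ok"
    state.failures += 1
    if state.failures >= policy.threshold:
        state.locked_until = (datetime.max if policy.duration is None
                              else now + policy.duration)
        return "locked"
    return "fail"


def max_guesses_per_day(policy: LockoutPolicy) -> int:
    """Upper bound on online guesses per day against one account under this policy.

    With automatic unlock an attacker gets `threshold` guesses per lockout cycle,
    and a day holds (24h / duration) such cycles.
    """
    if policy.duration is None:
        return policy.threshold  # locked until an administrator intervenes
    cycles_per_day = timedelta(days=1) // policy.duration
    return policy.threshold * cycles_per_day


if __name__ == "__main__":
    # Constructed scenario: three bad guesses, then the right password too early.
    policy = LockoutPolicy(threshold=3, duration=timedelta(minutes=5))
    state = AccountState()
    t0 = datetime(2016, 8, 22, 9, 0, 0)
    for seconds, ok in ((0, False), (1, False), (2, False), (60, True), (302, True)):
        print(seconds, attempt_login(state, policy, ok, t0 + timedelta(seconds=seconds)))
    for p in (LockoutPolicy(), LockoutPolicy(threshold=10, duration=timedelta(minutes=5)),
              LockoutPolicy(threshold=3, duration=None)):
        print(p, "->", max_guesses_per_day(p), "guesses/day")
```

The numbers from `max_guesses_per_day` are the practical reading of the page's warning: the system default (5 attempts, 15 minutes) caps an attacker at 480 guesses per day per account, while 10 attempts with a 5-minute lockout allows 2,880. Manual unlock gives the smallest bound, but any lockout policy also lets someone who knows a username deliberately lock that account, which is why the administrator's unlock procedure below matters.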


Forbidden Words / Password Validation


In addition to the complexity rules, cloud passwords are rejected if they contain the word "mimecast" or "password" anywhere, in any combination of upper and lower case. Using either word produces an error. Examples of passwords that are rejected for this reason:

  • 01MimeCast!
  • £MIMeCaST34
  • 55pAssWoRD
  • PaSSwOrd$1
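The following added example, written for this page rather than taken from Mimecast, implements the complexity rules from the Password Complexity section together with the forbidden-word check and the non-ASCII warning, so that passwords can be pre-checked before a spreadsheet import instead of failing one by one in the console. The policy values are constructed for the example (minimum length 8, all four class rules enabled); the validator also refuses policies the console itself would not accept (length outside 8 to 30, fewer than three class rules). The case-insensitive substring match for the forbidden words is inferred from the page's own rejected examples.

```python
import re
from typing import Dict, List, Tuple

# Words the page says are rejected in any case combination.
FORBIDDEN_WORDS = ("mimecast", "password")

# The four "Include at Least One..." rules, as named in the console.
CLASS_RULES = {
    "lowercase": (re.compile(r"[a-z]"), "no lowercase letter (a-z)"),
    "uppercase": (re.compile(r"[A-Z]"), "no uppercase letter (A-Z)"),
    "numeric": (re.compile(r"[0-9]"), "no numerical character (0-9)"),
    "non_alphanumeric": (re.compile(r"[^A-Za-z0-9]"), "no non-alphanumeric character"),
}

# Constructed policy for this example (the console allows 8..30 for the length
# and requires at least three of the four class rules to be enabled).
DEFAULT_POLICY = {
    "min_length": 8,
    "lowercase": True,
    "uppercase": True,
    "numeric": True,
    "non_alphanumeric": True,
}


def validate_policy(policy: dict) -> None:
    """Reject a policy the Administration Console would not let you save."""
    if not 8 <= policy["min_length"] <= 30:
        raise ValueError("Minimum Password Length must be between 8 and 30")
    if sum(bool(policy[name]) for name in CLASS_RULES) < 3:
        raise ValueError("at least three of the four character-class rules must be enabled")


def check_password(password: str, policy: dict = DEFAULT_POLICY) -> List[str]:
    """Return the rules a candidate cloud password violates; an empty list means it is acceptable."""
    validate_policy(policy)
    problems: List[str] = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    for name, (pattern, message) in CLASS_RULES.items():
        if policy[name] and not pattern.search(password):
            problems.append(message)
    lowered = password.lower()
    for word in FORBIDDEN_WORDS:
        if word in lowered:  # matches any case variation, as in the page's examples
            problems.append(f"contains forbidden word '{word}'")
    # The page recommends against non-ASCII characters because they may
    # prevent authentication, so flag them rather than silently accept them.
    if any(ord(ch) > 127 for ch in password):
        problems.append("contains non-ASCII characters")
    return problems


def check_import(rows: List[Tuple[str, str]],
                 policy: dict = DEFAULT_POLICY) -> Dict[str, List[str]]:
    """Pre-check (address, password) pairs, e.g. rows of a spreadsheet import; return only the failures."""
    failures: Dict[str, List[str]] = {}
    for address, password in rows:
        problems = check_password(password, policy)
        if problems:
            failures[address] = problems
    return failures


if __name__ == "__main__":
    # The page's own rejected examples plus one acceptable constructed password.
    for candidate in ("01MimeCast!", "£MIMeCaST34", "55pAssWoRD", "PaSSwOrd$1", "Correct-Horse-7"):
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

Running the block over the page's four examples reports the forbidden word for each; "55pAssWoRD" additionally fails the non-alphanumeric rule, and "£MIMeCaST34" is also flagged for the non-ASCII pound sign. `check_import` is the function to wire in front of a bulk password import: it returns only the addresses whose passwords would be rejected, with the reasons.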


Individual Account Options


Password policy settings are configured globally for your Mimecast account. Password complexity and lockout options apply to all Mimecast cloud passwords; individual accounts cannot be excluded from them. Only password expiration can be switched off per account, as described below.

An administrator cannot manually lock a user's account, only unlock one.

Excluding Accounts from Password Expiration Settings


Administrators can exclude individual accounts from the password expiration setting. This is useful for administrator or system accounts whose cloud password must not expire. An excluded account still has to meet the complexity and lockout rules; since its password never rotates, choose a long one and keep the list of excluded accounts short.


To ensure the cloud password for an account never expires:

  1. Click on the Directories | Internal Directories menu item. A list of your internal domains is displayed.
  2. Click on your Domain. A list of your domain email addresses is displayed.
  3. Click on the required email address. 
  4. Click the Password Never Expires option in the Permissions section.
  5. Click the Save and Exit button.


Unlocking an Account


To unlock a locked user account:

  1. Click on the Directories | Internal Directories menu item. A list of your internal domains is displayed.
  2. Click on your Domain. A list of your domain email addresses is displayed.
  3. Click on the required email address. 
  4. Click the Unlock Account button next to the "Account Locked" option in the Permissions section.
  5. Click the Save and Exit button.