This article contains information on configuring password complexity and expiration settings in Mimecast to enhance security, including rules for password composition, expiration options, and account lockout settings.
Mimecast provides options for Administrators to enforce password complexity and expiration settings on user account cloud passwords. This reduces the risk of account compromise through weak end-user passwords and brute-force attacks. Mimecast also enforces strict password validation rules behind the scenes, so Administrators should ensure that any guidance they give to users reflects these stricter standards.
Considerations
- Using non-ASCII characters in passwords is not recommended, as they may prevent user authentication or cause decryption problems in some workflows.
- Password policy settings are configured globally for your Mimecast account and apply to all Mimecast cloud passwords.
- Settings applied to Mimecast local user accounts only affect cloud passwords, not directory account passwords, except for account lockouts.
Once password complexity and expiration settings have been configured, they apply to all scenarios when the Mimecast cloud password is set or changed.
For example:
- When an end-user sets or changes their cloud password in Mimecast Personal Portal.
- When an Administrator sets or changes a cloud password for a user account in the Mimecast Administration Console, including when resetting a password to unlock a locked account.
- When an Administrator sets or changes cloud passwords for several users via a spreadsheet import.
- When setting or updating passwords used by applications or services (such as SMTP relay accounts). These must also comply with the configured complexity rules, although individual accounts can be excluded from password expiration (described below).
Configuring Password Complexity and Expiration Settings
Changing your password complexity and expiration settings does not affect existing passwords until they are next changed, or until they reach their expiration date and must be reset. Any password set after the policy update must meet the current minimum length and complexity rules.
You can configure your password complexity and expiration settings by using the following steps:
- Access your Account Settings. See the Your Mimecast Account Settings page for full details.
- Expand the Password Complexity and Expiration section.
- Complete the Password Complexity section as required. Of the four character-class rules listed after Minimum Password Length, at least three must be enabled. By default, a new password must also be sufficiently different from the previous password to be accepted.
- Minimum Password Length: Set the minimum length for a password from 8 to 30 characters.
- Include at Least One Lowercase Alphabetical Character (a-z): Specifies that at least one lowercase alphabetical character must be included in the password.
- Include at Least One Uppercase Alphabetical Character (A-Z): Specifies that at least one uppercase alphabetical character must be included in the password.
- Include at Least One Numerical Character (0-9): Specifies that at least one numerical character must be included in the password.
- Include at Least One Non-Alphanumeric Character (!*&@): Specifies that at least one non-alphanumeric character must be included in the password.
- Complete the Password Expiration and Account Lockout fields as follows:
- Password Expiration: Specifies whether the cloud password expires. This can be set to Never, 5, 30, 45, 60, 75, or 90 days. When the password expires, the user cannot log on until their cloud password has been changed.
- Use System Default: Mimecast enforces a minimum system default that locks an account after five unsuccessful login attempts within 15 minutes. Account lockouts cannot be disabled; the only alternative to the system default is to specify your own values in the Account Lockout Threshold and Account Lockout Duration fields.
- Account Lockout Threshold: Specifies the number of consecutive unsuccessful login attempts before the account is locked out. The Administrator can choose between three and ten attempts.
- Account Lockout Duration: A locked account can be unlocked either manually by an Administrator or automatically after a given period of time.
- Manual Setup: The Administrator must unlock each account manually.
- Automatic: The options are 5, 10, 15, 20, 25, 30, and 35 minutes. A locked account automatically unlocks after this time.
- Selecting a short automatic unlock time could permit successful brute-force attacks on accounts with weak passwords, because the attacker regains the full number of attempts after every unlock.
- Click on Save.
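The lockout fields above are easier to reason about as a small state machine. The following is an added example, not Mimecast code: it models the Account Lockout Threshold (3 to 10 consecutive failures), the Automatic unlock durations (5 to 35 minutes) and Manual Setup (modelled as `duration_minutes=None`), and puts a number on the brute-force caveat by computing how many online guesses per hour each combination allows. The assumptions are mine: time is expressed in minutes, an attempt against a locked account is rejected without the password being evaluated, a successful login resets the consecutive-failure count, and the 15-minute window of the system default is not modelled. The login events and the `alice@example.com` / `bob@example.com` identities are constructed for the demonstration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    """Account Lockout Threshold and Duration as configured in Account Settings.

    threshold: consecutive failed logins before the account locks (console: 3..10;
    the system default is 5). duration_minutes: automatic unlock time (console:
    5, 10, ... 35); None models "Manual Setup", where only an Administrator unlocks.
    """
    threshold: int = 5
    duration_minutes: Optional[int] = 15

    def __post_init__(self) -> None:
        if not 3 <= self.threshold <= 10:
            raise ValueError("Account Lockout Threshold must be between 3 and 10 attempts")
        if self.duration_minutes is not None and self.duration_minutes not in range(5, 36, 5):
            raise ValueError("automatic unlock must be one of 5, 10, 15, 20, 25, 30 or 35 minutes")

    def max_guesses_per_hour(self) -> Optional[float]:
        """Upper bound on online guesses against one account per hour.

        Each lockout cycle allows `threshold` guesses and lasts `duration_minutes`,
        so a short duration hands the attacker more cycles. Manual unlock has no
        cycle: the attacker gets one batch and then waits for an Administrator.
        """
        if self.duration_minutes is None:
            return None
        return self.threshold * 60 / self.duration_minutes


@dataclass
class _AccountState:
    consecutive_failures: int = 0
    locked_at: Optional[float] = None  # simulation time in minutes, None if not locked


class LockoutTracker:
    """Applies a LockoutPolicy to a stream of login attempts (time in minutes)."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._accounts: dict[str, _AccountState] = {}

    def _state(self, user: str, now: float) -> _AccountState:
        acct = self._accounts.setdefault(user, _AccountState())
        # Automatic unlock once the configured duration has elapsed (assumption:
        # the unlock also clears the failure counter).
        if (acct.locked_at is not None and self.policy.duration_minutes is not None
                and now - acct.locked_at >= self.policy.duration_minutes):
            acct.locked_at = None
            acct.consecutive_failures = 0
        return acct

    def is_locked(self, user: str, now: float) -> bool:
        return self._state(user, now).locked_at is not None

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Returns "ok", "failed" or "locked" for one login attempt."""
        acct = self._state(user, now)
        if acct.locked_at is not None:
            return "locked"  # rejected even if the password is right
        if password_ok:
            acct.consecutive_failures = 0  # a success resets the consecutive count
            return "ok"
        acct.consecutive_failures += 1
        if acct.consecutive_failures >= self.policy.threshold:
            acct.locked_at = now
            return "locked"
        return "failed"

    def admin_unlock(self, user: str) -> None:
        """Models the Unlock Account button / password reset in the Administration Console."""
        acct = self._accounts.setdefault(user, _AccountState())
        acct.locked_at = None
        acct.consecutive_failures = 0


def simulate(policy: LockoutPolicy, events: list[tuple[float, str, bool]]) -> list[str]:
    """Run constructed (minute, user, password_ok) events through a fresh tracker."""
    tracker = LockoutTracker(policy)
    return [tracker.attempt(user, ok, minute) for minute, user, ok in events]


# Constructed sample: five guesses a minute apart, then the real password at
# minute 6 (still locked) and again at minute 20 (auto-unlocked under the
# default 15-minute duration).
DEMO_EVENTS = [(0, "alice@example.com", False), (1, "alice@example.com", False),
               (2, "alice@example.com", False), (3, "alice@example.com", False),
               (4, "alice@example.com", False), (6, "alice@example.com", True),
               (20, "alice@example.com", True)]

if __name__ == "__main__":
    print(simulate(LockoutPolicy(), DEMO_EVENTS))
    for p in (LockoutPolicy(threshold=3, duration_minutes=5),
              LockoutPolicy(), LockoutPolicy(threshold=10, duration_minutes=35)):
        print(p, "->", p.max_guesses_per_hour(), "guesses/hour")
```

Note what `max_guesses_per_hour` shows: a threshold of 3 with a 5-minute unlock gives an attacker 36 guesses per hour, while a threshold of 10 with a 35-minute unlock gives roughly 17. The duration, not the threshold, dominates how fast a weak password can be guessed online.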
Forbidden Words / Password Validation
In addition to the complexity settings, cloud passwords are validated to ensure that they don't contain the forbidden words "mimecast" or "password". Using either of these words generates an error. Below are some example variations of passwords that cannot be used:
- 01MimeCast!
- £MIMeCaST34
- 55pAssWoRD
- PaSSwOrd$1
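To check candidate passwords against these rules before a spreadsheet import or a helpdesk reset, the following validator is an added example rather than Mimecast's own validation code. It implements the Password Complexity options as described above (minimum length 8 to 30, at least three of the four character-class rules enabled, case-insensitive rejection of "mimecast" and "password") and flags non-ASCII characters as a warning in line with the Considerations section. The "sufficiently different from the previous password" rule is not modelled because the page does not define it; the `PasswordPolicy` and `check_password` names and the default minimum length of 12 are my own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Words Mimecast rejects anywhere in a cloud password. The article's examples
# (01MimeCast!, 55pAssWoRD, ...) show that the match ignores case.
FORBIDDEN_WORDS = ("mimecast", "password")


@dataclass
class PasswordPolicy:
    """Mirror of the Password Complexity options in Account Settings.

    Minimum Password Length accepts 8..30, and at least three of the four
    character-class rules must be enabled; the constructor enforces both
    constraints just as the console does.
    """
    min_length: int = 12         # assumed default for this example
    require_lower: bool = True   # at least one a-z
    require_upper: bool = True   # at least one A-Z
    require_digit: bool = True   # at least one 0-9
    require_symbol: bool = True  # at least one non-alphanumeric character

    def __post_init__(self) -> None:
        if not 8 <= self.min_length <= 30:
            raise ValueError("Minimum Password Length must be between 8 and 30")
        enabled = sum((self.require_lower, self.require_upper,
                       self.require_digit, self.require_symbol))
        if enabled < 3:
            raise ValueError("at least three of the four character-class rules must be enabled")

    def violations(self, password: str) -> list[str]:
        """Rules the candidate breaks; an empty list means the password is acceptable."""
        problems: list[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_lower and not re.search(r"[a-z]", password):
            problems.append("no lowercase letter (a-z)")
        if self.require_upper and not re.search(r"[A-Z]", password):
            problems.append("no uppercase letter (A-Z)")
        if self.require_digit and not re.search(r"[0-9]", password):
            problems.append("no digit (0-9)")
        if self.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
            problems.append("no non-alphanumeric character")
        lowered = password.lower()  # forbidden words are matched case-insensitively
        for word in FORBIDDEN_WORDS:
            if word in lowered:
                problems.append(f'contains forbidden word "{word}"')
        return problems

    def warnings(self, password: str) -> list[str]:
        """Advisory only: the Considerations section warns that non-ASCII
        characters may break authentication or decryption workflows."""
        non_ascii = sorted({ch for ch in password if ord(ch) > 127})
        if non_ascii:
            return [f"contains non-ASCII characters {non_ascii}; not recommended"]
        return []


def check_password(policy: PasswordPolicy, password: str) -> dict:
    """Combine both checks into the per-user result an import pre-flight would report."""
    errors = policy.violations(password)
    return {"ok": not errors, "errors": errors, "warnings": policy.warnings(password)}


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8)  # short enough to exercise the article's examples
    for candidate in ("01MimeCast!", "£MIMeCaST34", "55pAssWoRD", "PaSSwOrd$1",
                      "Correct-Horse-7", "alllowercase9!"):
        print(candidate, check_password(policy, candidate))
```

Run it as-is and each of the four examples from the list above is rejected for the forbidden word alone (55pAssWoRD additionally fails the non-alphanumeric rule), while £MIMeCaST34 also draws the non-ASCII warning; a password that passes every rule returns an empty error list.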
Individual Account Options
Password policy settings are configured globally for your Mimecast account. Password complexity and lockout options apply to all Mimecast cloud passwords, and individual accounts cannot be excluded from them; only password expiration can be disabled per account (see below).
An Administrator cannot manually lock a user's account.
Excluding Accounts from Password Expiration Settings
Administrators can exclude individual accounts from password expiration settings. This can be useful to prevent the expiration of cloud passwords for Administrator, system, or SMTP relay accounts that are used by applications and services. When using non-expiring passwords, always ensure that you use long, strong, unique passwords and review access regularly.
To ensure the cloud password for an account never expires:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Internal Directories menu item.
- Click on your Domain.
- Click on the required Email Address.
- Select the Password Never Expires option in the Permissions section.
- Click on Save and Exit.
Unlocking an Account
You can unlock a locked user account by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Internal Directories menu item.
- Click on your Domain.
- Search for and click on the required Email Address.
- In the Permissions section, either:
- Click on the Unlock Account button next to the "Account Locked" option (if available), or
- Set a new cloud password for the user, which both unlocks the account and resets the password. The new password must meet the configured complexity rules.
- Click on Save and Exit.