Authentication - Password Complexity and Expiration

This article contains information on configuring password complexity and expiration settings in Mimecast to enhance security, including rules for password composition, expiration options, and account lockout settings.

Mimecast provides options for administrators to enforce password complexity and expiration settings on user accounts. This reduces the risk of a Mimecast cloud account being breached through a weak end-user password or a brute-force attack.

Considerations

  • Using non-ASCII characters in passwords is not recommended; they may prevent user authentication.
  • Password policy settings are configured globally for your Mimecast account.
  • Settings applied to Mimecast local user accounts only affect cloud passwords, not directory account passwords, except for account lockouts.

Once password complexity and expiration settings have been configured, they apply to all scenarios when the Mimecast cloud password is set or changed.

For example:

  • When an end-user sets or changes their cloud password in Mimecast Personal Portal.
  • When an administrator sets or changes a cloud password for a user account in the Mimecast Administration Console.
  • When an administrator sets or changes cloud passwords for several users via a spreadsheet import.

It is possible to exclude individual user accounts from password expiration (described below).

Configuring Password Complexity and Expiration Settings

Changing the password complexity and expiration settings does not affect existing passwords. The minimum length and the enabled rules are applied the next time a cloud password is set or changed, for example when it expires.

To configure your password complexity and expiration settings:

  1. Access your Account Settings. See the Your Mimecast Account Settings page for full details.
  2. Expand the Password Complexity and Expiration section.
  3. Complete the Password Complexity section as required. Set the minimum length and enable at least three of the four character-class rules below. By default, a new password must also be sufficiently different from the previous password to be accepted.
  • Minimum Password Length: Set the minimum length for a password from 8 to 30 characters.
  • Include at Least One Lowercase Alphabetical Character (a-z): Specifies that at least one lowercase alphabetical character must be included in the password.
  • Include at Least One Uppercase Alphabetical Character (A-Z): Specifies that at least one uppercase alphabetical character must be included in the password.
  • Include at Least One Numerical Character (0-9): Specifies that at least one numerical character must be included in the password.
  • Include at Least One Non-Alphanumeric (!*&@): Specifies that at least one non-alphanumeric character must be included in the password.
  Then complete the password expiration and account lockout settings:
  • Password Expiration: Specifies whether the cloud password expires. This can be set to Never, or to 5, 30, 45, 60, 75, or 90 days. When the password expires, the user cannot log on until their cloud password has been changed.
  • Use System Default: Mimecast always enforces a minimum system default that locks an account after five unsuccessful login attempts within 15 minutes. Account lockout cannot be disabled; clearing this option only lets you specify your own values in the Account Lockout Threshold and Account Lockout Duration fields.
  • Account Lockout Threshold: The number of consecutive unsuccessful login attempts before the account is locked out. The administrator can choose between three and ten attempts.
  • Account Lockout Duration: A locked account can be unlocked either manually by an administrator or automatically after a given period of time.
    • Manual Setup: The administrator must unlock each account manually.
    • Automatic: The options are 5, 10, 15, 20, 25, 30, and 35 minutes. A locked account automatically unlocks after this time. Selecting a low value could permit successful brute-force attacks on accounts with weak passwords, because an attacker regains a full set of attempts each time the account unlocks.
  4. Click the Save button.
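The following model, added here as an illustration and not part of Mimecast's own code or documentation, shows how the threshold, window and duration settings interact and puts a number on the brute-force caveat above. It assumes, because the article does not say, that an attempt made while the account is locked is rejected without being counted, that a successful login clears the failure counter, and that the 15-minute window of the system default also applies to custom thresholds. The start time and the account address are constructed sample values.

```python
"""Lockout model for the Account Lockout settings above (added example, not Mimecast code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MINUTES_PER_DAY = 24 * 60


@dataclass
class LockoutPolicy:
    threshold: int = 5                    # consecutive failures before lockout (system default: 5)
    window_minutes: int = 15              # failures must fall within this window (system default: 15; assumed for custom thresholds)
    duration_minutes: Optional[int] = 15  # automatic unlock after this many minutes; None = manual unlock only

    def __post_init__(self):
        # Ranges offered by the Administration Console: 3-10 attempts, 5-35 minutes in steps of 5, or manual.
        if not 3 <= self.threshold <= 10:
            raise ValueError("threshold must be between 3 and 10")
        if self.duration_minutes is not None and self.duration_minutes not in range(5, 36, 5):
            raise ValueError("duration must be 5, 10, 15, 20, 25, 30 or 35 minutes, or None for manual unlock")


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # timestamps of recent consecutive failures
    locked_at: Optional[datetime] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, email: str) -> AccountState:
        return self.accounts.setdefault(email.lower(), AccountState())

    def is_locked(self, email: str, now: datetime) -> bool:
        st = self._state(email)
        if st.locked_at is None:
            return False
        if self.policy.duration_minutes is None:
            return True  # stays locked until an administrator unlocks it
        if now - st.locked_at >= timedelta(minutes=self.policy.duration_minutes):
            st.locked_at = None  # automatic unlock
            st.failures.clear()
            return False
        return True

    def attempt(self, email: str, password_ok: bool, now: datetime) -> str:
        """Record one login attempt; returns "ok", "failed" or "locked"."""
        st = self._state(email)
        if self.is_locked(email, now):
            return "locked"  # assumed: attempts during lockout are rejected and not counted
        if password_ok:
            st.failures.clear()  # assumed: success resets the consecutive-failure counter
            return "ok"
        cutoff = now - timedelta(minutes=self.policy.window_minutes)
        st.failures = [t for t in st.failures if t > cutoff] + [now]
        if len(st.failures) >= self.policy.threshold:
            st.locked_at = now
            return "locked"
        return "failed"

    def unlock(self, email: str) -> None:
        """Manual unlock, as done under Users & Groups | Internal Directories in the Administration Console."""
        st = self._state(email)
        st.locked_at = None
        st.failures.clear()


def simulate(policy: LockoutPolicy, events, email: str = "user@example.com") -> List[str]:
    """Replay (minute_offset, event) pairs against one account; event is True/False for a
    password attempt or the string "unlock" for an administrator unlock."""
    tracker = LockoutTracker(policy)
    start = datetime(2024, 1, 1, 9, 0)  # constructed sample start time
    results = []
    for offset, event in events:
        now = start + timedelta(minutes=offset)
        if event == "unlock":
            tracker.unlock(email)
            results.append("unlocked")
        else:
            results.append(tracker.attempt(email, bool(event), now))
    return results


def guesses_per_day(policy: LockoutPolicy) -> Dict[str, int]:
    """Upper bounds on online guesses per account per day that the policy leaves to an attacker."""
    if policy.duration_minutes is None:
        lock_and_wait = policy.threshold  # one burst, then the account stays locked until an admin acts
    else:
        lock_and_wait = policy.threshold * (MINUTES_PER_DAY // policy.duration_minutes)
    # Pacing attempts so the counter never reaches the threshold inside the window avoids lockout entirely.
    stay_under = (policy.threshold - 1) * (MINUTES_PER_DAY // policy.window_minutes)
    return {"lock_and_wait": lock_and_wait, "stay_under_threshold": stay_under}


if __name__ == "__main__":
    for pol in (LockoutPolicy(), LockoutPolicy(threshold=3, duration_minutes=5),
                LockoutPolicy(threshold=10, duration_minutes=35)):
        print(pol, guesses_per_day(pol))
```

With the system default (5 attempts, 15-minute unlock) an attacker who simply locks the account and waits gets at most 480 guesses per account per day; with a 3-attempt threshold and a 5-minute unlock the figure rises to 864. The model also shows why the "stay under threshold" bound matters: with a 10-attempt threshold an attacker who paces 9 attempts per 15-minute window never triggers lockout at all. Lockout therefore limits online guessing but does not replace the complexity rules.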

Forbidden Words / Password Validation

In addition to the complexity settings, cloud passwords are validated to ensure that they don't contain the forbidden words "mimecast" or "password". Using either of these words generates an error. Below are some example variations of passwords that cannot be used:

    • 01MimeCast!
    • £MIMeCaST34
    • 55pAssWoRD
    • PaSSwOrd$1
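The validator below is an added example that implements the complexity rules and the forbidden-word check exactly as the article states them; it is not Mimecast's own validation code. Because the article does not define "sufficiently different from the previous password", the example assumes an edit distance of at least four characters (MIN_DIFFERENCE), which is an assumption and not a documented Mimecast value. The error names and the sample passwords other than the four listed above are constructed for the example.

```python
"""Validator for the cloud-password rules above (added example, not Mimecast code)."""
import re
from typing import List, Optional

FORBIDDEN_WORDS = ("mimecast", "password")  # rejected case-insensitively anywhere in the password
MIN_DIFFERENCE = 4  # assumed edit distance from the previous password; not a documented Mimecast value

# The four character-class rules, in the order the settings page lists them.
CLASS_RULES = (
    ("no_lower", re.compile(r"[a-z]")),
    ("no_upper", re.compile(r"[A-Z]")),
    ("no_digit", re.compile(r"[0-9]")),
    ("no_symbol", re.compile(r"[^A-Za-z0-9]")),
)


class PasswordPolicy:
    def __init__(self, min_length: int = 8, require_lower: bool = True, require_upper: bool = True,
                 require_digit: bool = True, require_symbol: bool = True):
        if not 8 <= min_length <= 30:
            raise ValueError("minimum length must be between 8 and 30")
        self.min_length = min_length
        self.enabled = {
            "no_lower": require_lower, "no_upper": require_upper,
            "no_digit": require_digit, "no_symbol": require_symbol,
        }
        if sum(self.enabled.values()) < 3:
            raise ValueError("at least three of the four character-class rules must be enabled")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def validate(password: str, policy: PasswordPolicy, previous: Optional[str] = None) -> List[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    errors = []
    if not password.isascii():
        errors.append("non_ascii")  # not recommended: may prevent authentication
    if len(password) < policy.min_length:
        errors.append("too_short")
    for name, pattern in CLASS_RULES:
        if policy.enabled[name] and not pattern.search(password):
            errors.append(name)
    lowered = password.lower()
    if any(word in lowered for word in FORBIDDEN_WORDS):
        errors.append("forbidden_word")
    if previous is not None and levenshtein(password, previous) < MIN_DIFFERENCE:
        errors.append("too_similar")
    return errors


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("01MimeCast!", "£MIMeCaST34", "55pAssWoRD", "PaSSwOrd$1",
                      "correcthorsebatterystaple", "Tr0ub4dor&3"):
        print(f"{candidate!r:30} {validate(candidate, policy) or 'ok'}")
```

Running the block shows that all four forbidden-word examples above fail regardless of their case mix, and that a long all-lowercase passphrase fails three of the four class rules under the default policy.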

Individual Account Options

Password policy settings are configured globally for your Mimecast account. Password complexity and lockout options apply to all Mimecast cloud passwords, and individual accounts cannot be excluded from them. Only password expiration can be switched off per account, as described under Excluding Accounts from Password Expiration Settings below.

An administrator cannot manually lock a user's account.

Excluding Accounts from Password Expiration Settings

Administrators can exclude individual accounts from password expiration settings. This can be useful to prevent the expiration of cloud passwords for administrator or system accounts.

To ensure the cloud password for an account never expires:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Internal Directories menu item.
  3. Click on your Domain.
  4. Click on the required Email Address.
  5. Select the Password Never Expires option in the Permissions section.
  6. Click on the Save and Exit button.

Unlocking an Account

To unlock a locked user account:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Internal Directories menu item.
  3. Click on your Domain.
  4. Click on the required Email Address.
  5. Click on the Unlock Account button next to the "Account Locked" option in the Permissions section.
  6. Click on the Save and Exit button.
