Password Settings That Can Be Modified

For password settings that administrators can modify, go to: Setup > Company > General Preferences. See the following topics for more information:

• Password Policy

• Minimum Password Length Field

• Password Expiration in Days Field

Password Policy

Built-in password policies support three levels of password validation for NetSuite users. These policies enforce the following requirements for password length and content:

• Strong – minimum length of 10 characters, at least three of these four character types —uppercase letters, lowercase letters, numbers, non-alphanumeric ASCII characters

• Medium – minimum length of eight characters, at least two of these four character types —uppercase letters, lowercase letters, numbers, non-alphanumeric ASCII characters

• Weak (Not Recommended) – minimum length of six characters

Note the following details about password policies:

• The selected password policy determines the minimum acceptable value for the Minimum Password Length field. The policy doesn't affect the Password Expiration in Days field value.

• All NetSuite accounts are set to the Strong policy by default.

  For information about password expiration, see Password Expiration in Days Field.

• It's possible to reset the password policy to Medium or Weak, but changing password policy to less strict weakens the security of the account.

  Warning:

  If any users in your account have the View Unencrypted Credit Cards permission or the View Unencrypted ACH Account Numbers permission, PCI password requirements take precedence. See PCI Compliance Password Requirements for more information.

• If a user has access to multiple NetSuite accounts that have different password policies, the strongest policy is enforced for that user. A user is defined as an email and password pairing.

• The password policy isn't applied to users logging in to NetSuite with a customer center role and to customers who register on your website. See Customer Roles and Passwords for more information.

Minimum Password Length Field

The Minimum Password Length is the minimum number of characters required for user passwords. Be aware of the following details:

• The default value for this field is determined by the selected password policy. Because the default password policy is Strong, the default Minimum Password Length is 10 characters.

• You can make the minimum password length value longer than the minimum required by the policy. You can't make this value shorter.

• Minimum password length for customer center roles is eight characters. See Customer Roles and Passwords for more information.

Password Expiration in Days Field

The Password Expiration in Days is the number of days a password is valid before a user is prompted to change it. If you change this value, you can prompt your employees to change their passwords on the next login. You can check the Require Password Change on Next Login box on employee records. You can also use CSV import to update this option on more employee records at the same time.

• Days are calculated from the date that each user last changed their password, not from the date that the company preference is changed.

  Note:

  Valid values for the Password Expiration in Days field are 1-365. The default value for the field is 180 days.

• To comply with Payment Card Industry (PCI) standards, employees with access to view unencrypted credit card numbers or unencrypted ACH account numbers are automatically required to change their passwords every 90 days, unless the limit set here is shorter. See PCI Compliance Password Requirements for more information.

• Dates of the previous password change and current password expiration are displayed in the user’s My login audit portlet.

For information about Customer Center roles, see Customer Roles and Passwords.

General Notices