Password Settings That Can Be Modified
Password settings can be modified by an administrator at Setup > Company > General Preferences. See the following topics for more information:
Password Policy
Built-in password policies support three levels of password validation for NetSuite users. These policies enforce the following requirements for password length and content:
- Strong – minimum length of 10 characters, at least three of these four character types: uppercase letters, lowercase letters, numbers, non-alphanumeric ASCII characters
- Medium – minimum length of eight characters, at least two of these four character types: uppercase letters, lowercase letters, numbers, non-alphanumeric ASCII characters
- Weak (Not Recommended) – minimum length of six characters
Note the following details about password policies:
- The selected password policy determines the minimum acceptable value for the Minimum Password Length field. The policy does not affect the Password Expiration in Days field value.
- All NetSuite accounts are set to a Strong policy by default.
  For information about password expiration, see Password Expiration in Days Field.
- It is possible to reset the password policy to Medium or Weak, but changing to a less strict password policy weakens the security of the account.
  Warning: If any users in your account have the View Unencrypted Credit Cards permission or the View Unencrypted ACH Account Numbers permission, PCI password requirements take precedence. See PCI Compliance Password Requirements for more information.
- If a user has access to multiple NetSuite accounts that have different password policies, the strongest policy is enforced for that user. A user is defined as an email and password pairing.
- The password policy is not applied to users logging in to NetSuite with a customer center role and to customers who register on your website. See Customer Roles and Passwords for more information.
Minimum Password Length Field
The Minimum Password Length is the minimum number of characters required for user passwords. Be aware of the following details:
- The default value for this field is determined by the selected password policy. Because the default password policy is Strong, the default Minimum Password Length is 10 characters.
- You can make the minimum password length value longer than the minimum required by the policy. You cannot make this value shorter.
- Minimum password length for customer center roles is eight characters. See Customer Roles and Passwords for more information.
Password Expiration in Days Field
The Password Expiration in Days is the number of days a password is valid before a user is prompted to change it. If you change this value, you can prompt your employees to change their passwords on the next login by checking the Require Password Change on Next Login box on employee records. You can also use CSV import to update this option on multiple employee records at the same time.
- Days are calculated from the date that each user last changed their password, not from the date that the company preference is changed.
  Note: As of December 2015, valid values are 1-365. Values entered before that date are not affected by this limit. However, if any data on the General Preferences page is changed, only valid values within this range will be accepted for the Password Expiration in Days field. For accounts provisioned after this date, the value for the field is set to 180 days by default.
- To comply with Payment Card Industry (PCI) standards, employees with access to view unencrypted credit card numbers or unencrypted ACH account numbers are automatically required to change their passwords every 90 days, unless the limit set here is shorter. See PCI Compliance Password Requirements for more information.
- Dates of the previous password change and current password expiration are displayed in the user’s My login audit portlet.
For information about Customer Center roles, see Customer Roles and Passwords.
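The policy and expiration rules described on this page can be modeled for audit or pre-check purposes as follows. This is an added example, not NetSuite code: all function and constant names are hypothetical, and treating the four character types as ASCII letters, digits and `string.punctuation` is an assumption, since the page does not define them further.

```python
import string
from datetime import timedelta

# (minimum length, minimum character types) per built-in policy, as listed above
POLICIES = {"Weak": (6, 0), "Medium": (8, 2), "Strong": (10, 3)}
RANK = ["Weak", "Medium", "Strong"]
PCI_MAX_DAYS = 90  # cap for users who can view unencrypted card/ACH numbers


def char_types(password):
    """Count how many of the four character types appear in the password."""
    # Assumption: "non-alphanumeric ASCII" is modeled as string.punctuation.
    return sum([
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    ])


def strongest(policies):
    """A user with access to several accounts gets the strictest policy."""
    return max(policies, key=RANK.index)


def check_password(password, policy, min_length=None):
    """Return a list of violations; an empty list means acceptable."""
    base_len, need_types = POLICIES[policy]
    # The configured minimum may exceed the policy floor but never undercut it.
    required = max(base_len, min_length or base_len)
    problems = []
    if len(password) < required:
        problems.append(f"shorter than {required} characters")
    if char_types(password) < need_types:
        problems.append(f"fewer than {need_types} character types")
    return problems


def expiry_date(last_changed, expiration_days, pci_user=False):
    """Expiry counts from the user's last password change, not the setting change."""
    # Range accepted since December 2015; legacy out-of-range values are not modeled.
    if not 1 <= expiration_days <= 365:
        raise ValueError("Password Expiration in Days must be 1-365")
    days = min(expiration_days, PCI_MAX_DAYS) if pci_user else expiration_days
    return last_changed + timedelta(days=days)
```
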