Along with encrypting emails and using digital signatures, one of the most effective and low-cost ways to protect email from hacking is a competent password security policy. Passwords written on pieces of paper, stored in public files, or simply insufficiently complex, are always a big breach in the information security of an enterprise and can lead to serious incidents with tangible consequences for the business. This is why any enterprise must have a strong password security policy.

Policy

It is clear, on the other hand, that a password policy will be effective not only when it is written, but from the moment it is strictly adhered to by all, or at least key employees of the organization. This step, however, is more difficult to achieve than it sounds. Employees who are already overworked, constantly forget about the need to change the password, or follow the path of least resistance, each time making the password easier and easier, thus negating the entire effect. That’s why various technical methods are increasingly being used to overcome this problem.

How it works in Zimbra?

In order to enforce the password policy in Zimbra, no third-party applications are required. This can be achieved using built-in tools, but first you need to understand how password management works in Zimbra. 

 Setting up your password

 At the time of creating a new account, the administrator assigns it a temporary password. After that, the user will be able to independently log into the account and change the password. All passwords are stored encrypted on the server with Zimbra and are therefore not available even to the server administrator. That is why, if the user forgets the password, he will have to create a new one. 

Password Policy Settings

The password policy settings can be found in the settings for COS (letting you configure a specific policy at COS level) or individual users. 

To edit Password Policy settings for COS, you need to go to configure → Class of Service. Select the desired one and right click on it, then on “edit”

Then you have to select “advanced” and scroll down to Password tab.

To edit Password Policy settings for individual user, you need to go to manage → Accounts. Select the desired one and right click on it, then on “edit”

After doing that, select “advanced” and scroll down to Password tab

From this panel, for both COS and single user, you can customize:

• Password length – allows you to set the minimum and maximum password length. By default, the minimum password length is 6 characters and the maximum is 64.
• Password aging – allows you to set the time after which the password becomes invalid. Users do not have to wait for the password to expire, they can replace it before it expires.
• Minimum upper case characters – allows you to set the minimum number of uppercase letters used in the password
• Minimum lower case characters – allows you to set the minimum number of lowercase letters used in the password
• Minimum numeric characters – allows you to set the minimum number of digits from 0 to 9 used in the password
• Minimum punctuation symbols – allows you to set the minimum number of punctuation marks and special characters used in the password
• Enforce password history – allows you to set the number of passwords to remember so that the user does not periodically use duplicate passwords
• Password locked – this option allows you to prevent the user from changing the password
• Enable failed log in lockout – this option allows you to configure the system’s reaction to entering an incorrect password