Configure Password Policies in Google Workspace

Configure password policies in Google Workspace. Step-by-step guide for IT admins covering minimum length, strength enforcement, expiry, and OU-level settings.

Stolen credentials are the leading cause of breaches in cloud environments. Not phishing infrastructure. Not nation-state exploits. Weak or reused passwords that an attacker guesses, purchases on a dark web marketplace, or simply brute-forces against a login page. According to the Australian Signals Directorate's Annual Cyber Threat Report, compromised credentials remain the most common initial access vector across business email compromise and ransomware incidents affecting Australian SMBs.

Google Workspace gives administrators meaningful control over password quality before it becomes a problem. Most organisations never configure these settings beyond the defaults — which means they are accepting more risk than necessary without realising it. A 30-minute session in the Admin Console can close the gaps that generic defaults leave open.

This guide walks through every password policy control available in Google Workspace, with exact navigation paths, practical recommendations calibrated to Australian business requirements, and guidance on applying different policies to different groups without creating an operational nightmare.

What this guide covers:
- Why password policies matter and what Google Workspace controls out of the box
- Minimum length and complexity settings, and what the research actually says
- Password expiration policies: when to use them and when not to
- Applying different policies to organisational units
- Best practices for rolling out policy changes without disrupting your team
- How these settings align with the Essential Eight and the Privacy Act 1988


Why Password Policies Matter in Google Workspace

A Google Workspace account is not just an email address. It is the keys to your organisation's email, documents, calendar, video calls, shared drives, and potentially your accounting software, CRM, and every other tool connected via OAuth. A single compromised account gives an attacker the ability to read sensitive communications, exfiltrate files, impersonate your staff to clients, and move laterally to connected services.

The default Google Workspace configuration does not enforce a minimum password length beyond the eight-character baseline baked into the Google Account system. It does not require any particular character complexity. It does not expire passwords. These defaults are permissive by design — Google prioritises user experience over security for consumer accounts — and they carry over into business Workspace environments unless an administrator explicitly changes them.

For Australian SMBs, the stakes are concrete. Under the Privacy Act 1988 and the Notifiable Data Breaches scheme, your organisation may be legally required to report data breaches that are likely to cause serious harm to individuals whose personal information was involved. If that breach traces back to a weak password on a Workspace account, "we had the admin controls available but did not configure them" is not a defensible position.

Password policy configuration is not a substitute for 2-Step Verification (2SV), and it should not be treated as one. The most effective security posture combines strong password requirements with enforced MFA. But password policies address the baseline that every account in your domain should meet, regardless of their MFA status.


Accessing Password Management Settings in the Admin Console

All password policy controls in Google Workspace live in a single location:

  1. Sign in to the Google Admin console at admin.google.com with a Super Admin account, or with a custom admin role that has been granted the security settings privilege.
  2. Navigate to Security > Authentication > Password management.

This page controls the password requirements for all user accounts across your organisation, with options to customise at the organisational unit level. The settings you configure here apply to users signing in with their Google Workspace credentials, and by default they are checked only when a password is created or changed, not against passwords that already exist.

That default needs one qualification. When you raise the minimum length from 8 to 12 characters, existing shorter passwords stay valid until the user next changes their password, unless you also enable the Enforce password policy at next sign-in option on the same page, which prompts any user whose current password fails the policy to set a new one the next time they sign in. Without that option, compliance arrives only through natural rotation or an admin-initiated reset, and the Security report under Reports > User reports will show you which users still fall short.


Minimum Password Length

The single most impactful password policy setting is minimum length. For a password whose characters are chosen unpredictably, length is the primary driver of entropy: every added character multiplies the search space an attacker must cover, so length does more for resistance to brute-force and dictionary attacks than which character classes appear.

Navigate to Security > Authentication > Password management. Under the Strength section, you will see the Minimum length field.

  • Google's default: 8 characters
  • Recommended minimum for standard users: 12 characters
  • Recommended minimum for admin accounts: 16 characters or a passphrase of at least 4 words

The Essential Eight's primary lever for account security is multi-factor authentication rather than password length. The ASD's Information Security Manual, which sits behind it, recommends long random-word passphrases for any account that still authenticates with a password alone, an expectation well above Google's 8-character default. Where MFA is enforced for every user, 12 characters remains a practical baseline that protects against most offline cracking attacks.

How to Configure It

  1. Navigate to Security > Authentication > Password management.
  2. Under Strength, find the Minimum length setting.
  3. Use the input field to set your desired minimum. You can enter values between 8 and 100.
  4. Set the value to 12 for your top-level organisational unit.
  5. Click Save.

Google also lets you set a maximum length, up to 100 characters. Leave it at 100. Long passphrases are among the most secure options available to users, and capping length below that provides no security benefit while discouraging good user behaviour.


Password Complexity and Strength Enforcement

Beyond length, Google Workspace provides two complexity-related controls: strength enforcement and a reuse policy.

Enable Password Strength Enforcement

The Enforce strong password toggle activates Google's built-in password strength checker. When enabled, Google will reject passwords that are considered weak even if they technically meet the minimum length requirement. This blocks common patterns like "Password12!" or "Summer2024" that are long enough to pass a length check but are trivially predictable.

To enable it:

  1. Navigate to Security > Authentication > Password management.
  2. Under Strength, enable the Enforce strong password toggle.
  3. Click Save.

This is a low-friction setting that provides genuine value. Enable it at the top-level OU for all users.

The Complexity Debate

Google Workspace does not provide the granular "must contain uppercase, lowercase, number, and symbol" controls that many legacy systems offer. This is intentional and, from a security research standpoint, well-reasoned.

The National Institute of Standards and Technology (NIST) has recommended against mandatory composition rules and periodic rotation in SP 800-63B since its 2017 revision, and the 2024 draft of the fourth revision hardens that advice from SHOULD NOT to SHALL NOT. The evidence it cites is that these requirements push users toward predictable patterns: "Password1!", "Summer2024", "CompanyName1!", passwords that technically satisfy complexity requirements while being highly guessable.

What NIST, the ASD, and the UK NCSC now recommend instead:

  • Focus on length over complexity
  • Check passwords against lists of known compromised passwords
  • Avoid periodic rotation unless there is evidence of compromise
  • Prioritise MFA over password complexity

Google does not publish the exact checks behind the Enforce strong password setting, but its behaviour is consistent with this thinking: it rejects passwords that are common or predictable rather than demanding particular character classes.
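To make the difference between a length check and a strength check concrete, here is an added illustration of the kind of rules a strength enforcer applies. It is not Google's algorithm (which is not published) and not code from this page's author; the breached-password set and the list of common base words are constructed stand-ins, and the 12-character minimum is the value recommended above.

```python
import re

MIN_LENGTH = 12

# Constructed stand-in for a compromised-password list. A real deployment
# would check against a full breach corpus (for example a Have I Been Pwned
# export), not a handful of entries.
BREACHED = {"password1234", "qwertyuiop12", "iloveyou2024", "welcome12345"}

# Base words that anchor predictable passwords. Add your organisation's name
# and product names; attackers' wordlists already contain them.
COMMON_BASES = {"password", "passwort", "welcome", "letmein", "admin",
                "summer", "winter", "spring", "autumn", "monday", "google"}

# Common substitutions undone before the base-word check, so that
# "P@ssw0rd" is judged as "password".
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                       "3": "e", "4": "a", "!": "i"})


def _base_word(pw: str) -> str:
    """Lowercase, strip leading/trailing digits and symbols, undo leet."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())
    return core.translate(_LEET)


def _has_run(pw: str, length: int = 4) -> bool:
    """True if `length` adjacent characters are identical or step by exactly
    one code point in one direction (aaaa, 1234, dcba)."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if len(steps) == 1 and steps <= {-1, 0, 1}:
            return True
    return False


def check_password(pw: str, breached=BREACHED) -> list[str]:
    """Return the rules a candidate password violates; an empty list means
    it would be accepted. Length is checked first, but passing it is not
    enough: a predictable 14-character password is still rejected."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("length")
    if pw.lower() in breached:
        reasons.append("breached")
    if _base_word(pw) in COMMON_BASES:
        reasons.append("common_base")
    if re.search(r"(?:19|20)\d{2}[\W_]*$", pw):   # ends in a year (plus symbols)
        reasons.append("year_suffix")
    if _has_run(pw):
        reasons.append("sequence")
    return reasons


if __name__ == "__main__":
    for candidate in ("Password12!", "Summer2024!!", "P@ssw0rd2024!!",
                      "abcdefghijkl", "Correct-Battery-Staple-Blue"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate:30} {', '.join(verdict)}")
```

The point to take from the output is that "P@ssw0rd2024!!" passes a 12-character length check and a naive complexity check (upper, lower, digit, symbol) yet is rejected once substitutions are undone and the year suffix is noticed, while the four-word passphrase passes everything without containing a single digit or symbol.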

Password Reuse

Google Workspace's reuse control is a single toggle rather than a configurable history depth. The Allow password reuse setting, under the Reuse section of Password management, decides whether users may set a password they have used on their Workspace account before; check that it is turned off. There is no option to block only the last N passwords, and no admin control can stop a user reusing a password they also use on an unrelated site, which is exactly what credential stuffing exploits. That gap is one more reason 2-Step Verification, not reuse rules, is the primary defence.


Password Expiration Policies

Password expiration — the practice of forcing users to change their password every 60, 90, or 180 days — has been a standard enterprise IT control for decades. The research consensus has shifted significantly on this point in recent years.

What the Evidence Shows

Mandatory rotation was introduced when password cracking was slow and passwords were often stored insecurely. In that context, rotating credentials limited the window of exposure. Today, the calculus is different:

  • When users are forced to change passwords frequently, they make minimal changes ("Password1!" becomes "Password2!") or follow predictable seasonal patterns ("Summer2024" becomes "Winter2024").
  • Modern credential theft happens at scale through phishing and data breaches, not through patient brute force. Once a credential is stolen, it is used immediately, making rotation ineffective against the primary threat.
  • NIST SP 800-63B explicitly states that verifiers "SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)" and recommends a forced change only when there is evidence of compromise.

Google Workspace Expiration Settings

Navigate to Security > Authentication > Password management. Under the Expiry section, you choose between:

  • Never expire (recommended for most organisations with enforced 2SV)
  • Expires after a set number of days, chosen from the periods Google offers

If you have enforced 2-Step Verification across your organisation, the ASD and current NIST guidance support a "never expire" policy for standard users. The MFA second factor provides ongoing protection even if a credential is eventually compromised in a breach.

If you have not yet enforced MFA across your organisation, a 180-day expiration with password reuse disallowed is a reasonable intermediate position. However, getting 2SV enforced should be the priority, not fine-tuning expiration timers.

For organisations with MFA enforced: Set expiration to Never expire for standard users. Reserve forced rotation for specific scenarios:
- When a user reports a suspected compromise
- When an admin account credential is suspected of exposure
- As part of offboarding a departing employee

For organisations without MFA fully enforced: Set expiration to 180 days as a temporary measure while working toward full MFA rollout.

To configure:
1. Navigate to Security > Authentication > Password management.
2. Under Expiry, select your preferred option.
3. Click Save.


Applying Password Policies at the OU Level

One of the most practical capabilities in Google Workspace password management is the ability to apply different policies to different organisational units. This lets you set stricter requirements for privileged users, contractors, or specific departments without imposing those requirements on your entire organisation.

When OU-Level Policies Are Useful

  • Admin accounts: Require a minimum of 16 characters and enable strength enforcement. Admin accounts control your entire Workspace environment; they warrant stricter requirements.
  • Finance or HR teams: Users who handle sensitive data (Tax File Numbers, payroll, personal information) can be held to higher standards.
  • Contractors and vendors: Organisations that provision Workspace accounts for contractors may want stricter expiration policies for these accounts so credentials do not persist indefinitely after a contract ends. Treat this as a backstop, not an offboarding process: suspend or delete contractor accounts when the engagement finishes rather than relying on the password lapsing.
  • Students or external users (education environments): May warrant different complexity requirements based on age and technical sophistication.

How to Apply OU-Level Password Policies

  1. Navigate to Security > Authentication > Password management.
  2. In the left panel you will see the organisational unit selector. By default, you are viewing the top-level OU (your entire organisation).
  3. Click on the child OU you want to configure (for example, "IT Team" or "Finance").
  4. Modify the password settings for that OU. You will be prompted to either Override the parent OU's settings or Inherit them.
  5. Select Override to apply different settings to this specific OU.
  6. Configure the desired minimum length, strength enforcement, and expiration settings.
  7. Click Save.

An override on a child OU applies to that OU and to any OUs beneath it that are still set to Inherit; it does not affect the parent OU or sibling OUs. You can layer these configurations as deeply as your OU structure goes.

Practical Example for an Australian SMB

  Organisational Unit      Min Length   Strength Enforcement   Expiration
  All Users (top-level)    12           Enabled                Never
  IT Admins                16           Enabled                Never
  Finance                  12           Enabled                Never
  Contractors              12           Enabled                90 days

This configuration enforces a consistent baseline across the organisation while applying additional rigour for administrator accounts and time-boxing credentials for non-permanent staff.
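Inheritance is where OU policies go wrong in practice: a child OU set to Override with a weaker value than its parent silently carves a hole in the baseline, and an override that merely duplicates the parent stops future changes at the top level from flowing down. The following added example (not code from this page or from Google) models the table above as a small OU tree and resolves the effective policy for any path the way the Admin console does, by walking up to the nearest ancestor that overrides. The OU paths and a hypothetical "/Sales" misconfiguration are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterator, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    enforce_strong: bool
    expiry_days: Optional[int]  # None means "Never expire"


# Constructed model of the table above. Only OUs that have chosen Override
# appear here; every other OU inherits from its nearest listed ancestor.
OVERRIDES = {
    "/": PasswordPolicy(12, True, None),
    "/IT Admins": PasswordPolicy(16, True, None),
    "/Finance": PasswordPolicy(12, True, None),
    "/Contractors": PasswordPolicy(12, True, 90),
}


def ancestors(ou_path: str) -> Iterator[str]:
    """Yield the OU itself, then each parent, ending with the top-level "/"."""
    path = ou_path.rstrip("/") or "/"
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"


def _parent(ou_path: str) -> str:
    return ou_path.rstrip("/").rsplit("/", 1)[0] or "/"


def effective_policy(ou_path: str, overrides=OVERRIDES) -> PasswordPolicy:
    """The policy a user in `ou_path` actually gets: the nearest override."""
    for path in ancestors(ou_path):
        if path in overrides:
            return overrides[path]
    raise KeyError("no top-level policy configured")


def weaker_than_parent(overrides=OVERRIDES) -> list[str]:
    """Child OUs whose override loosens what they would inherit: a lower
    minimum length, or strength enforcement switched off under a parent
    that has it on. These are holes in the baseline."""
    weak = []
    for path, pol in overrides.items():
        if path == "/":
            continue
        parent = effective_policy(_parent(path), overrides)
        if pol.min_length < parent.min_length or (
                parent.enforce_strong and not pol.enforce_strong):
            weak.append(path)
    return sorted(weak)


def redundant_overrides(overrides=OVERRIDES) -> list[str]:
    """Child OUs whose override equals what they would inherit anyway. Set
    these back to Inherit so later changes at the parent reach them."""
    return sorted(p for p, pol in overrides.items()
                  if p != "/" and pol == effective_policy(_parent(p), overrides))


if __name__ == "__main__":
    for ou in ("/Finance/Payroll", "/IT Admins/Tier 1", "/Contractors", "/Sales"):
        print(f"{ou:20} -> {effective_policy(ou)}")
    print("weaker than parent:", weaker_than_parent())
    print("redundant overrides:", redundant_overrides())
```

Run against the table, the checker reports no weakened OUs but flags Finance as a redundant override: its values are identical to the top level, so it is better left on Inherit unless you intend to diverge later. Re-run it whenever someone adds an OU; a helpdesk sub-OU under IT Admins dropped back to 12 characters is exactly the kind of change that looks harmless in the console and shows up here.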


Rolling Out Policy Changes Without Disruption

Changing password policies mid-stream can create confusion if not communicated properly. The key consideration is that, unless you enable Enforce password policy at next sign-in, Google Workspace does not invalidate existing passwords when you tighten requirements; the new policy applies only when a user next sets or changes their password.

Approach for Minimum Length Changes

If you are moving from 8 to 12 characters, you have three options:

Option A: Enforce at next sign-in. Enable Enforce password policy at next sign-in on the Password management page. Users whose current password does not meet the new policy are prompted to set a compliant one the next time they sign in. This is the least effort for admins, but it lands on every non-compliant user at once, so announce it beforehand.

Option B: Wait for natural rotation. Users will be prompted to set a compliant password the next time they change their password. If you have expiration enabled, all users will eventually comply. If expiration is set to "Never," users will only be prompted if they voluntarily change their password or if you reset their credentials.

Option C: Force a password reset. In the Admin Console, navigate to Directory > Users, select the users whose passwords you want to reset, and use the Reset password action. You can send users a link to set a new password or set a temporary password that requires change on next login. The Security report under Reports > User reports shows which users' passwords do not meet the length policy, so you can target only those accounts. For a business of 50 to 100 users, this is operationally manageable. For larger organisations, consider a phased approach by OU.

Communication Template

Before forcing a reset, send a clear communication to affected users:

"We are updating our password requirements to improve security. When you next log into your Google Workspace account [or: from [DATE]], you will be prompted to set a new password. Your new password must be at least 12 characters long. This is to protect your account and our business data. If you have any questions, contact [IT team/email]."

Provide a brief guide on how to create a strong, memorable password. Passphrases of four or more randomly chosen words satisfy the length requirement while being genuinely memorable: "Correct-Battery-Staple-Blue" is 27 characters and far more practical than "P@ssw0rd12!". Stress that the words must be chosen at random, not borrowed from a well-known example or a favourite quotation.

Monitor for Failed Logins

After a policy rollout, monitor Reports > Audit and investigation > Login audit log for an increase in failed login events (filter on Failed login). Two patterns matter. A single user failing repeatedly from their usual location is someone struggling with the new requirement who needs support. One unfamiliar address failing once or twice against many different accounts is a password spray, and the stronger policy is now rejecting guesses that might previously have landed.
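The same Login audit data is available through the Admin SDK Reports API (activities.list with applicationName=login), which is the practical way to run this check every morning of the rollout week. The added example below is not from this page or from Google: it triages constructed records shaped like that API's login_failure events, separating users who need help from source addresses that are touching many accounts. The sample addresses, timestamps and the two thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

FAILURE = "login_failure"


def _record(ts, email, ip, name, failure_type=None):
    """Build one activity item in the shape of a Reports API login export.
    The contents are constructed sample data, not a real export."""
    params = [{"name": "login_type", "value": "google_password"}]
    if failure_type:
        params.append({"name": "login_failure_type", "value": failure_type})
    return {"id": {"time": ts, "applicationName": "login"},
            "actor": {"email": email}, "ipAddress": ip,
            "events": [{"type": "login", "name": name, "parameters": params}]}


# Constructed sample: alice fails six times from her own address (a user who
# has not yet adjusted to the new minimum), one external address fails once
# each against four different accounts (the shape of a password spray), and
# bob then signs in successfully from an office address.
SAMPLE = [
    _record(f"2025-03-03T09:0{i}:12Z", "alice@example.com", "203.0.113.10",
            FAILURE, "login_failure_invalid_password")
    for i in range(6)
] + [
    _record("2025-03-03T09:10:00Z", user, "198.51.100.7",
            FAILURE, "login_failure_invalid_password")
    for user in ("bob@example.com", "carol@example.com",
                 "dave@example.com", "erin@example.com")
] + [_record("2025-03-03T09:12:44Z", "bob@example.com", "203.0.113.22",
             "login_success")]


def failed_logins(activities):
    """Yield (email, ip) for every login_failure event in an export."""
    for item in activities:
        for event in item.get("events", []):
            if event.get("name") == FAILURE:
                yield item["actor"]["email"], item.get("ipAddress", "unknown")


def triage(activities, user_threshold=5, spray_threshold=3):
    """Split failures into 'one user, many failures' (support ticket) and
    'one source, many accounts' (investigate). Thresholds are tuning
    assumptions; set them from a quiet week's baseline."""
    failures_per_user = Counter()
    accounts_per_ip = defaultdict(set)
    for email, ip in failed_logins(activities):
        failures_per_user[email] += 1
        accounts_per_ip[ip].add(email)
    needs_support = sorted(u for u, n in failures_per_user.items()
                           if n >= user_threshold)
    suspicious_ips = sorted(ip for ip, accounts in accounts_per_ip.items()
                            if len(accounts) >= spray_threshold)
    return {"needs_support": needs_support, "suspicious_ips": suspicious_ips}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("users to contact:", result["needs_support"])
    print("sources to investigate:", result["suspicious_ips"])
```

Note that the spraying address never trips the per-user threshold, and alice's address never trips the per-source threshold; counting only total failures would have blurred the two into one alarm. In a real deployment, feed `triage` the items returned by the API call and review the suspicious list before anything else, because a spray that is being rejected today is a spray that will succeed against any account the new policy has not yet reached.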


Best Practices Summary

These recommendations consolidate the guidance above into an actionable reference.

Do:
- Set minimum password length to 12 characters for all users, 16 for admins
- Enable the Enforce strong password setting at the top-level OU
- Combine password policies with enforced 2-Step Verification — the two controls are complementary, not interchangeable
- Apply stricter OU-level policies to admin accounts, finance, and HR teams
- Use "never expire" for organisations with MFA enforced, aligned with ASD and NIST guidance
- Communicate policy changes clearly and in advance before forcing resets
- Encourage passphrases rather than complex character substitutions

Do not:
- Rely on password policy alone as your primary authentication control
- Set expiration to 60 or 90 days as a substitute for MFA; this creates churn without security benefit and is now considered poor practice by NIST, ASD, and NCSC
- Apply your tightest policy at the top-level OU if it will immediately break workflows for a large user base — pilot it with a small group first
- Forget that new policies apply on next password change, not immediately — plan accordingly if you need universal compliance by a specific date


Australian Compliance Alignment

For IT managers who need to demonstrate compliance to auditors, insurers, or leadership, here is how these password policy controls map to Australian frameworks.

  Password Setting                       Essential Eight Relevance                                              Privacy Act 1988
  Minimum 12-character length            Moves single-factor accounts toward the ISM's long-passphrase guidance   Reduces risk of unauthorised access to systems holding personal information
  Strength enforcement                   Blocks the weak and reused credentials that precede privilege abuse      Supports APP 11 (security of personal information)
  "Never expire" with MFA                Consistent with current ASD guidance on credential management           Reduces admin overhead that can lead to security drift
  OU-level admin policies                Directly supports "restrict administrative privileges"                  Limits blast radius if an admin credential is compromised
  Forced reset on suspected compromise   Consistent with ASD incident response guidance                          Supports Notifiable Data Breaches response obligations

This is not legal advice, and you should consult your compliance adviser for obligations specific to your industry and business structure. However, documenting your password policy configuration — the settings you have chosen, the rationale, and the review date — gives you an audit trail that demonstrates you have taken the "reasonable steps" required under the Privacy Act.



Wrapping Up

Password policies in Google Workspace are not a silver bullet, but they are a baseline control that every administrator should configure deliberately rather than leaving at defaults. The default Workspace configuration accepts 8-character passwords with no strength enforcement and no expiration, a posture most security auditors would question.

The changes recommended in this guide are straightforward:

  • Set minimum password length to 12 characters (16 for admin accounts)
  • Enable the Enforce strong password toggle
  • Adopt "never expire" if you have MFA enforced, or 180 days as an interim if you do not
  • Apply OU-level overrides for privileged accounts and contractors

None of these changes take more than 30 minutes to implement. Communicating and rolling them out thoughtfully takes a bit more planning, but the operational lift is low relative to the security benefit.

The harder work, if you have not already done it, is enforcing 2-Step Verification. Password strength and MFA are not interchangeable — they address different attack vectors. Password quality limits the value of stolen or guessed credentials. MFA prevents those credentials from being used even when they are compromised. Together, they close the two most common initial access paths that attackers use against cloud environments.

Configure both, document your choices, and review your settings when Google releases new security features or when your threat model changes. That is what a proactive security posture looks like for an Australian SMB.

