Property Passwords must meet complexity requirements determines whether password complexity is enforced. If this setting is enabled, user passwords meet the following requirements:

• The password is at least six characters long.
• The password contains characters from at least three of the following four categories:
  English uppercase characters (A - Z)
  English lowercase characters (a - z)
  Base 10 digits (0 - 9)
  Any non-alphanumeric character (for example: !, $, #, or %)
• The password does not contain three or more characters from the user's account name.

If the account name is less than three characters long, this check is not performed because the rate at which passwords would be rejected is too high. When checking against the user's full name, all non-letter characters are treated as delimiters that separate the name into individual tokens. For each token that is three or more characters long, that token is searched for in the password; if it is present, the password change is rejected. For example, the name "Erin M. Hagens" would be split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it would be ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. All of these checks are case-insensitive.

These complexity requirements are enforced upon password change or creation of new passwords. It is recommended that you enable this setting.

All users must change their password every 30 days.
Lockout occurs after 5 bad login attempts.
Password history does not allow a user to reuse any of his last 10 passwords.