Password Change Policy
- Passwords must be changed every 60 days.
Multi-Factor Authentication (MFA)
- MFA using the Microsoft Authenticator app is required every 14 days.
- MFA and a password change are required if the security system detects abnormal login behavior.
- MFA is required when logging into your Microsoft account from a new IP address (e.g., using a different computer than usual).
New Password Requirements
- Minimum length: 10 characters.
- Must include:
- Upper- and lower-case letters
- At least one number
- At least one special character from this set:
`! @ # $ % ^ & * ( ) - _ = + \ | ] } [ { ; : / ? . > < , ``
- No repeat passwords during the same year.
Account Lockout
- Your account will be locked after 5 unsuccessful login attempts.
Other resources:
- Article on Choosing and Protecting Passwords.
- Password Reset Portal - Self Service Password Reset Portal : Knowledge Base (freshdesk.com)
New Policy, Same Management
Our password management has not changed. We are still required to keep passwords confidential and only share with IT Support. When sharing password with IT Support, please avoid using email whenever possible. Instead, use chat features like Microsoft Teams, which allows users to delete sensitive information shared after use. Also, your password should not be visible by anyone or written on sticky notes near your PC. Finally, if you believe your password has been compromised, please contact helpdesk@meridian.org as soon as possible.
Authenticator App is required
As most of you should know, Microsoft provides an easy to use MFA phone app called the Authenticator. It makes password policy changes much easier to manage. If you have questions or issues using Microsoft Authenticator, please email helpdesk@meridian.org.
Beware of Password Phishing Attacks
A common phishing email attack uses Microsoft branding as a way trick staff with fake “Password” or “MFA” requirements. Please be aware that Microsoft will NEVER send you an email on how to access your Microsoft account. You will only receive password notices via email directly from internal staff with Microsoft admin rights, such as the internal IT Team. If you are unsure that an email is a phishing attack, please forward email to helpdesk@meridian.org.