System-Defined Password Requirements
The following password requirements are always enforced by the system and can't be changed by an administrator:
- A prior password can't be reused.
- There must be a significant difference between a new password and the last password. (For example, a user can change a password from MyWord!123 to MyWord!145. But MyWord!124 wouldn't work.)
- Easy-to-guess passwords, such as common names, words, and strings like abcd123456, are prohibited.
- Non-ASCII characters are considered illegal characters and are prohibited.
- The minimum password length must be at least the minimum required by the selected password policy.
- Passwords must contain the appropriate variety of character types specified by the selected password policy:
  Character types are:
  - Uppercase alphabet (A, B, ... Z)
  - Lowercase alphabet (a, b, ... z)
  - Number (1, 2, 3, 4, 5, 6, 7, 8, 9, 0)
  - Non-alphanumeric ASCII characters, for example ` ~ ! @ # $ % ^ & * ) ; ' [ ] "{ }.
- The password can't be in a list of leaked passwords. NetSuite checks the password on submit, which can cause the password to be rejected even if all other criteria are met.
Immediate Feedback on Password Changes
When entering a new password, users receive immediate feedback on compliance with password requirements. An administrator receives the same feedback when entering a user password on the Access tab of an employee, partner, vendor, or customer record.
For more information about how users can change their passwords, see Change Password Link.
Every page where a user changes a password contains the Password Criteria table. This ensures that the user can tell whether the proposed password meets the security rules enforced by the system.
The password can still be rejected, because the system checks it against a leaked password database on submit. If this happens, you should consider changing the leaked password in other services you use.
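The following is an added example, not NetSuite code: a local pre-check that evaluates a candidate password against the locally checkable rules above and returns one pass/fail entry per criterion. The `POLICY` thresholds, the `changedChars` difference metric, and the `EASY_TO_GUESS` sample list are assumptions chosen to match the page's MyWord!123 example; password history and the leaked-password check run on the server and are not reproduced here.

```javascript
// Added example. Thresholds and the difference metric are assumptions,
// not NetSuite's actual policy values or algorithm.
const POLICY = { minLength: 10, minCharTypes: 3, minChangedChars: 2 }; // assumed

// Constructed sample denylist; the real easy-to-guess, password-history and
// leaked-password checks happen server-side and cannot be reproduced locally.
const EASY_TO_GUESS = new Set(["abcd123456", "password123"]);

// Count how many of the four documented character types appear.
function countCharTypes(pw) {
  const types = [/[A-Z]/, /[a-z]/, /[0-9]/, /[!-\/:-@\[-`{-~]/]; // last: ASCII punctuation
  return types.filter((re) => re.test(pw)).length;
}

// Assumed metric: positions whose characters differ, plus any length difference.
function changedChars(a, b) {
  const shared = Math.min(a.length, b.length);
  let diff = Math.abs(a.length - b.length);
  for (let i = 0; i < shared; i++) if (a[i] !== b[i]) diff++;
  return diff;
}

// Returns one pass/fail entry per criterion, like a criteria table.
// lastPassword is the current password the user supplies when changing it.
function checkPassword(candidate, lastPassword, policy = POLICY) {
  return {
    differsFromLast: changedChars(candidate, lastPassword) >= policy.minChangedChars,
    notEasyToGuess: !EASY_TO_GUESS.has(candidate.toLowerCase()),
    asciiOnly: /^[\x00-\x7F]*$/.test(candidate),
    minLength: candidate.length >= policy.minLength,
    charTypes: countCharTypes(candidate) >= policy.minCharTypes,
  };
}

// True only when every local criterion passes; the server can still reject.
function isCompliant(candidate, lastPassword, policy = POLICY) {
  return Object.values(checkPassword(candidate, lastPassword, policy)).every(Boolean);
}

// Constructed run using the page's own example passwords plus a non-ASCII variant.
for (const pw of ["MyWord!145", "MyWord!124", "MyW\u00f6rd!145"]) {
  console.log(pw, checkPassword(pw, "MyWord!123"));
}
```

A candidate that passes every entry here can still be refused on submit, because the leaked-password and reuse checks are only performed by the system.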