As a way to enhance the security and management settings available for enterprise admins, we've added the ability to require strong passwords for external collaborators. With this setting enabled, passwords from external collaborators have to meet certain security criteria before the user will be able to access the content owned by the organization.
What does this feature allow admins to do?
- The feature allows admins to require that the Box passwords external collaborators use to access their organization’s content meet certain criteria for added security
What types of accounts have this available?
- The feature is available on Enterprise and Elite accounts
How does an admin enable the setting?
- To enable this setting, go to the Password Requirements section under the Security tab in your Enterprise Settings, from the Admin Console
- Check the box next to Require strong passwords for external collaborators.
Do you allow admins to require that their own managed users set passwords that meet certain criteria?
- Yes, this is an existing Box feature and can be enabled in the same Password Requirements section on the Security tab
- That setting is available for Enterprise/Elite admins
Does it have to be set for the entire account, or can it be chosen for a specific folder or set of folders?
- The requirement must be set for the entire account
When it’s set, what’s the experience for new external collaborators that are invited?
- When an external collaborator is invited to collaborate on content that is subject to the strong password requirement and their password is not already strong enough, they will be prompted in the web app to either accept or reject that collaboration invite
- If they reject, they will not be able to access the shared content (on the Box web app, Box Sync, Box mobile apps, etc.). If they decide later that they’d like to change their password in order to access the content, they will need to be invited again by a collaborator.
- If they accept, they will be prompted to change their Box password to meet the stricter criteria
When it’s set, what’s the experience for existing external collaborators?
- When an admin enables the new feature, existing external collaborators will be affected immediately if their password does not meet the criteria (if it does, they will not see a change)
- If this is the case, the external collaborator will lose access to the content (on the Box web app, Box Sync, Box mobile apps, etc.) and will be prompted to either accept or reject that collaboration as outlined above the next time they log in on the web app.
- In the meantime, the external collaborator will lose access to the content from mobile apps, Box Sync, partner integrations, etc. until they log in to Box, accept, and change their password
- Any user subject to losing access to content will receive an email notification prompting them to log in to the web app and change their password to regain access to that content
- If they accept, they will be prompted to update their password to a stronger one
- If they reject, they will no longer be able to access that content (from everywhere – web app, Box Sync, mobile apps). If they decide later that they want to have access again, they’ll need to be re-invited and update their password accordingly.
Do external collaborators know they need to change their password anywhere besides the web app?
- Yes, Box will send an email notification to new and existing external collaborators if the setting is enabled and they need to log in and change their password in order to access that content.
If you are in the process of setting up SSO but have not yet enabled the SSO Required option, as described in Setting Up Single Sign-On (SSO) for Your Enterprise, and an external collaborator already uses SSO, we consider that a strong password and do not require updating the password.
How do you define a “strong” password?
- A "strong" password is a password of increased complexity. By default, Box does not require any specific level of complexity beyond the minimum number of characters.
- A “strong” password must contain more characters than the minimum allowed. We recommend including numbers, special characters, and a mix of upper- and lowercase letters, but these are not required – they just help increase the key space.
- The criteria for a strong password for external collaborators are not related to the enterprise's password requirement settings but follow Box guidelines for strong passwords: using at least 8 characters, with either a combination of numbers, upper- and lowercase letters, or special characters (e.g. $#@&!).
- If an external collaborator already uses SSO to access Box, we consider that a strong password and do not require updating the password.