# Enforce Password Policy for Extensions

A password policy raises the security bar on every extension by controlling how strong its passwords must be. Weak or reused passwords are one of the easiest ways for an attacker to hijack an extension and run up toll fraud, so tightening these rules protects both the account and your call spend.

Each extension has two separate passwords, and the policy covers both:

- **Registration password**: the credential a device (an IP desk phone or a softphone, which is a phone app running on a computer or mobile) uses to register with the PBX (Private Branch Exchange, the phone system) so it can make and receive calls.
- **User password**: the password a person types to sign in to the Cloud Voice App.

## Before you begin

- Your PBX server must be running firmware **84.20.0.21** or later.
- Changing these settings requires administrator access to your phone system's management portal, which you reach by logging in to the Cloud Voice Dashboard.

:::note
If you open the Security page and do not see the **Extension Password Rules** section, you are most likely not signed in with full administrator access. Log in to the Cloud Voice Dashboard at https://voice.izt.cloud and click **Login** to open your phone system's management portal with full administrator access, then try again.
:::

## Configure the rules

1. Log in to the Cloud Voice Dashboard at https://voice.izt.cloud and click **Login** to open your phone system's management portal, then open **Security > Security Settings > Security Options**.
2. Locate the **Extension Password Rules** section and adjust the settings described below.

   ![Extension password rule fields in the Security Options page](/images/pbx/security-ext-psw-rule.png)

   | Setting | What it controls |
   |---------|------------------|
   | Minimum Character Length of User Password | The fewest characters allowed in an extension's user password, the password used to sign in to the Cloud Voice App. The password can be up to 63 characters, so the minimum you require cannot exceed 63. |
   | Minimum Character Length of Registration Password | The fewest characters allowed in an extension's registration password, the credential a device such as an IP phone or softphone uses to register. The password can be up to 63 characters, so the minimum you require cannot exceed 63. |
   | Extensions Are Not Allowed Reuse Any of Their Last _{number}_ User Passwords | When turned on, an extension cannot recycle any of its most recent user passwords when setting a new one. Enter a value from 1 to 20 to choose how many past passwords are blocked. |

3. Click **Save**.

:::tip
Turn on the reuse rule to stop users from cycling back to an old password every time they are asked to change it. Blocking the last several passwords is a simple, low-effort way to keep credentials fresh.
:::

:::caution
The registration password must match on both ends: the value stored on the PBX and the value entered on the device. If you tighten the registration-password minimum and then reissue a longer password to an extension, you must also update that password on the phone or softphone. A mismatch stops the device from registering, which means it cannot make or receive calls.
:::

## What happens next

From this point on, the rules are checked whenever an extension is created or an extension password is changed, so any new password must satisfy the policy you defined.

:::note
Existing extensions are not forced to change their passwords the moment you save the policy. A current password that does not meet the new rules keeps working until someone changes it, at which point the new value must satisfy the policy.
:::
