Default password requirements
passwords don't expire
passwords need to be at least 10 characters long and contain at least one uppercase letter, one number and one special character.
two factor authentication is not enforced.
Administrators of accounts that are on the Pro or Multi-account monthly billing plan or the Pay As You Go plan can control minimum password length and force expiry. Two factor authentication is available even with the Standard billing plan.
Under the Security tab on the Account Settings page you can change the minimum password length requirement that applies to all users of the entire account (and sub accounts, if applicable). The requirement for at least one uppercase letter, one number and one special character aren't affected by changing the password length.
You can also force password expiry so users have to periodically chose a new password without the possibility to reuse previous passwords. Passwords previously used while password expiry is enabled can never be reused.