If you create accounts manually, you need to know about the makeup of usernames and passwords so you don't get slowed down by having them rejected by the system.
Usernames must be unique and are not case sensitive when you or your account holders enter them. They are always displayed in lower case.
They must be at least 6 characters long and can be as long as 20 characters. All usernames will start with a prefix unique to your organisation. If you use any form of automated account creation, such as self-registration or bulk upload, usernames will be in a predictable format.
If you are allowing email addresses to be used as usernames, then the email addresses will also need to be unique.
Passwords are case sensitive, must be at least 8 characters long (maximum is 20) and contain a mix of letters and characters that are not letters.
For the best security, your own passwords should be difficult to guess but easy for you to remember and as lengthy as you can comfortably manage within the constraints.
Users should ideally always set their own passwords, but where this is not possible you should avoid (so far as is practical):
The safest way to reset user passwords is to trigger a reactivation email and let the account holder do it themselves.
The account becomes expired ON the expiry date - i.e. it does not allow the user to log in on the expiry date. The same is true of any other types of expiry date that may be in use by your organisation's schema such as eligibility expiry or permission set expiry.