Password policies define the password rules for one or more connected systems. Configuration is largely done in the user interface, but you can also write your own custom password policy when the interface does not offer the option you need.
The product installs with two default password policies. These cannot be changed, but you can copy one of them and rename the copy if its rules meet your organization's password criteria.
Adding a New Password Policy
To add a new password policy, click "Add". Two radio buttons sit at the top of the configuration section: "Standard Password Policy" and "Quorum". With Standard, every defined password rule is enforced without exception. With Quorum, the "Conditional" check box at the far right of each rule becomes part of the evaluation: every rule you mark as conditional is counted, and the "Minimum Number of conditional rules to be satisfied" field at the bottom of the page sets how many of those conditional rules a password must meet before it is allowed.
[Screenshot: top half of the password policy configuration]
[Screenshot: bottom half of the password policy configuration]
Name - The name of the password policy.
Display Name - The display name of the password policy; this is what is shown on the password reset pages.
Description - The description of the password policy.
Standard Password Policy - Clicking the plus or minus expands/collapses this section.
Visible - The password rule is shown to users when the check box is checked.
Conditional - The password rule is treated as conditional when the check box is checked. Note: this is only enabled when "Quorum" is selected.
Length
Minimum - The minimum number of characters a password may have.
Maximum - The maximum number of characters a password may have.
Letters
Allow letters only - Only letters can be used in passwords (no numeric or special characters).
Must start with a letter - Passwords must begin with an alphabetic character.
Minimum number of letters - The lowest allowable number of letters in a password. A blank or zero (0) entry means no letters are required.
Maximum number of letters - The highest allowable number of letters in a password.
Require mixed case - Requires both upper case and lower case characters.
Minimum number of upper case letters - The lowest allowable number of upper case letters in a password. A blank or zero (0) entry means no upper case letters are required. Note: the Require mixed case check box must be selected.
Minimum number of lower case letters - The lowest allowable number of lower case letters in a password. A blank or zero (0) entry means no lower case letters are required. Note: the Require mixed case check box must be selected.
Numbers
Allow numbers only - Only numbers (no letters or special characters) can be used in passwords.
Must start with a number - Passwords must begin with a numeric character.
Minimum number of numerics - The lowest allowable number of numeric characters in a password. A blank or zero (0) entry means no numerics are required.
Maximum number of numerics - The highest allowable number of numeric characters in a password.
Dictionary
Disallow words found in dictionary when: Note: go to the Dictionary page to learn how to add words to the dictionary (thereby disallowing their use in passwords) and to remove words from the dictionary (thereby allowing their use in
Contained within password - Passwords cannot contain a word from the dictionary.
Contained within password (ignore non-letters in password) - Passwords cannot contain a dictionary word once non-letters are removed. For example, "h1o2u3se" is invalid because it becomes "house", a dictionary word, when the non-letters are stripped.
Password starts with word - Passwords cannot start with a word from the dictionary.
Password ends with word - Passwords cannot end with a word from the dictionary.
Minimum length of word to check against - The length of the shortest dictionary word that is checked against passwords; shorter dictionary words are not checked.
Additional
Disallow repeating character sequences - Disallows repeated characters (11, xx, etc.) in passwords. Passwords with repeated characters are easier for password cracking programs to discover.
Minimum number of special characters - The lowest allowable number of special characters in a password. A blank or zero (0) entry means no special characters are required.
Disallow characters - Special characters that may not appear in passwords.
Maximum number of character pairs - The highest allowable number of character pairs (11, xx, etc.) in a password.
Maximum number of character occurrences - The highest allowable number of times a single character may occur in a password.
User Related
Password cracking programs often attempt to guess passwords by trying known information about the user such as first name, last name, ID, etc. Testing is case insensitive: names, user IDs, and passwords are converted to lowercase before testing.
Notes: The Admin UI Add Profile feature does not enforce the user ID part of this rule. The Self-Service Self-Registration feature only enforces the user ID part of this rule if the primary user ID attribute is present as one of the fields in the Self-Registration UI. This rule is only enforced for the Identity account and profile of the user.
Disallow the user attributes - Passwords cannot contain the values of the selected attributes (for example first name or last name). Click the "Pick" button to select the attributes.
Disallow reverse or circular shift of user name - Disallows using the reverse or a circular shift of the user name in passwords.
Length of first or last name to disallow - The minimum length of a first- or last-name fragment that is disallowed in passwords.
Disallow the Identity User ID - Passwords cannot contain the Identity user ID.
Disallow reverse of Identity User ID - Passwords cannot contain the reverse of the Identity user ID.
Disallow rearrangement of Identity User ID - Passwords cannot contain a rearrangement of the Identity user ID.
Length of Identity User ID to disallow - The minimum length of an Identity user ID fragment that is disallowed in passwords.
Password Reuse and Age
Allow Password Reuse - Allows users to reuse previous passwords when changing their password.
Number of passwords to remember - The number of old passwords to remember (and allow) when the Allow Password Reuse check box is selected. For security reasons, use a value of 3 or greater.
Minimum Password Age - After a password reset, Identity users are not allowed to change their password again until this number of days has passed. This rule is enforced for Identity users during password reset from the Self-Service and Kiosk pages; it does not apply to password resets from the Admin UI or to resets performed by OBO users.
Maximum Password Age - The maximum number of days a password may be used. Standard Passwords: the default is 90 days. Complex Passwords: the default is 30 days.
Quorum for conditional
Minimum Number of conditional rules to be satisfied - The number of conditional rules a password must satisfy. (Enabled only when "Quorum" is selected.)
Custom Password Policy - Clicking the plus or minus expands/collapses this section. Check the box if the standard policy settings are not sufficient for your password policy requirements. This policy is enforced by Identity Password Manager at run time during reset password operations. The custom policy must be written in JavaScript; any text editor such as Notepad can be used to create it, after which the text is pasted into the Policy Script field. These are the requirements of custom policies:
Description - The description of the Custom Password Policy. Select the preferred language from the drop-down list (the default is English). The description is used in two places: when the View password policy link is clicked and the custom password policy is enabled, and when the custom password validation fails. The description should contain the characters "{0}" to mark where the error message is inserted on failure. For example, a description might be: Custom policy: {0}
Function Name - The name of the JavaScript function that implements the custom policy.
Policy Script - The custom password policy script.
Update - Saves the changes made on this page and returns to the previous page. Note: this button is not displayed for system-defined password policies.
Category - Opens the Object Category Association page listing the default object category associations. Note: this button is not displayed for system-defined password policies.
Test - Tests the password policy against a test password to confirm that it works as expected. If the Custom Password Policy check box is selected, the Test button executes the JavaScript function named above. On the Test Password Policy page, enter the password to be tested against the policy and click Test. If the password is not valid, the rule results are displayed.
Note: this example uses testPassword as the Function Name; any other name can be used.
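The following is an added example of such a custom policy script, written for this page; it is not the product's own sample (which is not reproduced here). It uses testPassword as the function name, as the note above suggests. Because the page does not state the function's calling convention, the parameters (password, userId) and the return convention (an empty string when the password is accepted, otherwise the message the product would insert at "{0}" in the Description) are assumptions that must be checked against the product documentation before use. The script also shows the Quorum evaluation described under Adding a New Password Policy, with a handful of the standard rules (the dictionary check that ignores non-letters, character pairs and occurrences, and the user ID reverse, circular shift and rearrangement checks) implemented directly so their behaviour can be exercised outside the UI. The dictionary and user ID are constructed sample data.

```javascript
// Added example of a custom password policy script. Function name, parameters
// and return convention are assumptions (see the lead-in), not the product's
// documented API.

// Constructed sample dictionary; a deployment would manage words on the Dictionary page.
const DICTIONARY = ["house", "password", "summer"];
const MIN_DICTIONARY_WORD_LENGTH = 4; // "Minimum length of word to check against"
const MIN_USER_ID_LENGTH = 4;         // "Length of Identity User ID to disallow"

// "Contained within password (ignore non-letters in password)": strip everything
// that is not a letter first, so "h1o2u3se" is rejected because it becomes "house".
function containsDictionaryWord(password) {
  const lettersOnly = password.toLowerCase().replace(/[^a-z]/g, "");
  return DICTIONARY.some(
    (w) => w.length >= MIN_DICTIONARY_WORD_LENGTH && lettersOnly.includes(w)
  );
}

// "Disallow the Identity User ID" and "Disallow reverse or circular shift":
// the user ID itself (rotation 0), every rotation of it, and its reverse are
// all disallowed as substrings. Testing is case insensitive, as on the page.
function usesShiftedUserId(password, userId) {
  const p = password.toLowerCase();
  const u = userId.toLowerCase();
  if (u.length < MIN_USER_ID_LENGTH) return false;
  const reversed = u.split("").reverse().join("");
  if (p.includes(reversed)) return true;
  for (let i = 0; i < u.length; i++) {
    const rotated = u.slice(i) + u.slice(0, i);
    if (p.includes(rotated)) return true;
  }
  return false;
}

// "Disallow rearrangement of Identity User ID": any permutation of the user ID's
// characters, found by comparing sorted character multisets over every window of
// the password that has the same length as the user ID.
function usesRearrangedUserId(password, userId) {
  const p = password.toLowerCase();
  const key = userId.toLowerCase().split("").sort().join("");
  if (key.length < MIN_USER_ID_LENGTH) return false;
  for (let i = 0; i + key.length <= p.length; i++) {
    const slice = p.slice(i, i + key.length).split("").sort().join("");
    if (slice === key) return true;
  }
  return false;
}

// "Maximum number of character pairs" (11, xx, ...): count adjacent equal characters.
function countCharacterPairs(password) {
  let pairs = 0;
  for (let i = 1; i < password.length; i++) {
    if (password[i] === password[i - 1]) pairs++;
  }
  return pairs;
}

// "Maximum number of character occurrences": most frequent single character.
function maxCharacterOccurrences(password) {
  const counts = new Map();
  for (const ch of password) counts.set(ch, (counts.get(ch) || 0) + 1);
  return Math.max(0, ...counts.values());
}

// Rules without the Conditional box checked must all pass; of the conditional
// rules, at least QUORUM must pass ("Minimum Number of conditional rules to be satisfied").
const ALWAYS_RULES = [
  ["Password must be between 12 and 64 characters", (pw) => pw.length >= 12 && pw.length <= 64],
  ["Password contains a dictionary word", (pw) => !containsDictionaryWord(pw)],
  ["Password contains the user ID, its reverse or a shifted/rearranged form",
    (pw, uid) => !usesShiftedUserId(pw, uid) && !usesRearrangedUserId(pw, uid)],
];
const CONDITIONAL_RULES = [
  ["at least one upper case letter", (pw) => /[A-Z]/.test(pw)],
  ["at least one lower case letter", (pw) => /[a-z]/.test(pw)],
  ["at least one number", (pw) => /[0-9]/.test(pw)],
  ["at least one special character", (pw) => /[^A-Za-z0-9]/.test(pw)],
  ["no more than two repeated character pairs", (pw) => countCharacterPairs(pw) <= 2],
  ["no character used more than three times", (pw) => maxCharacterOccurrences(pw) <= 3],
];
const QUORUM = 4;

// Returns "" when the password is acceptable, otherwise the message that would be
// substituted for "{0}" in the policy description (assumed return convention).
function testPassword(password, userId) {
  for (const [message, check] of ALWAYS_RULES) {
    if (!check(password, userId)) return message;
  }
  const unmet = CONDITIONAL_RULES.filter(([, check]) => !check(password, userId)).map(([m]) => m);
  const met = CONDITIONAL_RULES.length - unmet.length;
  if (met < QUORUM) {
    return `Only ${met} of ${QUORUM} required conditions met; missing: ${unmet.join(", ")}`;
  }
  return "";
}

// Usage: "" means accepted; anything else is the failure message.
console.log(testPassword("Tr0ub4dor&3-Kwx9", "jsmith") === "" ? "accepted" : "rejected");
console.log(testPassword("h1o2u3se-Tq9!Zz", "jsmith"));
```

To try it, paste the script into the Policy Script field, set Function Name to testPassword, give the policy a Description such as "Custom policy: {0}", and use the Test button with a dictionary-derived password like h1o2u3se-Tq9!Zz and one containing the reversed user ID; both should be reported with the matching message, while a password that meets the length and identity rules but only three of the six conditional rules is rejected by the quorum count.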
To create this policy |
|
Comments
Does setting max password age to zero disable password expiration for a given policy? Would changing the policy retroactively affect users that had already changed their password under the existing policy?
If not, how would one go about doing that?