Skip to main content

Password Policies

Fischer Identity
  • Updated

Password policies are where you define the password rules for one or more connected systems.  This feature is largely UI based in terms of configuration but you do have the option to build your own custom password policy if you would like or if the user interface does not have a configuration option you are looking for.

The product installs with two default password policies.  These policies cannot be changed, however you can copy one of the default policies and rename it if you feel the rules defined meet the password criteria for your organization.

Adding a New Password Policy

To add a new password policy, simply click "Add".  Note that there are two radio buttons on the stop of the configuration section.  "Standard Password Policy" and "Quorum".  Standard is an enforcement of all defined password rules without deviation.  When Quorum is selected, the far right "Conditional" checkbox will enter into the password evaluation process.  If you decide to configure a quorum-based policy, each "Conditional" box you select will be counted and leveraged when enforcing the defined password policy.  With each selection of a conditional based evaluation, the following enforcement rule will come into play:


This option provides administrators with the ability to set the minimum number of conditional rules that the end user must meet before the password is allowed.


This is the top half of the password policy configuration


This is the bottom half of the password policy configuration

Name-  Displays the name of the password policy.
Display Name- Displays the display name of the password policy, this will be displayed in the password reset pages.
Description-  Displays the description of the password policy.
Standard Password Policy- Clicking the plus or minus expands/collapses this section.
Visible- Password rule should be visible if the check box is checked.

Conditional- Password Rule should be conditional if the check box is checked.

                      Note:-This will be enabled when "Quorum" is selected

Length
MinimumThe minimum number of password characters to allow.
MaximumThe maximum number of password characters to allow.

Letters
Allow letters onlyOnly letters can be used in passwords (can not use numeric or special characters) .
Must start with a letter- Passwords must begin with an alphabetic character.
Minimum number of letters- The lowest allowable number of letters to be used in passwords. A blank or zero (0) entry indicates that no letters are required.
Maximum number of lettersThe highest allowable number of letters to be used in passwords.
Require mixed caseRequires both upper case and lower case password characters.

Minimum number of upper case letters - The lowest allowable number of upper case letters to be used in passwords. A blank or zero (0) entry indicates that no upper case letters are required.

 Note:-The Require mixed case check box must be selected.
Minimum number of lower case letters - The highest allowable number of upper case letters to be used in passwords. A blank or zero (0) entry indicates that no lower case letters are required. 
 Note:-The Require mixed case check box must be selected.

Numbers
Allow numbers only- Only numbers (no letters or special characters) can be used in passwords.
Must start with a number- Passwords must begin with a numeric character
Minimum number of numerics- The lowest allowable number of numerics to be used in passwords. A blank or zero (0) entry indicates that no numerics are required.
Maximum number of numerics- The highest allowable number of numerics to be used in passwords

Dictionary

Disallow words found in dictionary when:
Disallows using actual words (house, runner, etc.) in passwords.Password cracking programs attempt to guess passwords by trying
words found in a dictionary. Dictionary word checking is case insensitive(i.e., "house", "hOUse", and "HOUSE" are treated as the same word).

Note:- Go to the Dictionary page to learn how to add words to the dictionary (thereby disallowing their use in passwords), and to remove words from the dictionary (thereby allowing their use in
passwords).
Contained within password- Passwords cannot contain a word in the dictionary
Contained within password(ignore non-letters in password)- Passwords cannot contain an embedded word in the dictionary. For example, "h1o2u3se" is invalid because the password becomes
                                                                                                        "house" when the non-letters are removed, which is a word in the dictionary.
Password starts with word- Passwords cannot start with a word in the dictionary
Password ends with word- Passwords cannot end with a word in the dictionary
Minimum length of word to check against- The length of the smallest word that cannot be used in passwords

Additional

Password cracking programs often attempt to guess passwords by trying known information about the user such as first name, last name, ID, etc.
Notes:-. The Admin UI Add Profile feature does not enforce the user ID part of this rule.
           · The Self-Service Self-Registration feature only enforces the user ID part of this rule if the user ID attribute - primary is present as one of the fields in the Self-Registration UI.
            · This rule is only enforced for the Identity account and profile of the user
Disallow repeating character sequences- Disallows repeating characters (11, xx, etc.) in passwords. Passwords with repeating characters are easier for password cracking programs to discover
Minimum number of special characters- The lowest allowable number of special characters to be used in passwords. A blank or zero (0) entry indicates that no special characters are required.
Disallow characters- Special characters to disallow in passwords
Maximum number of character pairs- The highest allowable number of character pairs (11, xx, etc.) to be used in passwords.
Maximum number of character occurrences- The highest allowable number of occurrences of a single character to be used in passwords.

User Related

Password cracking programs often attempt to guess passwords by trying known information about the user such as first name, last name, ID, etc. Testing is case insensitive. Names, user IDs, and passwords are converted to lowercase before testing.

Notes:
· The Admin UI Add Profile feature does not enforce the user ID part of this rule.
· The Self-Service Self-Registration feature only enforces the user ID part of this rule if the user ID attribute primary is present as one of the fields in the Self-Registration UI.
· This rule is only enforced for the Identity account and profile of the user.
Disallow the user attributesPasswords cannot use the selected attributes value(eg:-first name or last name.) .Click the "Pick" button to select the attributes.

Disallow reverse or circular shift of user name- Disallows using:
                                                                                 · Reverse of the user's name or ID for passwords (e.g., 14nhoj password for john41 user name).
                                                                                 · Circular shift of the user's name or ID for passwords (e.g., 1john4 password for john41 user name).
Length of first or last name to disallow- The lowest allowable number of characters of the first or last name to disallow in passwords.
Disallow the Identity User ID- Passwords cannot use the Identity user ID.
Disallow reverse of Identity User ID- Passwords cannot use the reverse of the Identity user ID.
Disallow rearrangement of Identity User ID- Passwords cannot use a rearrangement of the Identity user ID.
Length of Identity User ID to disallow- The lowest allowable number of characters of the Identity user ID to be used in passwords.

Password Reuse and Age
Allow Password Reuse- Allows users to use previous passwords when changing their password.
Number of passwords to remember- The number of old passwords to remember (and allow) if the Allow Password Reuse check box is selected. For security reasons, a value of 3 or greater should be  used
Minimum Password Age- After a password reset, Identity users should not be allowed to change their password before the number of days set in this field.This rule is enforced for Identity users during password reset from Self-Service and Kiosk pages. This rule is not applicable for password reset from Admin UI and also password reset by OBO users.
Maximum Password Age- The maximum number of days to allow passwords to be used:
· Standard Passwords - The default is 90 days.
· Complex Passwords - The default is 30 days

Quorum for conditional

Minimum Number of conditional rules to be satisfied- User can specify the number of conditional rules to be satisfied.(This is enabled when "Quorum" is selected)

Custom Password Policy

Clicking the plus or minus expands/collapses this section. Check the box if the standard policy settings are not sufficient for your password policy requirements. This policy will be enforced by Identity Password Manager at run time during reset password operations.

The custom policy must be written in JavaScript. Any text editor such as Notepad can be used to create it and then copy/paste the data into the Policy Script field. These are the requirements of custom policies:
· Must be written using JavaScript.
· Must return the string "true" or Boolean "True" if the password policy validation succeeded.
· If the custom password policy validation fails, it must return the error message as a string or the
  Boolean "False".
Description- Enter the description of the Custom Password Policy. Select the preferred language from the drop-down list (the default is English). The description is used in these instances:
                     · When the View password policy link is clicked and the custom password policy is enabled.
                    · When the custom password validation fails. The description should contain the "{0}" characters to indicate where in the description the error message is to be inserted, if it fails. For
                       example, a description might be: Custom policy: {0}
Function Name- The name of the JavaScript function that implements the custom policy.
Policy Script- Enter the Custom Password Policy script.
Update- Saves the changes made to this page and returns to the previous page. Note: This button does not display for system defined password policies.
Category- Displays the Object Category Association page listing the default object category associations. Note: This button does not display for system defined password policies.
Test- Tests the password policy against the test password to ensure that it is working as expected. The Test button executes the JavaScript function entered above if the Custom Password Policy check box is selected. On the Test Password Policy page, enter the password to be tested against the password policy then click the Test button. If the given password is not valid, the rule results display.

Note:-this example uses testPassword as the Function Name; any other name can be used.

/*
* testPassword() - invoked to see if the password conforms to a user defined policy.
* Called whenever a user's password is reset.
*
* Parameters:
*
* password - the password to be tested.
* locale - the preferred locale of any error message.
*
* Output:
* The function should return true if the password meets the user defined password policy.
* If the password does not meet the user defined policy, then the function should return
* a string that describes what is wrong with the proposed password.
*
*/
function testPassword( password, locale)
{
if (password == 'test')
{
if (locale.substr( 0, 2) == 'de')
return 'Das Passwort kann nicht getestet werden!';
else if (locale.substr( 0, 2) == 'es')
return 'Contrase?a no puede ser prueba!';
else
return 'Password cannot be test!';

}
/*
* The getAttribute( attribute) function is available to access any FUP mapped profile
* attributes of the user. If the attribute is not mapped, or is not set, then
* getAttribute() will return null.
*/
if (getAttribute('Job-Department') == 'Sales' && password.indexOf( 'Sales') != -1)
return 'Password cannot contain Sales.';
else
return true;
}
/*
* generatePassword() - invoked when the generate password button is clicked in the
* Admin UI.
*
* Parameters:
*
* password - contains the password generated by the standard password policy rules
* for this policy. The generatePassword() function can use this password as
* a starting point.
*
* Output:
* The function should return a password that meets the custom password policy. If
* Standard Password Policy rules are enabled, the password must also conform to
* those rules.
*
*/
function generatePassword( password)
{
// override any generated password and return a random number between 0 and 1.
password = Math.random();
return password;
}
To create this policy
  • Select the Custom Password Policy check box on the Password Policy Details page. Enter the description and function name.
  • Copy and paste your JavaScript code into the custom Policy Script field.
  • Test the custom policy by clicking the Test button.
  • On the Test Password Policy page, enter the password to be tested against the custom policy then click the Test button
  • If policy validation succeeds, the message Password is valid displays. The entered password met the requirements in the custom JavaScript policy.
  • If policy validation fails, the message displayed is based on the JavaScript logic and error
    message in the JavaScript code.

Related articles

Comments

1 comment

Date Votes
  • Russell Jackson
    • Edited

    Does setting max password age to zero disable password expiration for a given policy? Would changing the policy retroactively affect users that had already changed their password under the existing policy?

    If not, how would one go about doing that?

    0

Please sign in to leave a comment.