4 Managing Password Policies

Organization administrators can associate a password policy to an organization. All password policies are created by System Administrators only. The organization administrators can select a relevant password policy from the password policies created by system administrators. A password policy set for an organization is applicable for that organization and all its suborganizations. If the suborganization-level administrator sets a different password policy for that organization, then the parent organization password policy is overridden by the new one, and is applicable to all suborganizations under this organization.Password policy priority determines which password policy is applicable for a user if the user is a member of multiple organizations. If the organizations are in hierarchy, then the password policy of the organization that is closest to the user is applicable even if the password policy associated with the parent organization has higher priority.During user creation, Oracle Identity Manager validates the password provided manually or autogenerated against the default password policy which is attached to the Top organization. When a user logs in for the first time and changes the password, the password policy with the highest priority that is applicable to the user's organization is applied.

This chapter describes password policy management in the following sections:

4.1 Searching Password Policies

To search for password policies:

  1. Login to Oracle Identity System Administration.

  2. In the left pane, under Policies, click Password Policy. The Password Policy page is displayed.

  3. For the Policy Name field, select a search operator from the list.

  4. In the Policy Name field, enter the policy name you want to search. If you want to list all existing password policies, then leave this field blank.

  5. Click Search. The password policies that match your search condition are displayed.

4.2 Creating a Password Policy

By creating password policies, you can:

  • Set password restrictions, for example, define the minimum and maximum length of passwords

  • See rules and resource objects that are associated with a password policy

Note:

In an environment in which LDAP synchronization is enabled, you must ensure one of the following:

  • Password policies set on Oracle Identity Manager must be more restrictive than password policies set on the LDAP server.

  • Password policies set on Oracle Identity Manager must match the password policies set on the LDAP server.

To create a password policy:

  1. In the Password Policy page, from the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Password Policy page is displayed, as shown in Figure 4-1:

    Figure 4-1 The Create Password Policy Page

    Description of Figure 4-1 follows
    Description of "Figure 4-1 The Create Password Policy Page"

  2. In the Policy Name field, enter the name of the password policy.

  3. In the Policy Description field, enter a short description of the password policy.

  4. In the Policy Rules tab, specify value in the fields to set the rules for the password policy. For a description of each field in the Policy Rules tab, see "Setting Password Policy Rules".

    Note:

    You can leave the fields blank in the Policy Rules tab, and click Apply to save the password policy. You can later open the password policy and set the policy rules by following the instructions in "Setting Password Policy Rules".

  5. Click Apply.

Note:

A password policy is not applied during the creation of an Oracle Identity Manager user through trusted source reconciliation.

4.3 Setting Password Policy Rules

Setting password policy rules involve specifying criteria for your password policy, for example, the minimum and maximum length of passwords.

You can use either or both of the following methods to set password restrictions:

  • Enter information in the appropriate fields, or select the required check boxes. For example, to indicate that a password must have a minimum length of four characters, enter 4 in the Minimum Length field.

  • In the Password File field, enter the directory path and name of the password policy file (for example, c:\Xellerate\userlimits.txt). This file contains predefined words that you do not want to be used as passwords. The delimiter specified in the File Delimiter field separates these words. The predefined words in the file cannot be used as passwords. For example, if the file contains the word welcome, then welcome, Welcome, and welcome123 are invalid passwords.

To set the rules for a password policy:

  1. In the Password Policy page, search and select the password policy that you want to open.

  2. From the Actions menu, select Open. Alternatively, click Open on the toolbar. The password policy details page is displayed.

    Note:

    You can also set the password policy rules at the time of creating the password policy.

  3. In the Policy Rules section, enter values in the fields, as listed in Table 4-1:

    Note:

    If a data field of the policy is empty, a password conforming to this policy does not have to meet the criteria of that field for the password to be valid. For example, when the Minimum Numeric Characters field is blank, Oracle Identity Manager will accept a password, regardless of the number of characters included in it.

    Table 4-1 Fields in the Policy Rules Section

    Field Name Description

    Minimum Length

    The minimum number of characters that a password must contain for the password to be valid.

    For example, if you enter 4 in the Minimum Length field, then the password must contain at least four characters.

    This field accepts values from 0 to 999.

    Minimum Password Age (Days)

    The minimum duration in days for which users can use a password.

    For example, if you enter 2 in the Minimum Password Age (Days) field, then the user cannot change the password before 2 days of creating the password.

    The value of this field must be less than the value of the Expires After (Days) field. For example, if you enter 30 in the Expires After (Days) field and 31 in the Minimum Password Age (Days) field, then an error is displayed.

    Warn After (Days)

    The number of days that must pass before a user is notified that the user's password will expire on a designated date.

    For example, you enter 30 in the Expires After (Days) field, and 20 in the Warn After (Days) field, and the password is created on November 1. On November 21, the user will be informed that the password will expire on December 1.

    This field accepts values from 0 to 999.

    Disallow Last Passwords

    The frequency at which old passwords can be reused. This policy ensures that users do not change back and forth among a set of common passwords.

    For example, if you enter 10 in the Disallow Last Passwords field, then users are allowed to reuse a password only after using 10 unique passwords.

    This field accepts values from 0 to 24.

    Expires After (Days)

    The maximum duration in days for which users can use a password.

    For example, if you enter 30 in the Expires After Days field, then users must change their passwords by the thirtieth day from when it was created or last modified.

    This field accepts values from 0 to 999.

    Note: After the number of days specified in the Expires After Days field passes, a message is displayed asking the user to change the password.


  4. Select any one of the following options:

    Note:

    You can configure either a default complex password policy or a custom password policy. If you select the Complex Password option, then you cannot use the Custom Policy option setup, and passwords will be evaluated against the complex password criteria.

    • Complex Password: Selecting this option sets the following complex password criteria:

      • The password is at least six characters long. This password length overrides the Minimum Length field if the value entered in the Minimum Length field is less than 6. For example, if you enter 2 in the Minimum Length field, at least six characters will be required for the password because it must have at least six characters according to the complex password criteria.

      • The password contains characters from at least three of the following five categories:

        - English Uppercase Characters (A - Z)

        - English Lowercase Characters (a - z)

        - Base 10 digits (0 - 9)

        - Non-alphanumeric characters (for example: !, $, #, or %)

        - Unicode characters

      • The password does not contain any of User ID, first name, or last name when their length is larger than 2.

        The names are parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, then the names are split and all sections are verified not to be included in the password. For example, if the user name is john-d, then d will not be checked in the password because its length is less than 2. Similarly, if the name is John Richard Doe, then the password cannot contain john, richard, or doe.

        When checking against the user's full name, characters such as commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs are treated as delimiters that separate the name into individual character sets. Each character set that has three or more characters is searched in the password. If the character set is present in the password, the password change is rejected. For example, the name John Richard-Doe is split into three character sets: John, Richard, and Doe. This user cannot have a password that consists of three continuous characters from either John or Richard or Doe anywhere in the password. However, the password can contain the substring d-D because the hyphen (-) is treated as the delimiter between the substrings Richard and Doe. In addition, the search for character sets in the password is not case-sensitive.

      Note:

      If the user's full name is less than three characters in length, the password is not checked against it because the rate at which passwords will be rejected is too high.

    • Custom Policy: If you select the Custom Policy option, you can set a custom password policy by using the fields listed in Table 4-2.

      Table 4-2 Fields in Custom Policy Section

      Field Name Description

      Maximum Length

      The maximum number of characters that a password can contain.

      For example, if you enter 8 in the Maximum Length field, then a password is not accepted if it has more than eight characters.

      This field accepts values from 1 to 999.

      Maximum Repeated Characters

      The maximum number of times a character can be repeated in a password.

      For example, if you enter 2 in the Maximum Repeated Characters field, then a password is not accepted if any character is repeated more than two times. For example, RL112211 would not be a valid password because the character 1 is repeated three times.

      Note: In this example, there are four occurrences of the character 1, which means that it is repeated three times.

      This field accepts values from 1 to 999.

      Minimum Numeric Characters

      The minimum number of digits that a password must contain.

      For example, if you enter 1 in the Minimum Numeric Characters field, then a password must contain at least one digit.

      This field accepts values from 0 to 999.

      Minimum Alphanumeric Characters

      The minimum number of letters or digits that a password must contain.

      For example, if you enter 6 in the Minimum Alphanumeric Characters field, then a password must contain at least six letters or numbers.

      This field accepts values from 0 to 999.

      Minimum Unique Characters

      The minimum number of nonrepeating characters that a password must contain.

      For example, if you enter 1 in the Minimum Unique Characters field, then a password is accepted if at least one character in the password is not repeated. For example, 1a23321 would be a valid password because the character a in the password is not repeated although the remaining characters are repeated.

      This field accepts values from 0 to 999.

      Minimum Alphabet Characters

      The minimum number of letters that a password must contain.

      For example, if you enter 2 in the Minimum Alphabet Characters field, then the password is not accepted if it has less than two letters.

      This field accepts values from 0 to 999.

      Special Characters: Minimum

      The minimum number of non-alphanumeric characters (for example, #, %, or &) that a password must contain.

      For example, if you enter 1 in the Special Characters: Minimum field, then a password must have at least one non-alphanumeric character.

      This field accepts values from 0 to 999.

      Special Characters: Maximum

      The maximum number of non-alphanumeric characters that a password can contain.

      For example, if you enter 3 in the Special Characters: Maximum field, then a password is not accepted if it contains more than three non-alphanumeric characters.

      This field accepts values from 1 to 999.

      Minimum Uppercase Characters

      The minimum number of uppercase letters that a password must contain.

      For example, if you enter 8 in the Uppercase Characters: Minimum field, then a password is not accepted if it contains less than eight uppercase letters.

      This field accepts values from 0 to 999.

      Minimum Lowercase Characters

      The minimum number of lowercase letters that a password must contain.

      For example, if you enter 8 in the Minimum Lowercase Characters field, then a password is not accepted if it has less than eight lowercase letters.

      This field accepts values from 0 to 999.

      Characters Required

      The characters that a password must contain.

      For example, if you enter x in the Characters Required field, then a password is accepted only if it contains the character x.

      The character you specify in the Characters Required field, must be mentioned in the Characters Allowed field. If you enter a character in the Characters Required field that is not mentioned in the Characters Allowed field, then an error is displayed stating that the required characters must be in the list of allowed characters, and required characters must not be in the list of not allowed characters.

      In addition, if you specify more than one character, then do not provide delimiters. Commas and white spaces are also considered as characters in this field. For example, if you specify characters such as a,x,c, then the password is not accepted unless it contains comma.

      Characters Allowed

      The characters that a password can contain.

      For example, if you enter the percent sign (%) in the Characters Allowed field, then a password is accepted if it contains a percent sign, given that all other criteria are met.

      Note: If any character is used in the password and that character is not in the Characters Allowed field, then the password will be rejected. For example, if the Characters Allowed field has "abc" and the password is "dad", then the password is rejected because "d" is not in the Characters Allowed field.

      If you specify the same character in the Characters Allowed and Characters Not Allowed fields, then an error message is returned when you create the password policy.

      Characters Not Allowed

      The characters that a password must not contain.

      For example, if you enter an exclamation point (!) in the Characters Not Allowed field, then a password is not accepted if it contains an exclamation point.

      Substrings Not Allowed

      A series of consecutive alphanumeric characters that a password must not contain.

      For example, if you enter IBM in the Substrings Not Allowed field, then a password is not accepted if it contains the letters I, B, and M, in successive order.

      Special Characters: Min

      The minimum number of special characters that a password must contain.

      For example, if you enter 2 in the Special Characters: Min field, then the password is not accepted if it has less than two special characters.

      The field accepts values from 0 to 999.

      Special Characters: Max

      The maximum number of special characters that a password can contain.

      For example, if you enter 5 in the Special Characters: Max field, then a password is not accepted if it has more than five special characters.

      This field accepts values from 1 to 999.

      Unicode Characters: Min

      The minimum number of Unicode characters that a password must contain.

      For example, if you enter 3 in the Unicode Characters: Minimum field, then the password is not accepted if it has less than three Unicode characters.

      This field accepts values from 0 to 999.

      Unicode Characters: Max

      The maximum number of Unicode characters that a password can contain.

      For example, if you enter 8 in the Unicode Characters: Maximum field, then a password is not accepted if it has more than eight Unicode characters.

      This field accepts values from 1 to 999.

      Start With Alphabet

      Whether or not the password must begin with a letter.

      For example, if you select this option, then the password 123welcome is not accepted because the password does not begin with a letter. However, if you do not select this option, then the password can begin with a letter, numeric digit, or special character.

      Disallow User ID

      This check box specifies if the user ID will be accepted as the whole password or as part of the password.

      When this check box is selected, a password will not be valid if the user ID is entered in the Password field. In addition, the password is not valid if the user ID occurs as a part of the password specified in the Password field.

      If you deselect this check box, the password will be accepted, even if it contains the user ID.

      Disallow First Name

      This check box specifies if the user's first name will be accepted as the whole password or as part of the password.

      When this check box is selected, a password will not be valid if the user's first name is entered in the Password field. In addition, the password is not valid is the first name is entered as a part of the password.

      If you deselect this check box, then the password will be accepted, even if it contains the user's first name.

      Disallow Last Name

      This check box specifies if the user's last name will be accepted as the whole password or as part of the password.

      When this check box is selected, a password will not be valid if the user's last name is entered in the Password field. In addition, the password is not valid is the last name is entered as a part of the password.

      If you deselect this check box, then the password is accepted, even if it contains the user's last name.

      Password File

      The path and name of a file that contains predefined terms, which are not allowed as passwords. The file must be stored on the same host on which Oracle Identity Manager is deployed.

      Note: The settings on the Policy Rules tab get precedence over the specifications in the password file. For example, a disallowed term of the password file is used in the policy when no disallowed term is specified in the Policy Rules tab.

      Password File Delimiter

      The delimiter character used to separate terms in the password file.

      For example, if a comma (,) is entered in the Password File Delimiter field, then the terms in the password file will be separated by commas.

      Note: There are no escape characters defined to be used in password policies.


  5. Click Apply to save the password policy.

Note:

After creating a password policy, you must associate the policy with an organization. The rules of the policy will be applied for the users of that organization and its suborganizations. For information about associating password policies to organizations, see "Creating an Organization" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager.

4.4 Deleting a Password Policy

To delete a password policy:

  1. In the Password Policy page, search and select a password policy that you want to delete.

  2. From the Actions menu, select Delete. Alternatively, click Delete on the toolbar. A message is displayed asking for confirmation.

  3. Click Yes to confirm the deletion.