
Working With Passwords

This section discusses how to:

Setting Password Controls

Access the Password Controls page (select PeopleTools, then select Security, then select Password Configuration, then select Password Controls).

Image: Password Controls page

This example illustrates the fields and controls on the Password Controls page.


You use the Password Controls page to set any password restrictions, such as duration or minimum password length, that you want to impose on your end users. These options apply when you are maintaining your user profiles within PeopleSoft applications, not within a directory server.

Signon PeopleCode

Enabled

Select to enable the PeopleSoft password expiration and account lockout fields. The other password controls are not enabled by this box.

If you do not want these password controls, for example, because you already have a third-party utility that provides equivalent features, then do not select this check box.

Note: If you change the status of the Enabled check box, you must restart the application server.

You can extend or customize the controls by modifying the PeopleCode.

Password Expiration

Never Expires

Select to disable password expiration options for all users.

Expires in

Select to enable password expiration options for all users.

You must enter a value between 1 (the default value) and 365 in the Days field to specify the number of days that a password is valid. Users signing on after a password expires must change their password to sign in.

You must select a warning option.

Without Warning

Select to disable notification of impending password expiration.

Warn for

Select to enable notification of impending password expiration.

The value that you enter in the Days field determines when the system begins notifying users of impending password expiration.

PeopleSoft delivers a default permission list named PSWDEXPR (Password Expired). When a user's password expires, the system automatically removes all of the user's roles and permission lists, and temporarily assigns them the PSWDEXPR permission list only.

A user whose password has expired can access only items in the PSWDEXPR permission list, which typically grants access to only the Change Password component (CHANGE_PASSWORD). For the duration of the session, that is, until the user changes the password, the user is restricted solely to the PSWDEXPR permission list.

Note: The actual user profile stored in the database is not changed in any way when the password expires. You do not need to redefine the profile. When the password is changed, the system restores the user profile's previous roles and permission lists.

Account Lockout

Failed Logons

Enter the maximum number of failed sign-in attempts to allow before the system disables the user profile. For example, if you set the Failed Logons value to 3, and a user fails three sign-in attempts, she is automatically locked out of the system. Even if she correctly enters a user ID and password on the fourth attempt, she is not permitted to sign in. This feature reduces the risk of any intruders using brute force to break into your system.

After an account is locked out, a system administrator must open the user profile and deselect the Account Locked check box manually.

Password May Match

User ID

Select to enable users to use their own user ID as a password.

Primary Email

Select to enable users to use the email address that is associated with their user profile (as designated by the Primary Email Account check box on the Email Address page) as a password.

Note: Clearing these controls helps you prevent hackers from guessing passwords based on a list of employee names.

Requirements

Use these fields to specify the number and types of characters that passwords must include. Passwords can include up to 32 characters.

Minimum Length

Enter the minimum number of characters that a user must enter when creating a password. If the minimum length is set to 0, then the PeopleSoft password controls do not enforce a minimum length on the password; however, the password cannot be blank. When you create a new user or a user changes a password, the system checks this value. If it is not zero, the system tests the password to ensure that it meets the length requirement; if it does not, an error message appears.

Specials

Enter the required number of special characters that the password must include.

The allowable special characters are:

! @ # $ % ^ & * ( ) - _ = + \ | [ ] { } ; : / ? . > <

Digits

Enter the required number of integers, such as 1 or 2, that the password must include.

Lower Case

Enter the required number of minuscule letters, such as 'q' or 'i,' that the password must include.

Upper Case

Enter the required number of majuscule letters, such as 'Q' or 'I,' that the password must include.

Leading, intermediate, and trailing white spaces are not supported in PeopleSoft passwords. If you want to include intermediate white spaces, you must comment out the following USERMAINT.GBL.PSOPRDEFN.SaveEdit Component PeopleCode:

&find = Find(" ", PSOPRDEFN.OPRID);
If &find > 0 Then
   Error MsgGet(48, 14, "Message not found.");
End-If;

Warning! When these statements are commented out, users can include white spaces in passwords. Although you can use the preceding PeopleCode modification as a workaround, it is strongly recommended that you not do so. This modification can cause unexpected behaviors that are problematic for batch processes, upgrades, application server configuration files, and two-tier applications, such as PeopleSoft Application Designer, Data Mover, and Application Engine.
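
The following Python sketch is an added example, not PeopleSoft code. It models the Requirements and Password May Match controls described above so that a proposed policy can be tried against sample passwords before it is configured. The class and field names, the ASCII character classes, the case-insensitive match, and the defaults are assumptions of the sketch.

```python
import string
from dataclasses import dataclass

# Special characters exactly as listed on the Password Controls page.
SPECIALS = set("!@#$%^&*()-_=+\\|[]{};:/?.><")
MAX_LENGTH = 32  # "Passwords can include up to 32 characters."

@dataclass
class PasswordControls:
    # Hypothetical field names mirroring the page labels; defaults are not PeopleSoft's.
    min_length: int = 0
    specials: int = 0
    digits: int = 0
    lower_case: int = 0
    upper_case: int = 0
    may_match_user_id: bool = False
    may_match_primary_email: bool = False

def check_password(pw, user_id, primary_email, c):
    """Return the list of violated controls; an empty list means the password passes."""
    if not pw:
        return ["blank"]  # a blank password is rejected even when min_length is 0
    errors = []
    if any(ch.isspace() for ch in pw):
        errors.append("whitespace")  # leading, intermediate, trailing all unsupported
    if len(pw) > MAX_LENGTH:
        errors.append("max_length")
    if c.min_length and len(pw) < c.min_length:
        errors.append("min_length")
    # ASCII-only character classes are an assumption of this sketch.
    counts = {
        "specials": sum(ch in SPECIALS for ch in pw),
        "digits": sum(ch in string.digits for ch in pw),
        "lower_case": sum(ch in string.ascii_lowercase for ch in pw),
        "upper_case": sum(ch in string.ascii_uppercase for ch in pw),
    }
    for name, have in counts.items():
        if have < getattr(c, name):
            errors.append(name)
    # Case-insensitive comparison is an assumption of this sketch.
    if not c.may_match_user_id and pw.lower() == user_id.lower():
        errors.append("matches_user_id")
    if (not c.may_match_primary_email and primary_email
            and pw.lower() == primary_email.lower()):
        errors.append("matches_primary_email")
    return errors

# Constructed sample policy for trying the checker.
POLICY = PasswordControls(min_length=8, specials=1, digits=1, lower_case=1, upper_case=1)
```

A comma, quotation mark, or tilde does not count toward the Specials requirement because those characters are not in the allowable list.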

Password History

Passwords to Retain

Enter the number of user passwords to retain in the password history table (PSPSWDHISTORY). If the user attempts to reuse a password that is stored in the password history table, the application issues an error and prompts the user to enter a different password.

When the number of retained passwords for a user surpasses the number indicated in the Passwords to Retain field, the system deletes the oldest password and then stores the current password as the newest password.

Note: If the password history table contains values and you change the Passwords to Retain field value to 0, the system deletes the password history for all users.

Purge User Profiles

Days of Inactivity

Enter the maximum number of days that a user can go without accessing the application, after which the system marks the profile as inactive. After you set the value and save the page, click the Schedule button to access and automate the PURGEOLDUSRS Application Engine program that performs the delete process.

If you maintain user profiles in a directory server, a row is added to the PSOPRDEFN table for the system to access while the user interacts with the system. However, when the user is deleted from the directory server, you must manually delete the row in PSOPRDEFN associated with the deleted user profile.

Changing Passwords

Access the Change My Password page (from the homepage, click Change My Password). The PeopleSoft system enables users to change their passwords as needed.

Image: Change Password page

This example illustrates the fields and controls on the Change Password page.


To change a PeopleSoft password:

  1. From the homepage, click Change My Password.

  2. On the Change Password page, enter the current password in the Current Password field.

  3. In the New Password field, enter a new password.

  4. Confirm the new password by entering it again in the Confirm Password field.

  5. Click Change Password.

Creating Email Text for Forgotten Passwords

Before the system emails a new, randomly generated password to a user, you want to make sure they are who they claim to be. The Forgotten Password feature enables you to pose a standard question to users requesting a new password to verify the user's authenticity. If the user enters the appropriate response, then the system automatically emails a new password.

When a user has forgotten a PeopleSoft password, the system sends the user a new password within an email message. You can have numerous password hints, but typically, you send all new passwords using the same email message template. Because of this, PeopleSoft provides a separate page just for composing the standard email text that you use for your template.

Access the Forgot My Password Email Text page (select PeopleTools, then select Security, then select Password Configuration, then select Forgot My Password Email Text).

Image: Forgot My Password Email Text page

This example illustrates the fields and controls on the Forgot My Password Email Text page.


Add the following text string in the Email Text field:

<<%PASSWORD>>

The system inserts the new password here. The %PASSWORD variable resolves to the generated value.

Note: You might instruct the user to change the password to something easier to remember after they sign in to the system with the randomly generated password. Only users who have the Allow Password to be Emailed option enabled on the Permission List - General page can receive a new password using this feature.

Creating Hints for Forgotten Passwords

Access the Forgot My Password Hint page (select PeopleTools, then select Security, then select Password Configuration, then select Forgotten Password Hint).

Image: Forgot My Password Hint page

This example illustrates the fields and controls on the Forgot My Password Hint page.


With these hints set up, users can access the Forgot My Password page. If the user answers the question correctly, a new password is sent through the email system.

To create a forgotten password hint:

  1. Click Add a New Value.

  2. On the Add a New Value page, enter a three-character ID in the Password Hint ID field.

  3. Click Add.

  4. Select the Active check box.

  5. Enter your question to verify that the user is who he or she claims to be.

  6. Click Save.

Deleting Hints for Forgotten Passwords

To delete a password hint:

  1. Select PeopleTools, then select Security, then select User Profiles, then select Delete Forgotten Password Hint.

  2. Enter the specific code for the hint or perform a search for it.

  3. On the Delete Forgot My Password Hint page, select the appropriate hint.

  4. Click Delete.

Setting Up the Site for Forgotten Passwords

PeopleSoft recommends setting up a site specifically designed for users who have forgotten their passwords. This site would require no password to enter, but it would provide access only to forgotten password pages.

To set up a forgotten password site:

  1. Set up a separate PeopleSoft Pure Internet Architecture site on your web server.

  2. Set up a direct connection to the site, such as a link to it.

  3. In the web profile, enable public access and specify a public user ID and password for automatic authentication.

    This direct user should have limited access, for example, only to the Email New Password component. Users go directly to it, and a new password is emailed.

  4. Place a link to the forgotten password site within the public portion of the PeopleSoft portal or on another public web site.

  5. Notify your user community of the link.

Note: The site should have this format: http://webserver/psp/sitename/portalname/localnodename/c/MAINTAIN_SECURITY.EMAIL_PSWD.GBL?

Requesting New Passwords

Before the system can email the user a new password, complete these tasks:

  • Create a forgotten password hint.

  • Specify an email address in the user profile.

  • Grant permission to have a new password emailed.

    Note: The security administrator must select the Allow Password to be Emailed check box in at least one of the user's permission lists. If this setting is not selected, the user is not allowed to receive the new password through email. If the user is allowed to receive new passwords through email, the user can request a new password.

See Setting General Permissions.

To request a new password:

  1. Click the Forgotten Password link on the PeopleSoft signon page (or direct the user to the Forgotten Password link).

  2. On the Forgot My Password page, enter your user ID.

  3. Click Continue.

  4. On the Email New Password page, verify that the system is set to send the new password to the appropriate email address.

    If the appropriate email address does not appear, contact your system administrator. System administrators must make sure that the email address is correctly represented for each user who intends to use this feature.

    Note: Use Application Designer to change any display properties of the fields on the EMAIL_PSWD2 page.

  5. Respond to the user validation question.

    Note: The user must have set up the forgotten password help.

    See Changing Your Password.

  6. Click Email New Password.