54.8 Password Generation Policies

Password policies facilitate user logons while ensuring the organization's security. The Access Portal Service lets administrators set policies that control automatic password generation.

Most applications have constraints for passwords: how long they can or must be, whether they must or must not include numbers or symbols, and so on. The Access Portal Service's password generation feature improves application logon security by automatically creating passwords made up of random characters according to predefined sets of constraints, stored as password policies. Each policy can apply to multiple applications or subscribers.

Using predefined password policies, you can completely automate password changes and implement sophisticated security schemes, including complex passwords and application-specific passwords unknown to users.

To manage password generation policies, click Federation at the top of the Administrative Console, then click Password Generation Policies in the Access Portal Service section. A new tab containing options to search and create opens.

Figure 54-1 Password Generation Policies Search/Create Tab


54.8.1 Searching for an Existing Password Generation Policy

You can search for an existing password generation policy.

To search:

  1. Enter a name or partial string in the Name field, and click the Search button. The results appear in the Search Results table.
  2. Click any policy in the Search Results list to edit the policy configuration. Continue to step 3 in the next section to learn more about configuring these settings.

54.8.2 Creating a New Password Generation Policy

You can create a new password generation policy.

To create a new password generation policy:

Figure 54-2 New Password Generation Policy Summary Tab

  1. Click the Create Password Generation Policy button to launch the New Password Policy tab, which contains two sub-tabs:
    • Summary

    • Password Constraints

  2. On the Summary tab, enter the following information:
    • A distinct name for the policy.

    • (Optional) A meaningful description to identify the policy.

    • (Optional) Internal reference information describing the version/variant of the policy.

  3. Click the Password Constraints tab.

    Note:

    If you would like to specify your password constraints using regular expressions, enter the desired REGEX string into the Regular Expressions Constraint field. Doing so will override and disable the manual constraint options listed below (except the Previous Password Constraints options).

  4. On the Password Constraints tab, specify the following:
    • Length Constraints

      • The minimum password length. Options are 1-128. Default is 8 characters.

      • The maximum password length. Options are 1-128. Default is 8 characters.

    • Alphabetic Characters

      • Check the box to allow uppercase characters. If you check the box, you must specify the minimum number required. Default is 0.

      • Check the box to allow lowercase characters. If you check the box, you must specify the minimum number required. Default is 0.

    • Special Characters

      • Check the box to allow non-alphabetical and/or non-numeric characters. If you check the box, you must specify the minimum and maximum number permitted. Default minimum is 0. Default maximum is 8.

      • Check the box(es) to allow a special character to start and/or end a password.

    • Excluded Characters

      • Enter a list of specific characters to exclude from a password. Do not use any delimiters.

    • Repeat Constraints

      • Enter the maximum number of times a given character can be repeated in a password (in any position). Options are 0-127. Default is 7.

      • Enter the number of times a given character can be repeated consecutively (adjacent to itself). Options are 0-127. Default is 7.

    • Numeric Characters

      • Check the box to allow numeric characters. If you check the box, you must specify the minimum and maximum number permitted. Default minimum and maximum are 0.

      • Check the box(es) to allow a numeric character to start and/or end a password.

    • Other Characters

      • Check to allow other characters to be included in a password.

    • Previous Password Constraints

      • Disallow use of previous password. Check the box to prohibit reusing the previous password entirely.

      • Limit use of previous password characters. Select to limit repetition of characters from the previous password.

      • Maximum previous password characters. If you checked the previous box to permit usage of some previous password characters, select the maximum number of characters to allow.

      Note:

      The Access Portal Service recognizes multiple occurrences of a character as the same character and will therefore permit more than one occurrence of that character in the new password.

      So, if the previous password contained three "A"s, and you specify that one character from the previous password can repeat, the Access Portal Service will allow more than one instance of "A" in the new password.

  5. Click Save to complete policy configuration, or Cancel to close the tab without saving the policy.
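The following is an added example, not Oracle's code: a Python sketch of how a policy built from the constraints in step 4 can drive random password generation and validation, including the distinct-character reading of the previous-password note. Field names, the `SPECIALS` set, and the reading of "repeated" as occurrences beyond the first are assumptions; the allow check boxes and start/end options are not modelled.

```python
import secrets
import string
from collections import Counter
from dataclasses import dataclass
from itertools import groupby

SPECIALS = "!@#$%^&*-_=+"  # constructed set; the page does not enumerate one

@dataclass
class Policy:
    """Hypothetical field names mirroring the Password Constraints tab."""
    min_len: int = 8
    max_len: int = 8
    min_upper: int = 0
    min_lower: int = 0
    special: tuple = (0, 8)   # (min, max) special characters
    numeric: tuple = (0, 0)   # (min, max) numeric characters
    excluded: str = ""        # no delimiters, as on the page
    max_repeat: int = 7       # assumed: occurrences beyond the first, any position
    max_adjacent: int = 7     # assumed: consecutive occurrences beyond the first
    max_prev_chars: int = -1  # -1: previous-password limit switched off

def violations(pw, p, previous=None):  # names of the constraints pw breaks
    count = lambda chars: sum(ch in chars for ch in pw)
    checks = {
        "length": p.min_len <= len(pw) <= p.max_len,
        "uppercase": count(string.ascii_uppercase) >= p.min_upper,
        "lowercase": count(string.ascii_lowercase) >= p.min_lower,
        "special": p.special[0] <= count(SPECIALS) <= p.special[1],
        "numeric": p.numeric[0] <= count(string.digits) <= p.numeric[1],
        "excluded": count(p.excluded) == 0,
        "repeat": max(Counter(pw).values(), default=1) - 1 <= p.max_repeat,
        "adjacent": max((len(list(g)) for _, g in groupby(pw)), default=1) - 1
                    <= p.max_adjacent,
    }
    if previous is not None and p.max_prev_chars >= 0:
        # Distinct characters only: three "A"s in the old password count once.
        checks["previous"] = len(set(pw) & set(previous)) <= p.max_prev_chars
    return [name for name, ok in checks.items() if not ok]

def generate(p, previous=None, tries=10_000):  # CSPRNG + rejection sampling
    pool = (string.ascii_letters + (string.digits if p.numeric[1] else "")
            + (SPECIALS if p.special[1] else ""))
    pool = [ch for ch in pool if ch not in p.excluded]
    for _ in range(tries):
        n = p.min_len + secrets.randbelow(p.max_len - p.min_len + 1)
        pw = "".join(secrets.choice(pool) for _ in range(n))
        if not violations(pw, p, previous):
            return pw
    raise ValueError("no password found; the policy may be unsatisfiable")
```

Rejection sampling keeps the output uniform over the passwords the policy accepts, so each added constraint shrinks the search space an attacker who knows the policy has to cover.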

Figure 54-3 Password Constraints Tab of a Password Generation Policy


54.8.3 Managing Policy Subscribers

Applications that use a password generation policy are called subscribers. You can add subscribers during creation of the policy or at any time thereafter. Following is the procedure to add subscribers to a policy.

To manage policy subscribers:

Figure 54-4 Add Applications Dialog

  1. On the Password Generation Policy Summary page, click the Add icon. The Add Applications dialog appears.
  2. In the Name field, enter a name or text string and click Search. You can also leave this field blank to return every available application.
  3. After a search, all applications that fit your search criteria appear in the Available Applications list. For each application, the list includes any policy to which it subscribes.
  4. Select one or more applications from the Available Applications list, and click Add Selected. Or simply click Add All to add every application returned by the search.

    If you select an application that is already a subscriber to another policy, it will no longer be subscribed to the other policy.

  5. Click Add when you are finished, or Cancel to dismiss the dialog without making changes.
  6. Click Save to save your policy.