Sun Identity Manager 8.1 Business Administrator's Guide

Setting Password Policies

Resource password policies establish the limitations for passwords. Strong password policies provide added security to help protect resources from unauthorized login attempts. You can edit a password policy to set or select values for a range of characteristics.

To begin working with password policies, click Security on the main menu, and then click Policies.

To edit a password policy, click it in the Policies list. To create a password policy, select String Quality Policy from the New list of options.


Note –

For more information on policies, see Configuring Identity Manager Policies.


Creating a Policy

Password policies are the default type for string quality policies. After naming and providing an optional description for the new policy, select options and parameters for the rules that define it.

Length Rules

Length rules set the minimum and maximum required character length for a password. Select this option to enable the rule, and then enter a limit value for the rule.

Policy Type

Choose one of the policy type buttons. If you choose the Other option, you must enter the type in the text field provided.

Character Type Rules

Character type rules establish the minimum and maximum number of characters of certain types that a password can include.

These include:

Enter a numeric limit value for each character type rule; or enter All to indicate that all characters must be of that type.

Minimum Number of Character Type Rules

You can also set the minimum number of character type rules that must pass validation, as illustrated in Figure 3–7. The minimum number that must pass is one. The maximum cannot exceed the number of character type rules that you have enabled.


Note –

To set the minimum number that must pass to the highest value, enter All.


Figure 3–7 Password Policy (Character Type) Rules

(Figure: setting the minimum number of character type rules that must pass validation.)
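The following is an added example, not Identity Manager's own code, that shows how the length rules, the character type rules and the "minimum number of character type rules that must pass" setting combine when a candidate password is validated. The character classes (alphabetic, numeric, uppercase, lowercase, special) and the rule and function names are assumptions made for the example; "All" is used as the page describes it, both as a per-rule limit and as the minimum number of rules that must pass.

```python
# Added example (not Sun Identity Manager code): a simplified evaluator for the
# length and character type rules of a string quality policy.
from dataclasses import dataclass
from typing import List, Optional, Union

ALL = "All"  # the literal value an administrator types to mean "all"

# Character classes are an assumption; the page only refers to "certain types".
CHAR_CLASSES = {
    "alphabetic": str.isalpha,
    "numeric": str.isdigit,
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "special": lambda c: not c.isalnum(),
}

Limit = Union[int, str]  # a count, or ALL


@dataclass
class CharTypeRule:
    char_type: str
    minimum: Limit = 0
    maximum: Optional[Limit] = None


def count_type(password: str, char_type: str) -> int:
    """Number of characters in the password that belong to the given class."""
    pred = CHAR_CLASSES[char_type]
    return sum(1 for c in password if pred(c))


def check_length(password: str, min_len: Optional[int], max_len: Optional[int]) -> List[str]:
    """Length rules: each limit is only enforced when it is enabled (not None)."""
    errors = []
    if min_len is not None and len(password) < min_len:
        errors.append(f"shorter than the minimum length of {min_len}")
    if max_len is not None and len(password) > max_len:
        errors.append(f"longer than the maximum length of {max_len}")
    return errors


def char_rule_passes(password: str, rule: CharTypeRule) -> bool:
    """A rule passes when the count of its type is within [minimum, maximum]."""
    n = count_type(password, rule.char_type)
    if rule.minimum == ALL:
        # "All" as a minimum means every character must be of this type.
        if n != len(password):
            return False
    elif n < rule.minimum:
        return False
    if rule.maximum is not None and rule.maximum != ALL and n > rule.maximum:
        return False
    return True


def evaluate_policy(password: str, min_len: Optional[int], max_len: Optional[int],
                    rules: List[CharTypeRule], min_rules_pass: Limit) -> List[str]:
    """Return a list of violations; an empty list means the password is acceptable."""
    # The minimum number of rules that must pass is at least one and cannot
    # exceed the number of enabled rules; "All" means every enabled rule.
    required = len(rules) if min_rules_pass == ALL else int(min_rules_pass)
    if rules and not 1 <= required <= len(rules):
        raise ValueError(f"minimum rules that must pass must be between 1 and {len(rules)}")

    errors = check_length(password, min_len, max_len)
    passed = [r.char_type for r in rules if char_rule_passes(password, r)]
    if len(passed) < required:
        errors.append(f"only {len(passed)} of {len(rules)} character type rules passed; "
                      f"{required} required")
    return errors


if __name__ == "__main__":
    rules = [CharTypeRule("numeric", 1), CharTypeRule("uppercase", 1), CharTypeRule("special", 1)]
    for candidate in ("Passw0rd", "password", "P@ss"):
        print(candidate, evaluate_policy(candidate, 8, 32, rules, 2))
```

With the three rules above and a minimum of two, "Passw0rd" is accepted (numeric and uppercase pass, special fails), "password" is rejected because no rule passes, and "P@ss" is rejected on length before the character type rules are even counted.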

Dictionary Policy Selection

You can choose to check passwords against words in a dictionary to guard against simple dictionary attacks.

Before you can use this option, you must:

You configure the dictionary from the Policies page. For more information about how to set up the dictionary, see What is a Dictionary Policy?.

Password History Policy

You can prohibit re-use of the passwords that were used immediately before a newly selected password.

In the Number of Previous Passwords that Cannot be Reused field, enter a numeric value greater than one to prohibit re-use of the current and preceding passwords. For example, if you enter a numeric value of 3, the new password cannot be the same as the current password or the two passwords used immediately before it.

You can also prohibit re-use of similar characters from passwords used previously. In the Maximum Number of Similar Characters from Previous Passwords that Cannot be Reused field, enter the number of consecutive characters from the previous password or passwords that cannot be repeated in the new password. For example, if you enter a value of 7, and the previous password was password1, then the new password cannot be password2 or password3.

If you enter a value of 0, then all characters must be different regardless of sequence. For example, if the previous password was abcd, then the new password cannot include the characters a, b, c, or d.

The rule can apply to one or more previous passwords. The number of previous passwords checked is the number specified in the Number of Previous Passwords that Cannot be Reused field.
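The following is an added example, not Identity Manager's own code, that implements the two history settings described above: the number of previous passwords that cannot be reused, and the maximum number of similar consecutive characters. The "similar characters" check is modelled as the longest run of consecutive characters shared by the new and the old password; treating a shared run of N or more characters as a violation (rather than strictly more than N) is an assumption about the exact boundary, and both readings give the page's result for the value 7 and the passwords password1 and password2. A value of 0 is implemented as the page describes it: no character of the old password may appear anywhere in the new one. The history is assumed to be stored most recent first, with the current password at index 0.

```python
# Added example (not Sun Identity Manager code): password history policy checks.
from typing import List, Optional, Sequence


def longest_common_run(a: str, b: str) -> int:
    """Length of the longest sequence of consecutive characters present in both strings."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def violates_similarity(new_password: str, old_password: str, max_similar: int) -> bool:
    """Apply the 'Maximum Number of Similar Characters' rule against one old password."""
    if max_similar == 0:
        # 0 means every character must differ, regardless of sequence.
        return bool(set(new_password) & set(old_password))
    # Assumption: a shared run of max_similar or more consecutive characters is a violation.
    return longest_common_run(new_password, old_password) >= max_similar


def check_history(new_password: str, history: Sequence[str], previous_count: int,
                  max_similar: Optional[int] = None) -> List[str]:
    """Return violations against the last `previous_count` passwords (history[0] is current)."""
    errors = []
    for i, old in enumerate(history[:previous_count]):
        label = "the current password" if i == 0 else f"the password used {i} change(s) before it"
        if new_password == old:
            errors.append(f"matches {label}")
        elif max_similar is not None and violates_similarity(new_password, old, max_similar):
            errors.append(f"shares too many characters with {label}")
    return errors


if __name__ == "__main__":
    # Constructed sample history, most recent first.
    history = ["password1", "winter2008", "spring2008", "autumn2007"]
    print(check_history("password2", history, 3, max_similar=7))   # rejected: 8 shared chars
    print(check_history("autumn2007", history, 3, max_similar=7))  # accepted: outside the 3 checked
    print(check_history("autumn2007", history, 4, max_similar=7))  # rejected: now within range
    print(check_history("xa", ["abcd"], 1, max_similar=0))          # rejected: reuses 'a'
```

The example also shows why the two fields interact: with a count of 3, the fourth-oldest password autumn2007 is not checked at all, so raising the count is what brings older passwords back under the similarity rule.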

Must Not Contain Words

You can enter one or more words that the password may not contain. In the entry box, enter one word on each line.

You can also exclude words by configuring and implementing the dictionary policy. For more information, see What is a Dictionary Policy?.

Must Not Contain Attributes

You can enter one or more attributes that the password may not contain.

You can specify the following attributes:

You can change the allowed set of “must not contain” attributes for passwords in the UserUIConfig configuration object. See Must Not Contain Attributes in Policies for more information.
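The following is an added example, not Identity Manager's own code, that applies the "must not contain words" and "must not contain attributes" rules together. The word list is taken in the form the entry box uses, one word per line. The attribute names (accountId, firstname, lastname, email) and the case-insensitive substring match are assumptions; the page does not list the attribute set, which comes from the UserUIConfig configuration object in the real product.

```python
# Added example (not Sun Identity Manager code): "must not contain" checks.
from typing import Dict, List


def parse_word_list(entry_box_text: str) -> List[str]:
    """The entry box holds one forbidden word per line; blank lines are ignored."""
    return [line.strip() for line in entry_box_text.splitlines() if line.strip()]


def forbidden_words_found(password: str, words: List[str]) -> List[str]:
    """Words that appear inside the password (assumption: case-insensitive substring)."""
    lowered = password.lower()
    return [w for w in words if w.lower() in lowered]


def forbidden_attributes_found(password: str, user_attrs: Dict[str, str],
                               forbidden_attrs: List[str]) -> List[str]:
    """Names of the user's attributes whose values appear inside the password.

    Attributes with no value are skipped, so an empty email never matches.
    """
    lowered = password.lower()
    hits = []
    for name in forbidden_attrs:
        value = (user_attrs.get(name) or "").strip()
        if value and value.lower() in lowered:
            hits.append(name)
    return hits


def check_must_not_contain(password: str, entry_box_text: str, user_attrs: Dict[str, str],
                           forbidden_attrs: List[str]) -> List[str]:
    """Return violations for both rules; an empty list means neither rule fired."""
    errors = [f"contains forbidden word '{w}'"
              for w in forbidden_words_found(password, parse_word_list(entry_box_text))]
    errors += [f"contains the user's {name}"
               for name in forbidden_attributes_found(password, user_attrs, forbidden_attrs)]
    return errors


if __name__ == "__main__":
    # Constructed sample configuration and user.
    entry_box = "summer\nwinter\n\ncompany\n"
    attrs = ["accountId", "firstname", "lastname", "email"]   # assumed attribute names
    user = {"accountId": "jdoe", "firstname": "John", "lastname": "Doe", "email": ""}
    for candidate in ("Summer2009!", "JohnDoe1!", "Jd0e#2009"):
        print(candidate, check_must_not_contain(candidate, entry_box, user, attrs))
```

Matching case-insensitively is the safer choice for a blacklist: "Summer2009!" should fail on the word summer regardless of how the administrator typed it, and a password built from the user's own name is weak whatever its capitalisation.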

Implementing Password Policies

Password policies are established for each resource. To put a password policy in place for a specific resource, select it from the Password Policy list of options, which is located in the Policy Configuration area of the Create or Edit Resource Wizard: Identity Manager Parameters pages.