Working With Passwords

This section discusses how to:

  • Set password controls.

  • Change passwords.

  • Create hints for forgotten passwords.

  • Delete hints for forgotten passwords.

  • Define answers for forgotten password hints.

  • Create email text for forgotten passwords.

  • Create email text for incorrect hint responses.

  • Set up the site for forgotten passwords.

  • Request new passwords.

Access the Password Controls page (PeopleTools > Security > Password Configuration > Password Controls).

Image: Password Controls page

This example illustrates the fields and controls on the Password Controls page. You can find definitions for the fields and controls later on this page.


You use the Password Controls page to set any password restrictions, such as duration or minimum password length, that you want to impose on your end users. These options apply when you are maintaining your user profiles within PeopleSoft databases.

Important! PeopleTools delivers the Password Controls page with a number of default field values. When you perform a standard database installation the default values are set. The default values are not automatically set during an upgrade.

The following tables describe the fields on the Password Controls page, including any default field values delivered.

Password May Match

Field or Control

Definition

User ID

Select to enable users to use their own user ID as a password.

By default the control is not selected and users cannot use their user ID as a password.

Primary Email

Select to enable users to use the email address that is associated with their user profile (as designated by the Primary Email Account check box on the Email Address page) as a password.

By default the control is not selected and users cannot use their email address as a password.

Note: Clearing these controls helps you prevent hackers from guessing passwords based on a list of employee names.

Requirements

Use these fields to specify the number and types of characters that passwords must include. Passwords can include up to 32 characters.

Field or Control

Definition

Minimum Length

Enter the minimum number of characters that a user must enter when creating a password.

The default value is 8 characters.

If the minimum length is set to 0, then the PeopleSoft password controls do not enforce a minimum length on the password; however, the password cannot be blank. When you create a new user or a user changes a password, the system checks this value. If it is not zero, then the system tests the password to ensure it meets length requirements and if it does not, an error message appears.

Specials

Enter the required number of special characters that the password must include.

The default value is 0.

The allowable special characters are:

! @ # $ % ^ & * ( ) - _ = + \ | [ ] { } ; : / ? . > <

Digits

Enter the required number of integers, such as 1 or 2, that the password must include.

The default value is 0.

Lower Case

Enter the required number of minuscule letters, such as 'q' or 'i,' that the password must include.

The default value is 0.

Upper Case

Enter the required number of majuscule letters, such as 'Q' or 'I,' that the password must include.

The default value is 0.

By default, leading, intermediate, and trailing white spaces are not supported in PeopleSoft passwords. If your security policy requires that you allow intermediate white spaces, you must comment out the following USERMAINT.GBL.PSOPRDEFN.SaveEdit Component PeopleCode:

    &find = Find(" ", PSOPRDEFN.OPRID);
    If &find > 0 Then
       Error MsgGet(48, 14, "Message not found.");
    End-If;

Warning! When these statements are commented out, users can include intermediate white spaces in passwords. Although you can use the preceding PeopleCode modification as a workaround, it is strongly recommended that you not do so. This modification can cause unexpected behaviors that are problematic for batch processes, upgrades, application server configuration files, and two-tier applications, such as PeopleSoft Application Designer, Data Mover, and Application Engine.

Hint Responses

Field or Control

Definition

Seconds Delay Between

This setting controls the length of time to wait between processing consecutive hint responses, regardless of whether the response is correct.

The default value is 0.

Password History

Field or Control

Definition

Passwords to Retain

Enter the number of user passwords to retain in the password history table (PSPSWDHISTORY).

The default value is 0.

If the user attempts to reuse a password that is stored in the password history table, the application issues an error and prompts the user to enter a different password.

When the number of retained passwords for a user surpasses the number indicated in the Passwords to Retain field, the system deletes the oldest password and then stores the current password as the newest password.

Note: If the password history table contains values and you change the Passwords to Retain field value to 0, the system deletes the password history for all users.

Purge User Profiles

Field or Control

Definition

Days of Inactivity

Enter the maximum number of days that a user can go without accessing the application, after which the system marks the profile as inactive.

By default the field is blank.

After you set the value and save the page, click the Schedule button to access and automate the PURGEOLDUSRS Application Engine program that performs the delete process.

If you maintain user profiles in a directory server, a row is added to the PSOPRDEFN table for the system to access while the user interacts with the system. However, when the user is deleted from the directory server, you must manually delete the row in PSOPRDEFN associated with the deleted user profile.

Signon PeopleCode

Field or Control

Definition

Enabled

Select the box to enable the PeopleSoft Password Expiration and Account Lockout fields.

By default this option is Enabled.

You must restart the application server whenever you change this setting.

You can extend or customize the controls by modifying the PeopleCode.

Password Expiration

Use the controls in this section to manage password expiration options:

  • Never Expires: Select to disable password expiration options for all users.

  • Expires In: (Default.) Select to set password expiration options for all users.

    • Days: You must enter a value between 1 and 365 in the Days field to specify the number of days that a password is valid.

      The default value is 180 days.

      Users signing on after a password expires must change their password to sign in.

      You must select a warning option.

    • Without Warning: (Default.) Select to disable notification of impending password expiration.

    • Warn For: Select to enable notification of impending password expiration.

      The value that you enter in the Days field determines when the system begins notifying users of impending password expiration.

      The default value is 5.

PeopleSoft delivers a default permission list named PSWDEXPR (Password Expired). When a user's password expires, the system automatically removes all of the user's roles and permission lists, and temporarily assigns them the PSWDEXPR permission list only.

A user whose password has expired can access only items in the PSWDEXPR permission list, which typically grants access to only the Change Password component (CHANGE_PASSWORD). For the duration of the session, as in until the user changes the password, the user is restricted solely to the PSWDEXPR permission list.

Note: The actual user profile stored in the database is not changed in any way when the password expires. You do not need to redefine the profile. When the password is changed, the system restores the user profile's previous roles and permission lists.

Account Lockout

Failed Logons: Enter the maximum number of failed sign in attempts to allow before the system disables the user profile.

The default value is 5.

For example, if you set the Failed Logons value to 3, and a user fails three sign in attempts, she is automatically locked out of the system. Even if she correctly enters a user ID and password on the fourth attempt, she is not permitted to sign in. This feature reduces the risk of any intruders using brute force to break into your system.

After an account is locked out, a system administrator must open the user profile and deselect the Account Locked check box manually.
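The Password Expiration and Account Lockout rules interact at sign-on: a locked profile is refused even with the correct password, and an expired password leaves the session with PSWDEXPR only. The following added example models those outcomes; it is not the delivered Signon PeopleCode. The class and field names are hypothetical, and the counter reset on success and the exact expiry boundary day are assumptions.

```python
# Added example: a model of the documented sign-on outcomes, not PeopleCode.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class SignonControls:            # hypothetical names, delivered defaults
    expires_in_days: int = 180   # 0 models the Never Expires option
    warn_for_days: int = 0       # 0 models the Without Warning option
    failed_logons: int = 5


@dataclass
class Account:                   # hypothetical stand-in for a user profile
    last_password_change: date
    failed_count: int = 0
    account_locked: bool = False


def sign_on(acct, password_ok, today, controls):
    """Return the outcome of one sign-in attempt and update lockout state."""
    if acct.account_locked:
        # A correct password does not help once the profile is locked.
        return "denied: Account Locked"
    if not password_ok:
        acct.failed_count += 1
        if acct.failed_count >= controls.failed_logons:
            acct.account_locked = True
        return "denied: invalid credentials"
    acct.failed_count = 0        # reset on success is an assumption
    if controls.expires_in_days:
        expires_on = acct.last_password_change + timedelta(
            days=controls.expires_in_days)
        if today >= expires_on:  # exact boundary day is an assumption
            # Session is limited to PSWDEXPR until the password is changed.
            return "restricted: PSWDEXPR only"
        days_left = (expires_on - today).days
        if controls.warn_for_days and days_left <= controls.warn_for_days:
            return f"ok: password expires in {days_left} day(s)"
    return "ok"
```
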

Access the Change My Password page (from the homepage, click Change My Password). The PeopleSoft system enables users to change their passwords as needed.

Image: Change Password page

This example illustrates the fields and controls on the Change Password page.


To change a PeopleSoft password:

  1. From the homepage, click Change My Password.

  2. On the Change Password page, enter the current password in the Current Password field.

  3. In the New Password field, enter a new password.

  4. Confirm the new password by entering it again in the Confirm Password field.

  5. Click Change Password.

Use the Forgot My Password Hint page to define questions for users to answer as a means to authenticate themselves if they forget their password.

(The Change or Set Up Forgotten Password Help page is where users select the security question and enter their answer into the system. See Defining Answers for Forgotten Password Hints.)

You can set up multiple questions, but users can select only one question to answer.

To access the Forgot My Password Hint page (PSPSWDHINT) select PeopleTools > Security > Password Configuration > Forgotten Password Hint.

Image: Forgot My Password Hint page

This example illustrates the fields and controls on the Forgot My Password Hint page. You can find definitions for the fields and controls later on this page.


With these hints set up, users can access the Forgot My Password page. If the user answers the question correctly, a new password is sent through the email system.

To create a forgotten password hint:

  1. Click Add a New Value.

  2. On the Add a New Value page, enter a three-character ID in the Password Hint ID field.

  3. Click Add.

  4. Select the Active check box.

  5. In the Question field, enter the question to use as a password hint.

  6. Click the Save button.

To delete a password hint:

  1. Select PeopleTools > Security > User Profiles > Delete Forgotten Password Hint.

  2. Enter the specific code for the hint or perform a search for it.

  3. On the Delete Forgot My Password Hint page, select the appropriate hint.

  4. Click Delete.

Use the Change or Set Up Forgotten Password Help page (USER_PSWDHINT) to define an answer to a predefined password hint question set up by the system administrator.

If you forget your password, the system will present you with a security question. When you provide the answer, the system emails you instructions to reset your password.

To access the Change or Set Up Forgotten Password Help page, select My System Profile

Image: Change or set up forgotten password help page

This example illustrates the fields and controls on the Change or set up forgotten password help page. You can find definitions for the fields and controls later on this page.


Field or Control

Definition

Question

This field contains the security question set up by the administrator.

Response

Enter the answer to the question.

Before the system emails a new, randomly generated password to a user, you want to make sure they are who they claim to be. The Forgotten Password feature enables you to pose a standard question to users requesting a new password to verify the user's authenticity. If the user enters the appropriate response, then the system automatically emails a new password.

When a user has forgotten a PeopleSoft password, the system sends the user a new password within an email message. You can have numerous password hints, but typically, you send all new passwords using the same email message template. Because of this, PeopleSoft provides a separate page just for composing the standard email text that you use for your template.

To access the Forgot My Password Email Text page select PeopleTools > Security > Password Configuration > Forgot My Password Email Text and click the Forgot My Password Email Text tab.

Image: Forgot My Password Email Text page

This example illustrates the fields and controls on the Forgot My Password Email Text page.


Add the following text string in the Email Text field:

<<%PASSWORD>>

The system inserts the new password here. The %PASSWORD variable resolves to the generated value.

Note: You might instruct the user to change the password to something easier to remember after they sign in to the system with the randomly generated password. Only users who have the Allow Password to be Emailed option enabled on the Permission List - General page can receive a new password using this feature.

For example:

Your new password is <<%PASSWORD>>.

To change this system-generated password, from the Main Menu click the Change Password link.

If a user provides an incorrect response to a password hint question, the PeopleSoft system can automatically send an email notification to the user indicating that they provided an incorrect response.

Use the Incorrect Hint Response Email Text page (EMAILHINTFAIL) to compose a generic message that the system sends to users if they enter an incorrect response to a password hint. To access the page select PeopleTools > Security > Password Configuration > Forgotten Password Email Text and click the Wrong Hint Response Email Text tab.

Image: Incorrect Hint Response Email Text page

This example illustrates the fields and controls on the Incorrect Hint Response Email Text page.


Enter any message that suits your business requirements. Keep in mind that the same message is sent to all users who provide an incorrect password hint response.

PeopleSoft recommends setting up a site specifically designed for users who have forgotten their passwords. This site would require no password to enter, but it would provide access only to forgotten password pages.

To set up a forgotten password site:

  1. Set up a separate PeopleSoft Pure Internet Architecture site on your web server.

  2. Set up a direct connection to the site, such as a link to it.

  3. In the web profile, enable public access and specify a public user ID and password for automatic authentication.

    This direct user should have limited access, for example, only to the Email New Password component. Users go directly to it, and a new password is emailed.

  4. Place a link to the forgotten password site within the public portion of the PeopleSoft portal or on another public web site.

  5. Notify your user community of the link.

Note: The site should have this format: http://webserver/psp/sitename/portalname/localnodename/c/MAINTAIN_SECURITY.EMAIL_PSWD.GBL?

This section describes requesting new passwords.

Prerequisites for Requesting New Passwords

Before the system can email the user a new password, complete these tasks:

  • Create a forgotten password hint.

  • Specify an email address in the user profile.

  • Grant permission to have a new password emailed.

    Note: The security administrator must select the Allow Password to be Emailed check box in at least one of the user's permission lists. If this setting is not selected, the user is not allowed to receive the new password through email. If the user is allowed to receive new passwords through email, the user can request a new password.

  • Set up the Forgot My Password Email Text message to use when a user provides a valid user ID and valid response to a password question.

  • Set up the Incorrect Hint Response Email Text message to use when a user provides an incorrect response to a password question.

Specifying the User to Validate

Use the Forgot My Password page to specify the ID of the user to validate.

To access the Forgot My Password page, click the Forgotten Password link on the PeopleSoft signon page or use a link as provided by the Security Administrator.

Image: Forgot My Password page

This example illustrates the fields and controls on the Forgot My Password page when entering the user ID to validate. You can find definitions for the fields and controls later on this page.

Forgot My Password page (Enter user ID to validate.)

To specify the user to validate:

  1. In the User ID field enter the user name to validate.

  2. Click the Continue button.

For security purposes no indication is provided if a user enters a correct user ID or an incorrect user ID. If an incorrect user ID is entered, a user is able to proceed in the process, but the password reset will not be successful.

At the end of the procedure, the system displays a message advising users to contact their Security Administrator or System Administrator if the password reset is not successful. Users who inadvertently entered an incorrect user ID may contact their administrator for assistance.

Entering Password Hint Responses

After you enter the user ID to validate on the Forgot My Password page, you are presented with a question to answer.

Image: Forgot My Password page

This example illustrates the fields and controls on the Forgot My Password page to enter a response to the password question. You can find definitions for the fields and controls later on this page.

Forgot My Password page (Enter password hint response.)

After a user enters a response to the password question and clicks the Email New Password button, the system displays a confirmation that the password has been emailed to the primary email address defined for the user.

Image: Password Emailed page

This example illustrates the Password Emailed page.


In the interest of security, the system does not indicate whether the response entered for the password question is correct or incorrect.

If the user enters a valid user ID in the previous step and enters the correct response to the password question, a new password is emailed to the primary email account as defined in the user profile, provided that the administrator has satisfied the prerequisites described previously in this section.

If the Security Administrator has configured the Incorrect Hint Response Email Text message as described previously in this topic, at the end of the procedure the system sends an email to the address defined in the user profile providing information and instructions as determined by the administrator.

If the user did not enter a valid user ID in the previous step, he or she is able to enter a response to the password hint. However, no new password generation is performed.

To enter a password hint response:

  1. In the Response field enter the answer to the question.

  2. Click the Email New Password button.

    The Password Emailed page appears.
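The request flow described in this section always ends on the same page, while the side effects depend on the user ID, the hint response, and the Allow Password to be Emailed permission. The following added example models that decision logic; it is not PeopleSoft code. All class and field names are hypothetical, and the password generator, the exact string comparison, and literal replacement of the <<%PASSWORD>> token are assumptions.

```python
# Added example: a model of the documented forgotten-password flow.
# It is not PeopleSoft code; all class and field names are hypothetical.
import secrets
import time
from dataclasses import dataclass, field

PASSWORD_EMAILED = "Password Emailed"   # page shown after every request


@dataclass
class Profile:
    primary_email: str
    hint_response: str
    allow_password_emailed: bool        # set on at least one permission list


@dataclass
class ForgotPasswordService:
    profiles: dict                      # user ID -> Profile
    email_text: str = "Your new password is <<%PASSWORD>>."
    wrong_hint_text: str = ""           # "" = message not configured
    seconds_delay: float = 0            # Seconds Delay Between, default 0
    outbox: list = field(default_factory=list)  # (recipient, body) pairs

    def email_new_password(self, user_id, response):
        """Handle one request; the caller learns nothing from the result."""
        time.sleep(self.seconds_delay)  # applied whether or not it is correct
        profile = self.profiles.get(user_id)
        if profile is None:
            return PASSWORD_EMAILED     # invalid user ID: nothing generated
        # Exact, case-sensitive comparison is an assumption.
        correct = secrets.compare_digest(
            response.encode(), profile.hint_response.encode())
        if correct and profile.allow_password_emailed:
            # Generator is an assumption; storing the new credential is omitted.
            new_password = secrets.token_urlsafe(12)
            body = self.email_text.replace("<<%PASSWORD>>", new_password)
            self.outbox.append((profile.primary_email, body))
        elif not correct and self.wrong_hint_text:
            self.outbox.append((profile.primary_email, self.wrong_hint_text))
        return PASSWORD_EMAILED
```
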