Working With Passwords

This section discusses how to:

  • Set password controls.

  • Change passwords.

  • Create hints for forgotten passwords.

  • Delete hints for forgotten passwords.

  • Define answers for forgotten password hints.

  • Create email text for forgotten passwords.

  • Create email text for incorrect hint responses.

  • Set up the site for forgotten passwords.

  • Request new passwords.

Access the Password Controls page (PeopleTools > Security > Password Configuration > Set Password Controls).

This example illustrates the fields and controls on the Password Controls page. You can find definitions for the fields and controls later on this page.

Password Controls page

You use the Password Controls page to set any password restrictions, such as duration or minimum password length, that you want to impose on your end users. These options apply when you are maintaining your user profiles within PeopleSoft databases.

Important! PeopleTools delivers the Password Controls page with a number of default field values. When you perform a standard database installation the default values are set. The default values are not automatically set during an upgrade.

The following tables describe the fields on the Password Controls page, including the default field values that are delivered.

Password May Match

Field or Control

Description

User ID

Select to enable users to use their own user ID as a password.

By default the control is not selected and users cannot use their user ID as a password.

Primary Email

Select to enable users to use the email address that is associated with their user profile (as designated by the Primary Email Account check box on the Email Address page) as a password.

By default the control is not selected and users cannot use their email address as a password.

Note: Leaving these controls cleared prevents attackers from guessing passwords from a list of employee names or email addresses.

Requirements

Use these fields to specify the number and types of characters that passwords must include. Passwords can include up to 64 characters.

Field or Control

Description

Minimum Length

Enter the fewest characters that a user must enter when creating a password.

The default value is 8 characters.

If the minimum length is set to 0, the PeopleSoft password controls do not enforce a minimum length; the password still cannot be blank. When you create a new user or a user changes a password, the system checks this value. If it is not zero, the system tests the password against the length requirement and displays an error message if the password is too short.

Specials

Enter the required number of special characters that the password must include.

All special characters are allowed, but spaces are not allowed in the password.

The default value is 0.

Digits

Enter the required number of digits (0 through 9) that the password must include.

The default value is 0.

Lower Case

Enter the required number of lowercase letters (such as "q" or "i") that the password must include.

The default value is 0.

Upper Case

Enter the required number of uppercase letters (such as "Q" or "I") that the password must include.

The default value is 0.

By default, leading, intermediate, and trailing spaces are not supported in PeopleSoft passwords. If your security policy requires that you allow intermediate spaces, you must comment out the following statements in the USERMAINT.GBL.PSOPRDEFN.SaveEdit Component PeopleCode:

   &find = Find(" ", PSOPRDEFN.OPRID);
   If &find > 0 Then
      Error MsgGet(48, 14, "Message not found.");
   End-If;

Warning! When these statements are commented out, users can include intermediate spaces in passwords. Although this PeopleCode modification works as a workaround, it is strongly recommended that you not use it. Passwords containing spaces can cause unexpected behavior in batch processes, upgrades, application server configuration files, and two-tier applications such as PeopleSoft Application Designer, Data Mover, and Application Engine.

Hint Responses

Field or Control

Description

Seconds Delay Between

This setting controls how long the system waits before processing the next hint response, regardless of whether the previous response was correct. A nonzero delay slows down automated guessing of hint answers.

The default value is 0.

Password History

Field or Control

Description

Passwords to Retain

Enter the number of user passwords to retain in the password history table (PSPSWDHISTORY).

The default value is 0.

If the user attempts to reuse a password that is stored in the password history table, the application issues an error and prompts the user to enter a different password.

When the number of retained passwords for a user surpasses the number indicated in the Passwords to Retain field, the system deletes the oldest password and then stores the current password as the newest password.

Note: If the password history table contains values and you change the Passwords to Retain field value to 0, the system deletes the password history for all users.
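As an added example (not PeopleTools code, and not the PeopleCode behind the page), the following Python implements the checks that the Requirements, Password May Match and Password History fields describe: the character-class minimums, the no-blank and no-space rules, the user ID and primary-email match checks, and a retention ring that drops the oldest entry and is wiped when Passwords to Retain is set to 0. The field names, the case-insensitive match comparison and the salted-hash storage of history entries are this example's own assumptions; the page does not describe how PSPSWDHISTORY stores its rows.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_LENGTH = 64           # "Passwords can include up to 64 characters"
PBKDF2_ROUNDS = 50_000    # hashing cost for history entries (this example's choice)


@dataclass
class PasswordControls:
    """Constructed mirror of the Password Controls fields; the names are this example's own."""
    minimum_length: int = 8                # Minimum Length (0 = not enforced, but never blank)
    specials: int = 0                      # Specials
    digits: int = 0                        # Digits
    lower_case: int = 0                    # Lower Case
    upper_case: int = 0                    # Upper Case
    may_match_user_id: bool = False        # Password May Match: User ID
    may_match_primary_email: bool = False  # Password May Match: Primary Email


def check_requirements(pw, user_id, primary_email, ctl):
    """Return the list of violated rules; an empty list means the password passes."""
    if pw == "":
        return ["password cannot be blank"]
    errors = []
    if len(pw) > MAX_LENGTH:
        errors.append(f"password exceeds {MAX_LENGTH} characters")
    if any(c.isspace() for c in pw):
        errors.append("spaces are not allowed")
    if ctl.minimum_length and len(pw) < ctl.minimum_length:
        errors.append(f"minimum length is {ctl.minimum_length}")
    # Any non-alphanumeric, non-space character counts as a special character,
    # which matches "all special characters are allowed".
    counts = {
        "digits": sum(c.isdigit() for c in pw),
        "lower case": sum(c.islower() for c in pw),
        "upper case": sum(c.isupper() for c in pw),
        "specials": sum((not c.isalnum()) and (not c.isspace()) for c in pw),
    }
    required = {"digits": ctl.digits, "lower case": ctl.lower_case,
                "upper case": ctl.upper_case, "specials": ctl.specials}
    for name, need in required.items():
        if counts[name] < need:
            errors.append(f"at least {need} {name} character(s) required")
    # The match checks are case-insensitive here (stricter than a byte comparison;
    # the page does not say how PeopleTools compares them).
    if not ctl.may_match_user_id and pw.casefold() == user_id.casefold():
        errors.append("password may not match the user ID")
    if (not ctl.may_match_primary_email and primary_email
            and pw.casefold() == primary_email.casefold()):
        errors.append("password may not match the primary email address")
    return errors


class PasswordHistory:
    """Per-user ring of previous passwords, oldest first. Entries are salted hashes
    (an example choice; the page does not describe how PSPSWDHISTORY stores rows)."""

    def __init__(self, passwords_to_retain):
        self.retain = passwords_to_retain
        self._entries = {}   # user_id -> [(salt, digest), ...]

    @staticmethod
    def _digest(salt, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

    def set_retain(self, n):
        """Changing Passwords to Retain to 0 deletes the history for all users."""
        self.retain = n
        if n == 0:
            self._entries.clear()
        else:
            for entries in self._entries.values():
                del entries[:-n]

    def was_used(self, user_id, pw):
        return any(hmac.compare_digest(self._digest(salt, pw), digest)
                   for salt, digest in self._entries.get(user_id, []))

    def record(self, user_id, pw):
        if self.retain == 0:
            return
        entries = self._entries.setdefault(user_id, [])
        salt = secrets.token_bytes(16)
        entries.append((salt, self._digest(salt, pw)))
        del entries[:-self.retain]   # drop the oldest entries beyond the retention count


def validate_new_password(pw, user_id, primary_email, ctl, history):
    """Full check performed when a user changes a password: requirements, then history."""
    errors = check_requirements(pw, user_id, primary_email, ctl)
    if history.was_used(user_id, pw):
        errors.append("password was used recently; enter a different password")
    return errors
```

Call validate_new_password at the point where a new password is saved and record it in the history only after the change succeeds; keeping the history as salted hashes means a dump of the history table does not hand an attacker the user's last N passwords in clear.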

Purge User Profiles

Field or Control

Description

Days of Inactivity

Enter the maximum number of days that a user can go without accessing the application, after which the system treats the profile as inactive.

By default the field is blank.

After you set the value and save the page, click the Schedule button to access and automate the PURGEOLDUSRS Application Engine program that performs the delete process.

If you maintain user profiles in a directory server, a row is added to the PSOPRDEFN table for the system to access while the user interacts with the system. However, when the user is deleted from the directory server, you must manually delete the row in PSOPRDEFN associated with the deleted user profile.

Signon PeopleCode

Field or Control

Description

Enabled

Select this check box to enable the PeopleSoft Password Expiration and Account Lockout controls.

By default this option is Enabled.

You must restart the application server whenever you change this setting.

You can extend or customize the controls by modifying the PeopleCode.

Password Expiration

Use the controls in this section to manage password expiration options:

  • Never Expires: Select to disable password expiration options for all users.

  • Expires In: (Default) Select to set password expiration options for all users.

    • Days: You must enter a value between 1 and 365 in the Days field to specify the number of days that a password is valid.

      The default value is 180 days.

      Users signing on after a password expires must change their password to sign in.

      You must select a warning option.

    • Without Warning: (Default) Select to disable notification of impending password expiration.

    • Warn For: Select to enable notification of impending password expiration.

      The value that you enter in the Days field determines when the system begins notifying users of impending password expiration.

      The default value is 5.

PeopleSoft delivers a default permission list named PSWDEXPR (Password Expired). When a user's password expires, the system automatically removes all of the user's roles and permission lists, and temporarily assigns them the PSWDEXPR permission list only.

A user whose password has expired can access only items in the PSWDEXPR permission list, which typically grants access to only the Change Password component (CHANGE_PASSWORD). Until the user changes the password, the user is restricted solely to the PSWDEXPR permission list.

Note: The actual user profile stored in the database is not changed in any way when the password expires. You do not need to redefine the profile. When the password is changed, the system restores the user profile's previous roles and permission lists.

Note: The password expiration applies only to signing into the system through the PeopleSoft Pure Internet Architecture (PIA). When you log in to PeopleTools utilities such as Application Designer, Application Engine, or Data Mover, the password expiration control does not apply. For example, if you try to use an expired password to sign in to PIA, you will see an error message, but you can use the same password to sign into Application Designer.

Account Lockout

Failed Logons: Enter the maximum number of failed sign in attempts to allow before the system disables the user profile.

The default value is 5.

For example, if you set the Failed Logons value to 3 and a user fails three sign-in attempts, she is automatically locked out of the system. Even if she correctly enters her user ID and password on the fourth attempt, she is not permitted to sign in. This feature reduces the risk of an intruder using brute force to break into your system.

After an account is locked out, a system administrator must open the user profile and deselect the Account Locked check box manually.
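The following Python, an added example rather than the delivered Signon PeopleCode, walks through one PIA sign-in under the Password Expiration and Account Lockout controls above: an expired password yields a session whose only effective permission list is PSWDEXPR while the stored profile is untouched, a warning is raised inside the Warn For window, the Nth failed attempt locks the account so that even a correct password is then refused, and an administrator unlock clears it. The control and profile field names, the password hashing, and the treatment of the expiry boundary day are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date

PSWDEXPR = "PSWDEXPR"   # delivered permission list for expired passwords (named on this page)


@dataclass
class SignonControls:
    """Constructed mirror of the Password Expiration and Account Lockout fields."""
    never_expires: bool = False
    expires_in_days: int = 180     # Expires In: Days (1..365)
    warn_for_days: int = 0         # Warn For: Days (0 = Without Warning)
    failed_logons: int = 5         # Account Lockout: Failed Logons


@dataclass
class UserProfile:
    user_id: str
    salt: bytes
    password_hash: bytes
    password_set_on: date
    permission_lists: set          # the stored profile; never modified by expiration
    failed_attempts: int = 0
    account_locked: bool = False   # the Account Locked check box


@dataclass
class SignonResult:
    success: bool
    effective_permission_lists: set
    message: str


def _hash(salt, pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


def make_profile(user_id, pw, set_on, permission_lists):
    salt = secrets.token_bytes(16)
    return UserProfile(user_id, salt, _hash(salt, pw), set_on, set(permission_lists))


def change_password(profile, new_pw, today):
    profile.salt = secrets.token_bytes(16)
    profile.password_hash = _hash(profile.salt, new_pw)
    profile.password_set_on = today


def unlock(profile):
    """The administrator clearing the Account Locked check box on the user profile."""
    profile.account_locked = False
    profile.failed_attempts = 0


def signon(profile, pw, ctl, today):
    """Evaluate one PIA sign-in attempt; updates the profile's lockout counters."""
    if profile.account_locked:
        return SignonResult(False, set(), "account locked; an administrator must unlock it")
    if not hmac.compare_digest(_hash(profile.salt, pw), profile.password_hash):
        profile.failed_attempts += 1
        if profile.failed_attempts >= ctl.failed_logons:
            profile.account_locked = True
            return SignonResult(False, set(),
                                f"account locked after {ctl.failed_logons} failed attempts")
        return SignonResult(False, set(), "invalid user ID or password")
    profile.failed_attempts = 0
    message = "signed on"
    if not ctl.never_expires:
        # The password is treated as valid for expires_in_days full days after it was
        # set; the page does not pin down the boundary day, so this is the example's choice.
        days_left = ctl.expires_in_days - (today - profile.password_set_on).days
        if days_left <= 0:
            # Expired: only PSWDEXPR is effective for this session; the stored
            # profile's permission lists are untouched and return after a change.
            return SignonResult(True, {PSWDEXPR}, "password expired; change it to continue")
        if ctl.warn_for_days and days_left <= ctl.warn_for_days:
            message = f"password expires in {days_left} day(s)"
    return SignonResult(True, set(profile.permission_lists), message)
```

Note that, as the page states, this evaluation applies only to PIA sign-on; two-tier tools such as Application Designer accept the same expired password, so expiration alone does not revoke a leaked credential.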

Characters Excluded from Randomly Generated Passwords

Enter up to 100 characters. You can enter alphanumeric or special characters. When the system generates a new password for users who have forgotten their password, these characters will not be used.

The list of characters that you enter is edited to remove duplicates, spaces, and irrelevant characters. Characters that are relevant for passwords are 0-9, a-z, A-Z, and certain special characters. Others, such as accented characters and characters from scripts such as Chinese or Arabic, are considered irrelevant in this context.

The system prevents exclusion of all characters for which there is a required minimum.
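An added example (not the PeopleTools generator) of how the exclusion list can be applied when a replacement password is generated: the list is edited down to unique, relevant characters, each class still contributes its required minimum, and the request is refused when every character of a required class has been excluded. The set of special characters, and the 100-character cap applied before editing, are assumptions of this example; the page does not list which specials PeopleTools considers relevant.

```python
import secrets
import string

# The page says the characters relevant to passwords are 0-9, a-z, A-Z and
# "certain special characters" without listing them; this set is an assumption.
SPECIALS = "!#$%&*+-=?@^_~"
CLASSES = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "specials": SPECIALS,
}
RELEVANT = set("".join(CLASSES.values()))


def normalize_exclusions(raw):
    """Edit the exclusion list the way the page describes: keep the first 100
    characters, then drop duplicates, spaces and characters outside the relevant classes."""
    kept = []
    for c in raw[:100]:
        if c in RELEVANT and c not in kept:
            kept.append(c)
    return "".join(kept)


def generate_password(length, minimums, excluded):
    """Build a random password of `length` characters that contains at least
    minimums[class] characters of each class and none of the excluded characters."""
    excl = set(normalize_exclusions(excluded))
    pools = {name: [c for c in chars if c not in excl] for name, chars in CLASSES.items()}
    need = {name: minimums.get(name, 0) for name in CLASSES}
    # Mirrors "the system prevents exclusion of all characters for which there
    # is a required minimum".
    for name, n in need.items():
        if n > 0 and not pools[name]:
            raise ValueError(f"all {name} characters are excluded but {n} are required")
    if sum(need.values()) > length:
        raise ValueError("required minimums exceed the password length")
    everything = [c for pool in pools.values() for c in pool]
    if not everything:
        raise ValueError("every relevant character is excluded")
    # Required characters first, drawn with the CSPRNG-backed secrets module ...
    chars = [secrets.choice(pools[name]) for name, n in need.items() for _ in range(n)]
    # ... then fill the remainder from every allowed character.
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle with secrets.randbelow so the required characters
    # do not sit in predictable positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)
```

A typical exclusion list removes visually ambiguous characters such as 0/O and 1/l/I so that a password read from an email is transcribed correctly; excluding an entire class that the Requirements section demands is rejected rather than silently producing a password that would fail the same controls.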

Access the Change My Password page (select Change My Password from the NavBar menu). The PeopleSoft system enables users to change their passwords as needed.

This example illustrates the fields and controls on the Change Password page.

Change Password page

To change a PeopleSoft password:

  1. From the homepage, click Change My Password.

  2. On the Change Password page, enter the current password in the Current Password field.

  3. In the New Password field, enter a new password.

  4. Confirm the new password by entering it again in the Confirm Password field.

  5. Click Change Password.

Note: For troubleshooting, an administrator can trace how the entered values are validated by reviewing the PeopleCode that supports the page.

Set up hints and email text to allow end users who forget their passwords to request new, randomly generated passwords.

This setup assumes that the system is configured to send email to end users. To allow users to request new passwords, the security administrator completes these tasks:

  1. Configures the requirements for replacement passwords.

    For example, specify the length and allowed characters. See Setting Password Controls.

  2. Specifies an email address on the user profile.

    On the User Profile - General page, select Edit Email Addresses and add a valid email address. See Setting General User Profile Attributes.

  3. Allows emails on one of the end user's permission lists.

    On the Permission Lists - General page, select the option Allow User ID/Password to be Emailed. If this setting is not selected, the user is not allowed to receive the new password through email. If the user is allowed to receive new passwords through email, the user can request a new password. See Setting General Permissions.

  4. Creates security questions (hints) that the end user must answer to continue with the email request.

    See Creating Hints for Forgotten Passwords.

  5. Composes text for the email to send to end users who provide a valid user ID and answer the security question correctly.

    See Creating Email Text for Forgotten Passwords.

  6. Composes text for the email to send to end users who do not answer the security question correctly.

    See Creating Email Text for Incorrect Hint Responses.

  7. Sets up a web site from which end users request a replacement password.

    See Setting Up the Site for Forgotten Passwords.

When the prerequisite setup is complete, an end user who needs a new password:

  1. Chooses a security question and supplies an answer (this is done ahead of time, while the user can still sign on).

    The Change or Set Up Forgotten Password Help page is where users select the security question and enter their answer into the system. See Defining Answers for Forgotten Password Hints.

  2. Accesses the forgotten password page and enters their user ID.

  3. Answers the security question.

    See Requesting New Passwords.

Use the Forgot My Password Hint page to define questions for users to answer as a means to authenticate themselves if they forget their password.

The security administrator can set up multiple questions, but each user selects only one question to answer.

To access the Forgot My Password Hint page (PSPSWDHINT) select PeopleTools > Security > Password Configuration > Forgotten Password Hints.

This example illustrates the fields and controls on the Forgot My Password Hint page.

Forgot My Password Hint page

With these hints set up, users can access the Forgot My Password page. If the user answers the question correctly, a new password is sent through the email system.

To create a forgotten password hint:

  1. Click Add a New Value.

  2. On the Add a New Value page, enter a three-character ID in the Password Hint ID field.

  3. Click Add.

  4. Select the Active check box.

  5. In the Question field, enter the question to use as a password hint.

  6. Click the Save button.

To delete a password hint:

  1. Select PeopleTools > Security > User Profiles > Delete Forgotten Password Hint.

  2. Enter the specific code for the hint or perform a search for it.

  3. On the Delete Forgot My Password Hint page, select the appropriate hint.

  4. Click Delete.

Before the system emails a new, randomly generated password to a user, you want to make sure that the user is who they claim to be. The Forgotten Password feature enables you to pose a standard question to users who request a new password. If the user enters the correct response, the system automatically emails a new password. Because the hint answer is the only check performed before the password is emailed, choose questions whose answers are not easily discovered, and use the Seconds Delay Between control to slow down guessing.

When a user has forgotten a PeopleSoft password, the system sends the user a new password within an email message. You can have numerous password hints, but typically, you send all new passwords using the same email message template. Because of this, PeopleSoft provides a separate page just for composing the standard email text that you use for your template.

To access the Forgot My Password Email Text page select PeopleTools > Security > Password Configuration > Forgot My Password Email Text and click the Forgot My Password Email Text tab.

This example illustrates the fields and controls on the Forgot My Password Email Text page.

Forgot My Password Email Text page

For information on the rich text editor interface, see Working With Rich Text Editor Fields.

Add the following text string in the Email Text field:

<<%PASSWORD>>

The system inserts the new password here. The %PASSWORD variable resolves to the generated value.

Note: You might instruct the user to change the password to something easier to remember after they sign in to the system with the randomly generated password. Only users who have the Allow User ID/Password to be Emailed option enabled on the Permission List - General page can receive a new password using this feature.

For example:

Your new password is <<%PASSWORD>>.

To change this system-generated password, from the Main Menu click the Change Password link.

If a user provides an incorrect response to a password hint question, the system can automatically send an email notification to the user that indicates that they provided an incorrect response.

Use the Incorrect Hint Response Email Text page (EMAILHINTFAIL) to compose a generic message that the system sends to users if they enter an incorrect response to a password hint. To access the page select PeopleTools > Security > Password Configuration > Forgotten Password Email Text and click the Wrong Hint Response Email Text tab.

This example illustrates the fields and controls on the Incorrect Hint Response Email Text page.

Incorrect Hint Response Email Text page

Enter any message that suits your business requirements. Keep in mind that the same message is sent to all users who provide an incorrect password hint response.

You can change the delay between the processing of hint responses on the Password Controls page in the Seconds Delay Between field. See Setting Password Controls.

For information on the rich text editor interface, see Working With Rich Text Editor Fields.

PeopleSoft recommends that the security administrator set up a site specifically designed for users who have forgotten their passwords. This site requires no password to enter, but it provides access only to the forgotten password pages.

To set up a forgotten password site:

  1. Set up a separate PeopleSoft Pure Internet Architecture site on your web server.

  2. Set up a direct connection to the site, such as a link to it.

  3. In the web profile, enable public access and specify a public user ID and password for automatic authentication.

    This public user should have limited access, for example, only to the Email New Password component. Users go directly to it, and a new password is emailed. Because the web profile signs every visitor to this site on as the public user, grant that user no permission lists beyond the one that exposes the component.

  4. Place a link to the forgotten password site within the public portion of the PeopleSoft portal or on another public web site.

  5. Notify your user community of the link.

Note: The URL for the site should have this format: http://<webserver>/psp/<sitename>/<portalname>/<localnodename>/c/MAINTAIN_SECURITY.EMAIL_PSWD.GBL?

End users can use the Change or Set Up Forgotten Password Help page (USER_PSWDHINT) to define an answer to a predefined password hint question set up by the system administrator.

If you forget your password, the system presents you with your security question. When you provide the correct answer, the system emails you a new, randomly generated password.

Select My System Profile from the NavBar menu and click the link Change or set up forgotten password help.

See Setting Up Your System Profile.

This example illustrates the fields and controls on the Change or set up forgotten password help page.

Change or set up forgotten password help page

Field or Control

Description

Question

This field contains the security question set up by the administrator.

Response

Enter the answer to the question.

This section describes how an end user requests new passwords.

Prerequisites for Requesting New Passwords

Before the system can email the user a new password, the security administrator must complete the requirements described in Implementing Forgotten Password Emails.

Specifying the User to Validate

Use the Forgot My Password page to specify the ID of the user to validate.

To access the Forgot My Password page, click the Forgotten Password link on the PeopleSoft signon page or use a link as provided by the security administrator.

This example illustrates the fields and controls on the Forgotten Password page.

Forgotten Password page (Enter user ID to validate)

To specify the user to validate:

  1. In the User ID field, enter the user ID to validate.

  2. Click the Continue button.

For security purposes, the page gives no indication of whether the entered user ID is valid. If an incorrect user ID is entered, the user can proceed through the remaining steps, but no password is reset.

At the end of the procedure, the system displays a message advising users to contact their security administrator or system administrator if the password reset is not successful; users who inadvertently entered an incorrect user ID can contact their administrator for assistance.

Entering Password Hint Responses

After you enter the user ID to validate on the Forgot My Password page, you are presented with a question to answer.

This example illustrates the fields and controls on the Security Question page.

Security Question page

After a user enters a response to the password question and clicks the Email New Password button, the system displays a confirmation that the password has been emailed to the primary email address defined for the user.

This example illustrates the Email Confirmation page.

Email Confirmation page

In the interest of security, the system does not indicate whether the response to the password question was correct or incorrect.

If the user enters a valid user ID in the previous step and enters the correct response to the password question, a new password is emailed to the primary email account as defined in the user profile, provided that the administrator has satisfied the prerequisites described previously in this section.

If the security administrator has configured the Incorrect Hint Response Email Text message as described previously in this topic, at the end of the procedure the system sends an email to the address defined in the user profile providing information and instructions as determined by the administrator.

If the user did not enter a valid user ID in the previous step, he or she can still enter a response to the password hint, but no new password is generated.

To enter a password hint response:

  1. In the Response field enter the answer to the question.

  2. Click the Email New Password button.

    The Password Emailed page appears.
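As an added example of the request flow described in this section (not the delivered Forgot My Password component), the following Python returns the same confirmation whether or not the user ID exists and whether or not the hint response is correct, applies the Seconds Delay Between control before every response, emails the new-password text with <<%PASSWORD>> resolved only when the answer is correct and the user's permission list allows the password to be emailed, and sends the Wrong Hint Response text otherwise. The decoy question for unknown IDs, the hashed storage of hint responses, the casefolded answer comparison and the outbox stand-in for the mail system are this example's assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Shown to every requester: valid user ID or not, right answer or not.
CONFIRMATION = ("An email has been sent to the primary email address on your profile. "
                "Contact your security administrator if you do not receive it.")


@dataclass
class HintUser:
    user_id: str
    primary_email: Optional[str]
    allow_password_email: bool   # "Allow User ID/Password to be Emailed" on a permission list
    hint_id: str                 # three-character Password Hint ID chosen on the help page
    salt: bytes
    response_hash: bytes         # salted hash of the answer (storage format is an example choice)


def _hash_response(salt, response):
    # Trim and casefold so "Springfield " and "springfield" match: an example choice.
    return hashlib.pbkdf2_hmac("sha256", response.strip().casefold().encode(), salt, 50_000)


def make_hint_user(user_id, email, allow_email, hint_id, response):
    salt = secrets.token_bytes(16)
    return HintUser(user_id, email, allow_email, hint_id, salt, _hash_response(salt, response))


class ForgottenPasswordService:
    def __init__(self, users, hints, seconds_delay_between, new_password_text,
                 wrong_hint_text, sleep=time.sleep):
        self.users = {u.user_id: u for u in users}
        self.hints = hints                      # hint_id -> question text
        self.delay = seconds_delay_between      # Seconds Delay Between
        self.new_password_text = new_password_text   # Forgot My Password Email Text
        self.wrong_hint_text = wrong_hint_text       # Incorrect Hint Response Email Text
        self.sleep = sleep
        self.decoy_key = secrets.token_bytes(32)
        self.outbox = []                        # (to, body): constructed stand-in for the mail system

    def question_for(self, user_id):
        """Always return a question. Unknown IDs get a stable decoy chosen by an HMAC
        of the ID, so the question shown does not reveal whether the ID exists."""
        user = self.users.get(user_id)
        if user is not None:
            return self.hints[user.hint_id]
        ids = sorted(self.hints)
        pick = int.from_bytes(hmac.new(self.decoy_key, user_id.encode(), "sha256").digest(), "big")
        return self.hints[ids[pick % len(ids)]]

    def request_new_password(self, user_id, response):
        self.sleep(self.delay)   # applied before every response, correct or not
        user = self.users.get(user_id)
        if user is not None:
            correct = hmac.compare_digest(_hash_response(user.salt, response), user.response_hash)
            if correct:
                if user.allow_password_email and user.primary_email:
                    new_pw = secrets.token_urlsafe(12)   # stand-in for the configured generator
                    body = self.new_password_text.replace("<<%PASSWORD>>", new_pw)
                    self.outbox.append((user.primary_email, body))
            elif user.primary_email and self.wrong_hint_text:
                self.outbox.append((user.primary_email, self.wrong_hint_text))
        return CONFIRMATION   # identical for unknown IDs and for wrong answers
```

The point to check in a real deployment is that every branch (unknown ID, wrong answer, correct answer, permission list without the email option) produces the same page and takes roughly the same time, so that the forgotten-password site cannot be used to enumerate user IDs or confirm hint answers.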