Working With Passwords

Access the Password Controls page (PeopleTools > Security > Password Configuration > Set Password Controls).

You use the Password Controls page to set any password restrictions, such as duration or minimum password length, that you want to impose on your end users. These options apply when you are maintaining your user profiles within PeopleSoft databases.

Important! PeopleTools delivers the Password Controls page with a number of default field values. When you perform a standard database installation the default values are set. The default values are not automatically set during an upgrade.

The following tables describe the fields on the Password Controls page, including any default field values delivered. When you enable or specify values for these options, pages used to create or modify passwords will display statements describing the applicable policy details, as mentioned in the tables. For example, end users will see the Password Policy details when using Change My Password, and administrators will see them when configuring user profile attributes.

Signon PeopleCode

Field or Control	Description
Enabled	Select the box to enable the PeopleSoft Password Expiration and Account Lockout fields. By default this option is Enabled. You must restart the application server whenever you change this setting. You can extend or customize the controls by modifying the PeopleCode.
Password Expiration	Use the controls in this section to manage password expiration options. Never Expires: Select to disable password expiration options for all users. Expires In: (Default) Select to set password expiration options for all users. If an expiration date is set, the policy statement is "Password set to Expire on <date>." Days: You must enter a value between 1 and 365 in the Days field to specify the number of days that a password is valid. The default value is 180 days. Users signing on after a password expires must change their password to sign in. You must select a warning option. Without Warning: (Default) Select to disable notification of impending password expiration. Warn For: Select to enable notification of impending password expiration. The value that you enter in the Days field determines when the system begins notifying users of impending password expiration. The default value is 5. PeopleSoft delivers a default permission list named PSWDEXPR (Password Expired). When a user's password expires, the system automatically removes all of the user's roles and permission lists, and temporarily assigns them the PSWDEXPR permission list only. A user whose password has expired can access only items in the PSWDEXPR permission list, which typically grants access to only the Change Password component (CHANGE_PASSWORD). For the duration of the session, as in until the user changes the password, the user is restricted solely to the PSWDEXPR permission list. Note: The actual user profile stored in the database is not changed in any way when the password expires. You do not need to redefine the profile. When the password is changed, the system restores the user profile's previous roles and permission lists. Note: The password expiration applies only to signing into the system through the PeopleSoft Pure Internet Architecture (PIA). When you log in to PeopleTools utilities such as Application Designer, Application Engine, or Data Mover, the password expiration control does not apply. For example, if you try to use an expired password to sign in to PIA, you will see an error message, but you can use the same password to sign into Application Designer.
Account Lockout	Failed Logons: Enter the maximum number of failed sign in attempts to allow before the system disables the user profile. The default value is 5. For example, if you set the Failed Logons value to 3, and a user fails three sign in attempts, she is automatically locked out of the system. Even if she correctly enter a user ID and password on the fourth attempt, she is not permitted to sign in. This feature reduces the risk of any intruders using brute force to break into your system. After an account is locked out, a system administrator must open the user profile and deselect the Account Locked check box manually.

Field or Control

Description

Enabled

Select the box to enable the PeopleSoft Password Expiration and Account Lockout fields.

By default this option is Enabled.

You must restart the application server whenever you change this setting.

You can extend or customize the controls by modifying the PeopleCode.

Password Expiration

Use the controls in this section to manage password expiration options.

Never Expires: Select to disable password expiration options for all users.
Expires In: (Default) Select to set password expiration options for all users.
If an expiration date is set, the policy statement is "Password set to Expire on <date>."
- Days: You must enter a value between 1 and 365 in the Days field to specify the number of days that a password is valid.
  The default value is 180 days.
  Users signing on after a password expires must change their password to sign in.
  You must select a warning option.
- Without Warning: (Default) Select to disable notification of impending password expiration.
- Warn For: Select to enable notification of impending password expiration.
  The value that you enter in the Days field determines when the system begins notifying users of impending password expiration.
  The default value is 5.

PeopleSoft delivers a default permission list named PSWDEXPR (Password Expired). When a user's password expires, the system automatically removes all of the user's roles and permission lists, and temporarily assigns them the PSWDEXPR permission list only.

A user whose password has expired can access only items in the PSWDEXPR permission list, which typically grants access to only the Change Password component (CHANGE_PASSWORD). For the duration of the session, as in until the user changes the password, the user is restricted solely to the PSWDEXPR permission list.

Note: The actual user profile stored in the database is not changed in any way when the password expires. You do not need to redefine the profile. When the password is changed, the system restores the user profile's previous roles and permission lists.

Note: The password expiration applies only to signing into the system through the PeopleSoft Pure Internet Architecture (PIA). When you log in to PeopleTools utilities such as Application Designer, Application Engine, or Data Mover, the password expiration control does not apply. For example, if you try to use an expired password to sign in to PIA, you will see an error message, but you can use the same password to sign into Application Designer.

Account Lockout

Failed Logons: Enter the maximum number of failed sign in attempts to allow before the system disables the user profile.

The default value is 5.

For example, if you set the Failed Logons value to 3, and a user fails three sign in attempts, she is automatically locked out of the system. Even if she correctly enter a user ID and password on the fourth attempt, she is not permitted to sign in. This feature reduces the risk of any intruders using brute force to break into your system.

After an account is locked out, a system administrator must open the user profile and deselect the Account Locked check box manually.

Password Policy

Use these fields to specify the number and types of characters that passwords must include. Passwords can include up to 64 characters.

Field or Control	Description
Allow Spaces	Select to allow spaces within passwords. Spaces are not allowed as the first or last character in passwords. There is further information about using spaces following this table. If this is enabled, the policy statement shown is "Password must not contain leading or trailing spaces." If this is not enabled, the policy statement shown is "Password must not contain spaces."
Password May Match	User ID — Select to enable users to use their own user ID as a password. If this is not enabled, the policy statement shown is "Password must not equal User ID." Primary Email — Select to enable users to use the email address that is associated with their user profile (as designated by the Primary Email Account check box on the Email Address page) as a password. If this is not enabled, the policy statement shown is "Password must not be equal to Primary Email address."
Minimums The default value is zero (0) for all.	Length — Enter the minimum number of characters (n) that the password must include. The policy statement is "Password must be at least n characters long." Specials — Enter the minimum number of special characters, such as ampersand (&) or percent sign (%) that the password must include. All special characters are allowed. The policy statement is "Password must contain at least n special characters." Digits — Enter the minimum number of integers, such as 1 or 2, that the password must include. The policy statement is "Password must contain at least n digits." Lower Case — Enter the minimum number of minuscule letters (such as "q" or "i") that the password must include. The policy statement is "Password must contain at least n lower case alphabets." Upper Case — Enter the minimum number of majuscule letters (such as "Q" or "I") that the password must include. The policy statement is "Password must contain at least n upper case alphabets." Unique — Specify the minimum number of unique characters required, to prevent passwords such as AAAAAA. The policy statement is "Password must contain at least n unique characters." Different from Last — Enter the minimum number of differences from the previous password that is required. This option does not apply to Administrator pages. The policy statement is "Password must contain at least n characters different from current password."

Field or Control

Description

Allow Spaces

Select to allow spaces within passwords. Spaces are not allowed as the first or last character in passwords. There is further information about using spaces following this table.

If this is enabled, the policy statement shown is "Password must not contain leading or trailing spaces."

If this is not enabled, the policy statement shown is "Password must not contain spaces."

Password May Match

User ID — Select to enable users to use their own user ID as a password.
If this is not enabled, the policy statement shown is "Password must not equal User ID."
Primary Email — Select to enable users to use the email address that is associated with their user profile (as designated by the Primary Email Account check box on the Email Address page) as a password.
If this is not enabled, the policy statement shown is "Password must not be equal to Primary Email address."

Minimums

The default value is zero (0) for all.

Length — Enter the minimum number of characters (n) that the password must include.
The policy statement is "Password must be at least n characters long."
Specials — Enter the minimum number of special characters, such as ampersand (&) or percent sign (%) that the password must include. All special characters are allowed.
The policy statement is "Password must contain at least n special characters."
Digits — Enter the minimum number of integers, such as 1 or 2, that the password must include.
The policy statement is "Password must contain at least n digits."
Lower Case — Enter the minimum number of minuscule letters (such as "q" or "i") that the password must include.
The policy statement is "Password must contain at least n lower case alphabets."
Upper Case — Enter the minimum number of majuscule letters (such as "Q" or "I") that the password must include.
The policy statement is "Password must contain at least n upper case alphabets."
Unique — Specify the minimum number of unique characters required, to prevent passwords such as AAAAAA.
The policy statement is "Password must contain at least n unique characters."
Different from Last — Enter the minimum number of differences from the previous password that is required. This option does not apply to Administrator pages.
The policy statement is "Password must contain at least n characters different from current password."

Password History

Field or Control	Description
Passwords to Retain	Enter the number of user passwords to retain in the password history table (PSPSWDHISTORY). The default value is 0. If the user attempts to reuse a password that is stored in the password history table, the application issues an error and prompts the user to enter a different password. When the number of retained passwords for a user surpasses the number indicated in the Passwords to Retain field, the system deletes the oldest password and then stores the current password as the newest password.

Field or Control

Description

Passwords to Retain

Enter the number of user passwords to retain in the password history table (PSPSWDHISTORY).

The default value is 0.

If the user attempts to reuse a password that is stored in the password history table, the application issues an error and prompts the user to enter a different password.

When the number of retained passwords for a user surpasses the number indicated in the Passwords to Retain field, the system deletes the oldest password and then stores the current password as the newest password.

Note: If the password history table contains values and you change the Passwords to Retain field value to 0, the system deletes the password history for all users.

Password Change

Field or Control	Description
Allowed Every n Days	Enter the number of days required before a password can be changed. This prevents multiple password changes in rapid succession. This option is not applicable to pages that require administrator access. The policy statement shown for non-zero values is "Password change allowed on or after <date>."

Field or Control

Description

Allowed Every n Days

Enter the number of days required before a password can be changed. This prevents multiple password changes in rapid succession.

This option is not applicable to pages that require administrator access.

The policy statement shown for non-zero values is "Password change allowed on or after <date>."

Hint Responses

Field or Control	Description
Seconds Delay Between	The setting controls the length of time to wait between processing consecutive hint responses regardless if the response is correct. The default value is 0.

Field or Control

Description

Seconds Delay Between

The setting controls the length of time to wait between processing consecutive hint responses regardless if the response is correct.

The default value is 0.

Purge User Profiles

Field or Control	Description
Days of Inactivity	Enter the maximum number of days that a user can go without accessing the application, after which the system marks the profile as inactive. By default the field is blank. After you set the value and save the page, click the Schedule button to access and automate the PURGEOLDUSRS Application Engine program that performs the delete process. If you maintain user profiles in a directory server, a row is added to the PSOPRDEFN table for the system to access while the user interacts with the system. However, when the user is deleted from the directory server, you must manually delete the row in PSOPRDEFN associated with the deleted user profile.

Field or Control

Description

Days of Inactivity

Enter the maximum number of days that a user can go without accessing the application, after which the system marks the profile as inactive.

By default the field is blank.

After you set the value and save the page, click the Schedule button to access and automate the PURGEOLDUSRS Application Engine program that performs the delete process.

If you maintain user profiles in a directory server, a row is added to the PSOPRDEFN table for the system to access while the user interacts with the system. However, when the user is deleted from the directory server, you must manually delete the row in PSOPRDEFN associated with the deleted user profile.

Characters Excluded from Randomly Generated Passwords

Enter up to 100 characters. You can enter alphanumeric or special characters. When the system generates a new password for users who have forgotten their password, these characters will not be used.

The list of characters you enter will be edited to remove duplicates, spaces, and irrelevant characters. Characters that are relevant for passwords are 0-9, a-z, A-Z, and certain special characters. Others, such as characters with special notation, Chinese, and Arabic, are considered irrelevant for this context.

The system prevents exclusion of all characters for which there is a required minimum.

Password Text Restrictions

Use these options to specify text that is prohibited from appearing in passwords.

Field or Control	Description
Restrict Rule	Select a rule to control how the restricted text can be used. Contains — The password cannot include the restricted text. The policy statement is "Password must not contain: <restricted text>." Begins with — The password cannot begin with the restricted text. The policy statement is "Password must not begin with: <restricted text>." Equals — The password cannot be the same as the restricted text. The policy statement is "Password must not equal: <restricted text>."
Restricted Text	Enter any value up to 64 characters.

Field or Control

Description

Restrict Rule

Select a rule to control how the restricted text can be used.

Contains — The password cannot include the restricted text.
The policy statement is "Password must not contain: <restricted text>."
Begins with — The password cannot begin with the restricted text.
The policy statement is "Password must not begin with: <restricted text>."
Equals — The password cannot be the same as the restricted text.
The policy statement is "Password must not equal: <restricted text>."

Restricted Text

Enter any value up to 64 characters.

Password OPRID Property Restrictions

Use these options to prevent user ID (OPRID) attributes from appearing in passwords.

Note: These restrictions may not be applicable when creating a new user profile or copying a user profile.

Field or Control	Description
Restrict Rule	Select a rule to prevent the use of the OPRID attribute in passwords. Contains — The password cannot include the text specified by the corresponding OPRID attributes. The policy statement is "Password must not contain: <OPRID attribute>." Begins with — The password cannot begin with the text specified by the corresponding OPRID attributes. The policy statement is "Password must not begin with: <OPRID attribute>." Equals — The password cannot be the same as the text specified by the corresponding OPRID attributes. The policy statement is "Password must not equal: <OPRID attribute>."
Record Name	Select a record or view that has OPRID as the only key.
Field Name	Select any field within the selected record or view that is a character field with 64 characters or less. This option is available after you select the Record Name.
Field Label ID	Select the Field Label ID corresponding to the text to be prohibited.
Long Label	After you select the Field Label ID, the Long Label text is displayed. This text will be displayed on the list of password policies, for example on the Change Password page.

Access the Change My Password page (select Change My Password from the NavBar menu). The PeopleSoft system enables users to change their passwords as needed.

To change a PeopleSoft password:

From the homepage, click Change My Password.
On the Change Password page, enter the current password in the Current Password field.
In the New Password field, enter a new password.
The page displays the password policy set by the administrator.
Confirm the new password by entering it again in the Confirm Password field.
Click Change Password.

Note: For troubleshooting, the administrator may check the entered values and so on through the PeopleCode that supports the page.

Set up hints and email text to allow end users who forget their passwords to request new, randomly generated passwords.

This setup assumes that the system is configured to send emails to end users. To allow users to request new passwords, the security administrator fulfills these requirements:

Configures the requirements for the replacements passwords.
For example, specify the length and allowed characters. See Setting Password Controls
Specifies an email address on the user profile.
On the User Profile - General page, select Edit Email Addresses and add a valid email address. See Setting General User Profile Attributes.
Allows emails on one of the end user's permission lists.
On the Permission Lists - General page, select the option Allow User ID/Password to be Emailed. If this setting is not selected, the user is not allowed to receive the new password through email. If the user is allowed to receive new passwords through email, the user can request a new password. See Setting General Permissions.
Creates security questions (hints) that the end user must answer to continue with the email request.
See Creating Hints for Forgotten Passwords.
Composes text for the email to send to end users who provide a valid user ID and answer the security question correctly.
See Creating Email Text for Forgotten Passwords.
Composes text for the email to send to end users who do not answer the security question correctly.
See Creating Email Text for Incorrect Hint Responses.
Sets up a web site for the end user request a replacement password.
See Setting Up the Site for Forgotten Passwords.

When the prerequisite setup is complete, the end user who needs a new password:

Chooses a security question and supplies an answer.
The Change or Set Up Forgotten Password Help page is where users select the security question and enter their answer into the system. See Defining Answers for Forgotten Password Hints.
Accesses the forgotten password page and enters their user ID.
Answers the security question.
See Requesting New Passwords

Use the Forgot My Password Hint page to define questions for users to answer as a means to authenticate themselves if they forget their password.

The security administrator sets up multiple questions, but users can only select one question to answer.

To access the Forgot My Password Hint page (PSPSWDHINT) select PeopleTools > Security > Password Configuration > Forgotten Password Hints.

With these hints set up, users can access the Forgot My Password page. If the user answers the question correctly, a new password is sent through the email system.

To create a forgotten password hint:

Click Add a New Value.
On the Add a New Value page, enter a three-character ID in the Password Hint ID field.
Click Add.
Select the Active check box.
In the Question field, enter the question to use as a password hint.
Click the Save button.

To delete a password hint:

Select PeopleTools > Security > User Profiles > Delete Forgotten Password Hint.
Enter the specific code for the hint or perform a search for it.
On the Delete Forgot My Password Hint page, select the appropriate hint.
Click Delete.

Before the system emails a new, randomly generated password to a user, you want to make sure they are who they claim to be. The Forgotten Password feature enables you to pose a standard question to users requesting a new password to verify the user's authenticity. If the user enters the appropriate response, then the system automatically emails a new password.

When a user has forgotten a PeopleSoft password, the system sends the user a new password within an email message. You can have numerous password hints, but typically, you send all new passwords using the same email message template. Because of this, PeopleSoft provides a separate page just for composing the standard email text that you use for your template.

To access the Forgot My Password Email Text page select PeopleTools > Security > Password Configuration > Forgot My Password Email Text and click the Forgot My Password Email Text tab.

For information on the rich text editor interface, see Working With Rich Text Editor Fields.

Add the following text string in the Email Text field:

<<%PASSWORD>>

The system inserts the new password here. The %PASSWORD variable resolves to the generated value.

Note: You might instruct the user to change the password to something easier to remember after they sign in to the system with the randomly generated password. Only users who have the Allow User ID/Password to be Emailed option enabled on the Permission List - General page can receive a new password using this feature.

For example:

Your new password is <<%PASSWORD>>.

To change this system-generated password, from the Main Menu click the Change Password link.

If a user provides an incorrect response to a password hint question, the system can automatically send an email notification to the user that indicates that they provided an incorrect response.

Use the Incorrect Hint Response Email Text page (EMAILHINTFAIL) to compose a generic message that the system sends to users if they enter an incorrect response to a password hint. To access the page select PeopleTools > Security > Password Configuration > Forgotten Password Email Text and click the Wrong Hint Response Email Text tab.

Enter any message that suits your business requirements. Keep in mind that the same message is sent to all users who provide an incorrect password hint response.

You can change the delay between the processing of hint responses on the Password Controls page in the Seconds Delay Between field. See Setting Password Controls.

For information on the rich text editor interface, see Working With Rich Text Editor Fields.

PeopleSoft recommends that the security administrator sets up a site specifically designed for users who have forgotten their passwords. This site would require no password to enter, but it would provide access only to forgotten password pages.

To set up a forgotten password site:

Set up a separate PeopleSoft Pure Internet Architecture site on your web server.
Set up a direct connection to the site, such as a link to it.
In the web profile, enable public access and specify a public user ID and password for automatic authentication.
This direct user should have limited access, for example, only to the Email New Password component. Users go directly to it, and a new password is emailed.
Place a link to the forgotten password site within the public portion of the PeopleSoft portal or on another public web site.
Notify your user community of the link.

Note: The URL for the site should have this format: http://<webserver>/psp/<sitename>/<portalname>/<localnodename>/c/MAINTAIN_SECURITY.EMAIL_PSWD.GBL?

Note: You may want to use the same site for forgotten user IDs and forgotten passwords.

End users can use the Change or Set Up Forgotten Password Help page (USER_PSWDHINT) to define an answer to a predefined password hint question set up by the system administrator.

If you forget your password, the system will present you with a security question. When you provide the answer, the system emails you instructions to reset your password.

Select My System Profile from the NavBar menu and click the link Change or set up forgotten password help.

See Setting Up Your System Profile.

Change or set up forgotten password help page

Field or Control	Description
Question	This field contains the security question set up by the administrator.
Response	Enter the answer to the question.

This section describes how an end user requests new passwords.

Prerequisites for Requesting New Passwords

Before the system can email the user a new password, the security administration must complete the requirements in Implementing Forgotten Password Emails.

Specifying the User to Validate

Use the Forgotten Password page to specify the ID of the user to validate.

To access the Forgotten Password page, click the Forgotten Password link on the PeopleSoft signon page or use a link as provided by the security administrator.
In the User ID field enter the user name to validate.
This example illustrates the fields and controls on the Forgotten Password page.
Click the Continue button.
For security purposes no indication is provided if a user enters a correct user ID or an incorrect user ID. If an incorrect user ID is entered, a user is able to proceed in the process, but the password reset will not be successful.
At the end of the procedure the system displays a message advising users to contact their security administrator or system administrator if the password reset is not successful, and users who inadvertently entered an incorrect user ID may contact their administrator for assistance.

Entering Password Hint Responses

After you enter the user ID to validate on the Forgotten Password page, you are presented with a question to answer.

In the Response field enter the answer to the question.
This example illustrates the fields and controls on the Security Question page.
Click the Generate/Email New Password button.
The Email Confirm page appears with a message that the password has been emailed to the primary email address defined for the user.
This example illustrates the Email Confirm page.

In the interest of security, the system does not provide feedback if a correct response is entered for the password question or if an incorrect response is entered.

If the user enters a valid user ID in the previous step and enters the correct response to the password question, a new password is emailed to the primary email account as defined in the user profile, provided that the administrator has satisfied the prerequisites described previously in this section.

If the security administrator has configured the Incorrect Hint Response Email Text message as described previously in this topic, at the end of the procedure the system sends an email to the address defined in the user profile providing information and instructions as determined by the administrator.

If the user did not enter a valid user ID in the previous step, he or she is able to enter a response to the password hint. However, no new password generation is performed.

Working With Passwords

Setting Password Controls

Signon PeopleCode

Password Policy

Password History

Password Change

Hint Responses

Purge User Profiles

Characters Excluded from Randomly Generated Passwords

Password Text Restrictions

Password OPRID Property Restrictions

Changing Passwords

Implementing Forgotten Password Emails

Creating Hints for Forgotten Passwords

Deleting Hints for Forgotten Passwords

Creating Email Text for Forgotten Passwords

Creating Email Text for Incorrect Hint Responses

Setting Up the Site for Forgotten Passwords

Defining Answers for Forgotten Password Hints

Requesting New Passwords

Prerequisites for Requesting New Passwords

Specifying the User to Validate

Entering Password Hint Responses