Working With Passwords
This section discusses how to:
Set password controls.
Change passwords.
Create hints for forgotten passwords.
Delete hints for forgotten passwords.
Define answers for forgotten password hints.
Create email text for forgotten passwords.
Create email text for incorrect hint responses.
Set up the site for forgotten passwords.
Request new passwords.
Access the Password Controls page (
).
This example illustrates the fields and controls on the Password Controls page. You can find definitions for the fields and controls later on this page.

You use the Password Controls page to set any password restrictions, such as duration or minimum password length, that you want to impose on your end users. These options apply when you are maintaining your user profiles within PeopleSoft databases.
Important! PeopleTools delivers the Password Controls page with a number of default field values. When you perform a standard database installation the default values are set. The default values are not automatically set during an upgrade.
The following tables describe the fields on the Password Controls page, including any default field values delivered. When you enable or specify values for these options, pages used to create or modify passwords will display statements describing the applicable policy details, as mentioned in the tables. For example, end users will see the Password Policy details when using Change My Password, and administrators will see them when configuring user profile attributes.
Signon PeopleCode
Field or Control | Description |
---|---|
Enabled | Select the box to enable the PeopleSoft Password Expiration and Account Lockout fields. By default this option is Enabled. You must restart the application server whenever you change this setting. You can extend or customize the controls by modifying the PeopleCode. |
Password Expiration | Use the controls in this section to manage password expiration options. PeopleSoft delivers a default permission list named PSWDEXPR (Password Expired). When a user's password expires, the system automatically removes all of the user's roles and permission lists, and temporarily assigns them the PSWDEXPR permission list only. A user whose password has expired can access only items in the PSWDEXPR permission list, which typically grants access to only the Change Password component (CHANGE_PASSWORD). For the duration of the session, that is, until the user changes the password, the user is restricted solely to the PSWDEXPR permission list. Note: The actual user profile stored in the database is not changed in any way when the password expires. You do not need to redefine the profile. When the password is changed, the system restores the user profile's previous roles and permission lists. Note: The password expiration applies only to signing into the system through the PeopleSoft Pure Internet Architecture (PIA). When you log in to PeopleTools utilities such as Application Designer, Application Engine, or Data Mover, the password expiration control does not apply. For example, if you try to use an expired password to sign in to PIA, you will see an error message, but you can use the same password to sign into Application Designer. |
Account Lockout | Failed Logons: Enter the maximum number of failed sign-in attempts to allow before the system disables the user profile. The default value is 5. For example, if you set the Failed Logons value to 3, and a user fails three sign-in attempts, she is automatically locked out of the system. Even if she correctly enters a user ID and password on the fourth attempt, she is not permitted to sign in. This feature reduces the risk of any intruders using brute force to break into your system. After an account is locked out, a system administrator must open the user profile and deselect the Account Locked check box manually. |
Password Policy
Use these fields to specify the number and types of characters that passwords must include. Passwords can include up to 64 characters.
Field or Control | Description |
---|---|
Allow Spaces | Select to allow spaces within passwords. Spaces are not allowed as the first or last character in passwords. There is further information about using spaces following this table. If this is enabled, the policy statement shown is "Password must not contain leading or trailing spaces." If this is not enabled, the policy statement shown is "Password must not contain spaces." |
Password May Match | |
Minimums The default value is zero (0) for all. | |
Password History
Field or Control | Description |
---|---|
Passwords to Retain | Enter the number of user passwords to retain in the password history table (PSPSWDHISTORY). The default value is 0. If the user attempts to reuse a password that is stored in the password history table, the application issues an error and prompts the user to enter a different password. When the number of retained passwords for a user surpasses the number indicated in the Passwords to Retain field, the system deletes the oldest password and then stores the current password as the newest password. |
Note: If the password history table contains values and you change the Passwords to Retain field value to 0, the system deletes the password history for all users.
Password Change
Field or Control | Description |
---|---|
Allowed Every n Days | Enter the number of days required before a password can be changed. This prevents multiple password changes in rapid succession. This option is not applicable to pages that require administrator access. The policy statement shown for non-zero values is "Password change allowed on or after <date>." |
Hint Responses
Field or Control | Description |
---|---|
Seconds Delay Between | This setting controls the length of time to wait between processing consecutive hint responses, regardless of whether the response is correct. The default value is 0. |
Purge User Profiles
Field or Control | Description |
---|---|
Days of Inactivity | Enter the maximum number of days that a user can go without accessing the application, after which the system marks the profile as inactive. By default the field is blank. After you set the value and save the page, click the Schedule button to access and automate the PURGEOLDUSRS Application Engine program that performs the delete process. If you maintain user profiles in a directory server, a row is added to the PSOPRDEFN table for the system to access while the user interacts with the system. However, when the user is deleted from the directory server, you must manually delete the row in PSOPRDEFN associated with the deleted user profile. |
Characters Excluded from Randomly Generated Passwords
Enter up to 100 characters. You can enter alphanumeric or special characters. When the system generates a new password for users who have forgotten their password, these characters will not be used.
The list of characters you enter will be edited to remove duplicates, spaces, and irrelevant characters. Characters that are relevant for passwords are 0-9, a-z, A-Z, and certain special characters. Others, such as characters with special notation, Chinese, and Arabic, are considered irrelevant for this context.
The system prevents exclusion of all characters for which there is a required minimum.
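The exclusion rules above can be modelled as follows. This is an added example, not PeopleTools code: the special-character set, the four class names, and the function names are assumptions made for illustration.

```python
import secrets
import string

# Assumption: the page only says "certain special characters" are relevant;
# this set, and the four class names, are constructed for the example.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}
RELEVANT = set("".join(CLASSES.values()))
MAX_EXCLUDED = 100  # "Enter up to 100 characters"
MAX_LENGTH = 64     # "Passwords can include up to 64 characters"


def normalize_exclusions(raw):
    """Remove duplicates, spaces and irrelevant characters, keeping first-seen order."""
    if len(raw) > MAX_EXCLUDED:
        raise ValueError("exclusion list is limited to 100 characters")
    kept = []
    for ch in raw:
        if ch in RELEVANT and ch not in kept:
            kept.append(ch)
    return "".join(kept)


def allowed_pools(excluded, minimums):
    """Per-class character pools after exclusion.

    Refuses an exclusion list that empties a class with a required minimum.
    """
    pools = {}
    for name, chars in CLASSES.items():
        pool = [c for c in chars if c not in excluded]
        if minimums.get(name, 0) > 0 and not pool:
            raise ValueError(f"cannot exclude every {name} character")
        pools[name] = pool
    return pools


def generate_password(length, minimums, raw_exclusions=""):
    """Random password that meets the minimums and avoids excluded characters."""
    if not 0 < length <= MAX_LENGTH or sum(minimums.values()) > length:
        raise ValueError("length must be 1-64 and cover the minimums")
    pools = allowed_pools(normalize_exclusions(raw_exclusions), minimums)
    everything = [c for pool in pools.values() for c in pool]
    if not everything:
        raise ValueError("exclusion list leaves no characters to choose from")
    chars = []
    for name, count in minimums.items():
        chars += [secrets.choice(pools[name]) for _ in range(count)]
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # avoid a predictable class order
    return "".join(chars)
```

Excluding look-alike characters such as O, 0, l, 1 and I is a typical use; the check in allowed_pools is what stops an administrator from excluding, for example, every digit while a digit minimum is in force.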
Password Text Restrictions
Use these options to specify text that is prohibited from appearing in passwords.
Field or Control | Description |
---|---|
Restrict Rule | Select a rule to control how the restricted text can be used. |
Restricted Text | Enter any value up to 64 characters. |
Password OPRID Property Restrictions
Use these options to prevent user ID (OPRID) attributes from appearing in passwords.
Note: These restrictions may not be applicable when creating a new user profile or copying a user profile.
Field or Control | Description |
---|---|
Restrict Rule | Select a rule to prevent the use of the OPRID attribute in passwords. |
Record Name | Select a record or view that has OPRID as the only key. |
Field Name | Select any field within the selected record or view that is a character field with 64 characters or less. This option is available after you select the Record Name. |
Field Label ID | Select the Field Label ID corresponding to the text to be prohibited. |
Long Label | After you select the Field Label ID, the Long Label text is displayed. This text will be displayed on the list of password policies, for example on the Change Password page. |
Access the Change My Password page (select Change My Password from the NavBar menu). The PeopleSoft system enables users to change their passwords as needed.
This example illustrates the fields and controls on the Change Password page.

To change a PeopleSoft password:
From the homepage, click Change My Password.
On the Change Password page, enter the current password in the Current Password field.
In the New Password field, enter a new password.
The page displays the password policy set by the administrator.
Confirm the new password by entering it again in the Confirm Password field.
Click Change Password.
Note: For troubleshooting, the administrator may check the entered values and so on through the PeopleCode that supports the page.
Set up hints and email text to allow end users who forget their passwords to request new, randomly generated passwords.
This setup assumes that the system is configured to send emails to end users. To allow users to request new passwords, the security administrator fulfills these requirements:
Configures the requirements for the replacement passwords.
For example, specify the length and allowed characters. See Setting Password Controls.
Specifies an email address on the user profile.
On the User Profile - General page, select Edit Email Addresses and add a valid email address. See Setting General User Profile Attributes.
Allows emails on one of the end user's permission lists.
On the Permission Lists - General page, select the option Allow User ID/Password to be Emailed. If this setting is not selected, the user is not allowed to receive the new password through email. If the user is allowed to receive new passwords through email, the user can request a new password. See Setting General Permissions.
Creates security questions (hints) that the end user must answer to continue with the email request.
Composes text for the email to send to end users who provide a valid user ID and answer the security question correctly.
Composes text for the email to send to end users who do not answer the security question correctly.
Sets up a web site for the end user to request a replacement password.
When the prerequisite setup is complete, the end user who needs a new password:
Chooses a security question and supplies an answer.
The Change or Set Up Forgotten Password Help page is where users select the security question and enter their answer into the system. See Defining Answers for Forgotten Password Hints.
Accesses the forgotten password page and enters their user ID.
Answers the security question.
Use the Forgot My Password Hint page to define questions for users to answer as a means to authenticate themselves if they forget their password.
The security administrator sets up multiple questions, but users can only select one question to answer.
To access the Forgot My Password Hint page (PSPSWDHINT) select
.
This example illustrates the fields and controls on the Forgot My Password Hint page.

With these hints set up, users can access the Forgot My Password page. If the user answers the question correctly, a new password is sent through the email system.
To create a forgotten password hint:
Click Add a New Value.
On the Add a New Value page, enter a three-character ID in the Password Hint ID field.
Click Add.
Select the Active check box.
In the Question field, enter the question to use as a password hint.
Click the Save button.
To delete a password hint:
Select
Enter the specific code for the hint or perform a search for it.
On the Delete Forgot My Password Hint page, select the appropriate hint.
Click Delete.
Before the system emails a new, randomly generated password to a user, you want to make sure they are who they claim to be. The Forgotten Password feature enables you to pose a standard question to users requesting a new password to verify the user's authenticity. If the user enters the appropriate response, then the system automatically emails a new password.
When a user has forgotten a PeopleSoft password, the system sends the user a new password within an email message. You can have numerous password hints, but typically, you send all new passwords using the same email message template. Because of this, PeopleSoft provides a separate page just for composing the standard email text that you use for your template.
To access the Forgot My Password Email Text page select
and click the Forgot My Password Email Text tab.
This example illustrates the fields and controls on the Forgot My Password Email Text page.

For information on the rich text editor interface, see Working With Rich Text Editor Fields.
Add the following text string in the Email Text field:
<<%PASSWORD>>
The system inserts the new password here. The %PASSWORD variable resolves to the generated value.
Note: You might instruct the user to change the password to something easier to remember after they sign in to the system with the randomly generated password. Only users who have the Allow User ID/Password to be Emailed option enabled on the Permission List - General page can receive a new password using this feature.
For example:
Your new password is <<%PASSWORD>>.
To change this system-generated password, from the Main Menu click the Change Password link.
If a user provides an incorrect response to a password hint question, the system can automatically send an email notification to the user that indicates that they provided an incorrect response.
Use the Incorrect Hint Response Email Text page (EMAILHINTFAIL) to compose a generic message that the system sends to users if they enter an incorrect response to a password hint. To access the page select
and click the Wrong Hint Response Email Text tab.
This example illustrates the fields and controls on the Incorrect Hint Response Email Text page.

Enter any message that suits your business requirements. Keep in mind that the same message is sent to all users who provide an incorrect password hint response.
You can change the delay between the processing of hint responses on the Password Controls page in the Seconds Delay Between field. See Setting Password Controls.
For information on the rich text editor interface, see Working With Rich Text Editor Fields.
PeopleSoft recommends that the security administrator sets up a site specifically designed for users who have forgotten their passwords. This site would require no password to enter, but it would provide access only to forgotten password pages.
To set up a forgotten password site:
Set up a separate PeopleSoft Pure Internet Architecture site on your web server.
Set up a direct connection to the site, such as a link to it.
In the web profile, enable public access and specify a public user ID and password for automatic authentication.
This direct user should have limited access, for example, only to the Email New Password component. Users go directly to it, and a new password is emailed.
Place a link to the forgotten password site within the public portion of the PeopleSoft portal or on another public web site.
Notify your user community of the link.
Note: The URL for the site should have this format: http://<webserver>/psp/<sitename>/<portalname>/<localnodename>/c/MAINTAIN_SECURITY.EMAIL_PSWD.GBL?
Note: You may want to use the same site for forgotten user IDs and forgotten passwords.
End users can use the Change or Set Up Forgotten Password Help page (USER_PSWDHINT) to define an answer to a predefined password hint question set up by the system administrator.
If you forget your password, the system will present you with a security question. When you provide the answer, the system emails you instructions to reset your password.
Select My System Profile from the NavBar menu and click the link Change or set up forgotten password help.
See Setting Up Your System Profile.
This example illustrates the fields and controls on the Change or set up forgotten password help page.

Field or Control | Description |
---|---|
Question | This field contains the security question set up by the administrator. |
Response | Enter the answer to the question. |
This section describes how an end user requests new passwords.
Prerequisites for Requesting New Passwords
Before the system can email the user a new password, the security administrator must complete the requirements in Implementing Forgotten Password Emails.
Specifying the User to Validate
Use the Forgotten Password page to specify the ID of the user to validate.
To access the Forgotten Password page, click the Forgotten Password link on the PeopleSoft signon page or use a link as provided by the security administrator.
In the User ID field enter the user name to validate.
This example illustrates the fields and controls on the Forgotten Password page.
Click the Continue button.
For security purposes no indication is provided if a user enters a correct user ID or an incorrect user ID. If an incorrect user ID is entered, a user is able to proceed in the process, but the password reset will not be successful.
At the end of the procedure the system displays a message advising users to contact their security administrator or system administrator if the password reset is not successful, and users who inadvertently entered an incorrect user ID may contact their administrator for assistance.
Entering Password Hint Responses
After you enter the user ID to validate on the Forgotten Password page, you are presented with a question to answer.
In the Response field enter the answer to the question.
This example illustrates the fields and controls on the Security Question page.
Click the Generate/Email New Password button.
The Email Confirm page appears with a message that the password has been emailed to the primary email address defined for the user.
This example illustrates the Email Confirm page.
In the interest of security, the system does not provide feedback if a correct response is entered for the password question or if an incorrect response is entered.
If the user enters a valid user ID in the previous step and enters the correct response to the password question, a new password is emailed to the primary email account as defined in the user profile, provided that the administrator has satisfied the prerequisites described previously in this section.
If the security administrator has configured the Incorrect Hint Response Email Text message as described previously in this topic, at the end of the procedure the system sends an email to the address defined in the user profile providing information and instructions as determined by the administrator.
If the user did not enter a valid user ID in the previous step, he or she is able to enter a response to the password hint. However, no new password generation is performed.
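The request flow described above, with its identical on-screen result for every outcome and its delay applied to every hint response, can be sketched as follows. This is an added example, not PeopleSoft code: the class, the message wording other than the <<%PASSWORD>> template, the answer normalization, and the in-memory outbox are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed wording; the page says only that no feedback is given on screen.
CONFIRMATION = "If the details you entered are valid, a new password has been emailed."
NEW_PASSWORD_TEXT = "Your new password is <<%PASSWORD>>."  # template from the page
WRONG_HINT_TEXT = "An incorrect security answer was submitted for your account."


def _derive(answer, salt):
    """Salted, slow hash of a normalized hint response (normalization is an assumption)."""
    data = answer.strip().casefold().encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)


class ForgottenPasswordService:
    def __init__(self, delay_seconds=0, wrong_hint_email=True, sleep=time.sleep):
        self.delay_seconds = delay_seconds  # "Seconds Delay Between"
        self.wrong_hint_email = wrong_hint_email
        self.sleep = sleep
        self.users = {}
        self.outbox = []  # (address, body) pairs stand in for real mail
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = _derive(secrets.token_hex(16), self._dummy_salt)

    def enroll(self, user_id, email, answer, may_email_password=True):
        salt = secrets.token_bytes(16)
        self.users[user_id] = {"email": email, "salt": salt,
                               "hash": _derive(answer, salt),
                               "may_email": may_email_password}

    def submit(self, user_id, response):
        """Process one hint response; the caller sees the same text in every case."""
        self.sleep(self.delay_seconds)  # applied whether or not the response is correct
        user = self.users.get(user_id)
        # Unknown IDs are checked against a dummy record so the work done is the same.
        salt = user["salt"] if user else self._dummy_salt
        expected = user["hash"] if user else self._dummy_hash
        correct = hmac.compare_digest(_derive(response, salt), expected)
        if user and correct and user["may_email"]:
            # A real system would also store the new credential at this point.
            password = secrets.token_urlsafe(12)
            body = NEW_PASSWORD_TEXT.replace("<<%PASSWORD>>", password)
            self.outbox.append((user["email"], body))
        elif user and not correct and self.wrong_hint_email:
            self.outbox.append((user["email"], WRONG_HINT_TEXT))
        return CONFIRMATION
```

The only channel that distinguishes the outcomes is the mailbox registered on the user profile, which is why the page requires a valid email address and the permission-list option before the feature is usable.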