Password policies are used to define a variety of parameters related to passwords, including:
- Password composition
- Password expiration and re-use
- Challenge response behaviour in self service
Password policies in OpenIAM may be associated at the following levels:
- Globally
- Security Domain
- User Type
A security domain is a logical construct that allows you to group a set of policies and managed systems together. Associating a password policy with a security domain may be desirable in environments where there are several groups that each have their own policies. An example of this is a government organization that consists of several agencies. Each agency may maintain its own Active Directory, LDAP, etc. systems, each with unique policies.
Defining a Password Policy
Follow the instructions defined in the Policy Management section to select Password Policy. Once in the Password Policy section, you will see the screen shown below. Fill in the various options on this screen to define your password policy. The fields on the screen are defined in the table below.
| Policy Field | Description |
|---|---|
| Assigned to Policy Domain | Assigns the policy to a security domain, or makes the policy global if no security domain is selected. |
| Password History Versions | Indicates how many previous passwords the system should retain. When defining a new password, it must be unique within this list. For example, if the history is 6 levels deep, the new password cannot match any of the 6 passwords retained in this list. |
| Password Expiration | Number of days after which the password will expire. |
| Password Length | The minimum and maximum length of the password. |
| Days to password expiration warning | Number of days prior to password expiration that the system should start to notify the user that their password is going to expire. This notification is delivered through the self service application. |
| Numeric Characters | Minimum and maximum number of numeric characters that a password must have. |
| Uppercase Characters | Minimum and maximum number of upper case characters that a password must have. |
| Lowercase Characters | Minimum and maximum number of lower case characters that a password must have. |
| Non-alpha numeric characters | Minimum and maximum number of non-alphanumeric characters that a password must have. Non-alphanumeric characters are, for example, $, @, #, &, etc. |
| Number of consecutive characters | Restricts the use of repeating characters. For example, a value of 2 would prevent the user from entering a password containing "111", whereas "11" would be allowed. |
| Reject Password = Login Id | Rejects a password that is equal to the login Id (principal name). |
| Reject Password = First Name / Last Name | Rejects a password that is equal to either the First Name or Last Name. |
| Reject Passwords that begin or end with a numeric character | Rejects a password that begins or ends with a number. |
| Password to contain a numeric character at the following positions | Requires that a password contain a number at a specific location in the string. |
| Password to contain non-alpha numeric chars at the following positions | Requires that a password contain a non-alphanumeric character at a specific location in the password string. |
| Number of Questions Display | Number of questions to display in the self service challenge response screen. The challenge response functionality allows users to identify themselves to the system to unlock their accounts without having to call the help desk. |
| New User Initial Password | Password to assign to a new user. It can be: |

Example
The following is an example of a potential password policy and how it can be implemented in OpenIAM:
- Must be a minimum of 8 characters in length.
- Must contain at least one numeric digit.
- Must contain at least one upper case letter (A-Z).
- Evaluation of a password is case sensitive.
- Can NOT contain the User ID of the User Account.
- Can NOT contain the first name or last name of the User Account.
- Can NOT contain the word "password".
- Can NOT be equal to any of the User Account's previous 5 passwords.
- Password expires 90 days after it is created.
- Can be reset by the user.
- Can only be reset by a user once per day. An administrator can reset the password for the user an unlimited amount of times per day.
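To make the composition and history rules of this example policy concrete, here is an added validator written for this page; it is not OpenIAM's own code. The `PasswordPolicy` fields and the `validate_password` signature are assumptions mirroring the table above, the "does not contain" checks are applied case-insensitively (a stricter reading than the policy text requires), and the history is compared as plaintext purely for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Subset of the policy fields from the table, with the example's values (assumed names)."""
    min_length: int = 8
    min_numeric: int = 1
    min_uppercase: int = 1
    max_consecutive: int = 2          # "111" is rejected, "11" is allowed
    history_versions: int = 5         # previous 5 passwords may not be reused
    reject_login_id: bool = True
    reject_names: bool = True
    forbidden_words: tuple = ("password",)


def validate_password(policy, candidate, login_id, first_name, last_name, history):
    """Return the list of rule violations; an empty list means the password is acceptable.

    `history` is the user's previous passwords, oldest first (plaintext only for this
    example; a real deployment would compare against stored hashes).
    """
    errors = []
    if len(candidate) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    if sum(c.isdigit() for c in candidate) < policy.min_numeric:
        errors.append(f"fewer than {policy.min_numeric} numeric character(s)")
    if sum(c.isupper() for c in candidate) < policy.min_uppercase:
        errors.append(f"fewer than {policy.min_uppercase} upper case character(s)")
    # Any run of identical characters longer than max_consecutive is rejected.
    if re.search(r"(.)\1{%d,}" % policy.max_consecutive, candidate):
        errors.append(f"more than {policy.max_consecutive} consecutive identical characters")
    # The password itself is case sensitive, but the "does not contain" checks are
    # done case-insensitively here so that e.g. "JSmith1!" is still caught (assumption).
    lowered = candidate.lower()
    if policy.reject_login_id and login_id and login_id.lower() in lowered:
        errors.append("contains the login id")
    if policy.reject_names:
        for name in (first_name, last_name):
            if name and name.lower() in lowered:
                errors.append(f"contains the name {name!r}")
    for word in policy.forbidden_words:
        if word in lowered:
            errors.append(f"contains the forbidden word {word!r}")
    if candidate in history[-policy.history_versions:]:
        errors.append(f"matches one of the last {policy.history_versions} passwords")
    return errors
```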