Password Policy

The password policy controls the following:

  • Password composition.
  • Frequency of change.
  • SelfService forgot password configuration.

The sections below describe how to configure the password policy. To access the password policy configuration page, go to Policy > Password Policy. If you are new to OpenIAM, start by configuring the existing Default Password Policy instead of creating a new one.

Password Policy Overview

The general data of the password policy contains the following fields:

  • Name
  • Description
  • Priority: A numeric value representing the priority of this policy. A higher number means a higher priority than policies with a lower number.
  • Active/Not Active flag: If the policy is not active, it is not used during policy resolution.

[Screenshot: Password Policy overview]

Password Policy Composition

This section of the page allows configuring the details of the required password composition. The description of each field is provided in the table below.

  • Alpha Character (Min-Max) Amount: Minimum and maximum number of alphabetic (letter) characters that must be included in a password.
  • Ideographic Characters (Chars) Are Not Allowed in the Password: Determines whether CJKV (Chinese, Japanese, Korean, and Vietnamese) ideographic characters, as defined by the Unicode Standard, may be used in a password.
  • Initial Password Type (deprecated): Random versus static password generation must be defined in the OpenIAM managed system policy map, in the password Groovy script. An example Groovy script that generates a random password is given in Appendix 1 below.
  • Limit the Repetition of the Same Character: For example, if this value is set to 3, the password kkfd44kddsk is not acceptable because it contains four 'k' letters, while kkfd44Kddsk is accepted because one 'K' is uppercase.
  • Lowercase Characters (Min-Max) Amount: Minimum and maximum number of lowercase (small) characters that must be included in a password.
  • Minimum Number of Words in the Phrase: The least number of words a passphrase must contain.
  • Non-alpha Numeric Symbols (Min-Max) Amount: Minimum and maximum number of non-alphanumeric symbols (punctuation marks, special symbols, and other characters) that must be included in a password.
  • Numeric Characters (Min-Max) Amount: Minimum and maximum number of numeric (digit) characters that must be included in a password.
  • Reject Password Equals Password: If checked, the policy forbids the password from being the word "password".
  • Password History Versions: A numeric value; the number of historical passwords tracked for a user account.
  • Password Length: Determines the length of the password.
  • Reject Password Which Equals to LoginId: If checked, the policy forbids the password from being the same as the LoginId.
  • Reject Password Which Equals to First or Last Name: If checked, the policy forbids the password from being the same as the first or last name of the user.
  • Characters Not Allowed in a Password: Specifies characters that users are prohibited from including in their passwords.
  • Words Not Allowed in a Password: If the password is in the blacklist (password dictionary), it is rejected. To add a password dictionary, check the box and go to the Import/Export section at the very end of the page, then add the dictionary file to the Upload Password Dictionary field by clicking Browse.
  • Repetition of the Same Word in the Phrase: If checked, prevents users from using identical or repeated words within the same passphrase.
  • Uppercase Characters (Min-Max) Amount: Minimum and maximum number of uppercase (capital) characters that must be included in a password.

[Screenshot: Password Composition]
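To make the composition rules concrete, the following Python validator applies the rules from the table above to a candidate password and reports which ones it violates. It is an added example written for this page, not OpenIAM's own implementation: the CompositionPolicy fields, the DEMO_POLICY values, the case-insensitive comparison against "password", the login id and names, and the Unicode ranges used for the ideographic check are all assumptions of the example. The repetition check follows the table's kkfd44kddsk / kkfd44Kddsk example exactly (case-sensitive counting, more than the limit is rejected).

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Bounds = Tuple[int, Optional[int]]  # (minimum, maximum or None for unbounded)


@dataclass(frozen=True)
class CompositionPolicy:
    """Constructed settings mirroring the Password Policy Composition fields."""
    length: Bounds = (8, None)
    alpha: Bounds = (0, None)
    lowercase: Bounds = (0, None)
    uppercase: Bounds = (0, None)
    numeric: Bounds = (0, None)
    non_alphanumeric: Bounds = (0, None)
    max_same_char: Optional[int] = None        # Limit the Repetition of the Same Character
    reject_password_word: bool = True          # Reject Password Equals Password
    reject_login_id: bool = True               # Reject Password Which Equals to LoginId
    reject_names: bool = True                  # Reject Password Which Equals to First or Last Name
    forbidden_chars: str = ""                  # Characters Not Allowed in a Password
    dictionary: FrozenSet[str] = frozenset()   # Words Not Allowed in a Password (blacklist)
    reject_ideographic: bool = False           # Ideographic Characters Are Not Allowed


def _in_bounds(count: int, bounds: Bounds) -> bool:
    low, high = bounds
    return count >= low and (high is None or count <= high)


def _is_ideographic(ch: str) -> bool:
    # CJK Unified Ideographs and Extension A; an approximation of "CJKV ideographs" (assumption)
    cp = ord(ch)
    return 0x4E00 <= cp <= 0x9FFF or 0x3400 <= cp <= 0x4DBF


def validate(password: str, policy: CompositionPolicy, login_id: str = "",
             first_name: str = "", last_name: str = "") -> list:
    """Return the names of the violated rules; an empty list means the password is accepted.
    Comparisons against 'password', the login id and names are case-insensitive (assumption)."""
    failures = []
    if not _in_bounds(len(password), policy.length):
        failures.append("length")
    counts = {
        "alpha": sum(c.isalpha() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        "numeric": sum(c.isdigit() for c in password),
        "non_alphanumeric": sum(not c.isalnum() for c in password),
    }
    for rule, count in counts.items():
        if not _in_bounds(count, getattr(policy, rule)):
            failures.append(rule)
    # Repetition is counted case-sensitively: with a limit of 3, four 'k's fail
    # but three 'k's plus one 'K' pass, as in the table's example.
    if policy.max_same_char is not None and any(
            password.count(c) > policy.max_same_char for c in set(password)):
        failures.append("repetition")
    lowered = password.lower()
    if policy.reject_password_word and lowered == "password":
        failures.append("password_word")
    if policy.reject_login_id and login_id and lowered == login_id.lower():
        failures.append("login_id")
    if policy.reject_names and lowered in {n.lower() for n in (first_name, last_name) if n}:
        failures.append("name")
    if any(c in policy.forbidden_chars for c in password):
        failures.append("forbidden_char")
    if lowered in policy.dictionary:
        failures.append("dictionary")
    if policy.reject_ideographic and any(_is_ideographic(c) for c in password):
        failures.append("ideographic")
    return failures


# Constructed demo policy: 8-64 characters, at least one digit, no character more than
# three times, no spaces, and a one-word blacklist.
DEMO_POLICY = CompositionPolicy(length=(8, 64), numeric=(1, None), max_same_char=3,
                                forbidden_chars=" ", dictionary=frozenset({"winter2024"}))

if __name__ == "__main__":
    for candidate in ("kkfd44kddsk", "kkfd44Kddsk", "password", "Winter2024"):
        print(candidate, "->", validate(candidate, DEMO_POLICY) or "accepted")
```

Running the block prints the verdict for each constructed candidate; the first two reproduce the table's repetition example, and the remaining two show the "password" and dictionary rejections.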

Forgot Password Parameter

This section of the page allows configuring the forgot password parameters and the steps to restore a password. The fields are described in the table below.

  • Number of Answers for User Defined Questions That Are Required to Be Correct: OpenIAM provides 18 out-of-the-box security questions but also allows the creation of custom questions. To use this function via the web console, go to Administration > Challenge Response Questions > Create New Question. If you have custom questions, this policy defines the number of correct answers required. This can also be done via the SelfService portal; the steps are described in the linked document.
  • Max Number of Fail Attempts to Answer Helpdesk Questions: See Helpdesk protection for more information.
  • User Failed Question Answers Count: Each time the user answers a question incorrectly, their failure count increases. Once the set number is exceeded, the account is locked.
  • Number of Days the Forgot Password Token Is Valid: If not set, the default value is 3. Note: The value can only be set in days, with a minimum of 1.
  • Failed OTP Count: The number of unsuccessful attempts to enter or verify a One-Time Password (OTP). If not set, the default value is 3.
  • OTP Lifetime (Minutes): The duration for which a One-Time Password (OTP) is valid for authentication. The default value is 30 minutes.
  • Number of Answers That Are Required to Be Correct: The minimum number of correct answers needed for the out-of-the-box security questions.
  • Number of Questions to Display: The total number of questions to be asked.
  • Question List Source: The source the security questions are taken from.
  • Max Number of Helpdesk Questions to Be Asked to the End User: See Helpdesk protection for more information.
  • Should User Choose Reset Password Action?: If checked, the decision to reset the password is made by the user.

To prevent security questions from being displayed during the first login, disable the following settings:

  • Max number of fail attempts to answer Helpdesk questions.
  • Number of answers that are required to be correct.

[Screenshot: Forgot Password]

Password Change Rule

This section of the page allows configuring the rules for changing the password. The fields are described in the table below.

[Screenshot: Change Rule]

  • Change Password on the 1st Login?: If checked, the user is required to change the initial password upon the first login.
  • Maximum retries for validate password: Number of attempts allowed to validate a password.
  • Password expiration grace period: The number of days after the password has expired during which the user is still permitted to log in.
  • Password expiration days: Number of days the password stays valid and active. Note: If your goal is a password policy under which users' passwords never expire, populate this field with a large number such as 9999. Currently there is no other way to keep a password from expiring.
  • Change Password after reset: Requires the user to change their password after an administrator resets it.
  • Determines How Many Times You Are Allowed to Change Your Password: A numeric value limiting how many times the user is allowed to change the password.
  • Days to password expiration warning: The number of days before expiration at which the user is sent a warning.
  • Reject reset by user: If checked, a password reset initiated by the user is rejected.
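The expiration, grace period and warning fields interact as three consecutive windows counted from the last password change. The Python function below, added here as an illustration and not OpenIAM's own logic, classifies a password on a given day; the boundary convention (valid through the day before expiration, grace starting on the expiration day, warning starting warning_days before it) and the sample dates are assumptions of the example.

```python
from datetime import date, timedelta


def password_status(last_changed: date, today: date, expiration_days: int,
                    grace_days: int = 0, warning_days: int = 0) -> str:
    """Classify a password under the change rule fields.

    Boundary convention (an assumption; the page does not spell it out): the password
    is valid through the day before last_changed + expiration_days, the grace period
    begins on that day, and the warning begins warning_days before expiration.
    Returns 'valid', 'warning', 'grace' (expired, login still permitted) or 'expired'.
    """
    expires_on = last_changed + timedelta(days=expiration_days)
    grace_ends = expires_on + timedelta(days=grace_days)
    if today >= grace_ends:
        return "expired"
    if today >= expires_on:
        return "grace"
    if today >= expires_on - timedelta(days=warning_days):
        return "warning"
    return "valid"


def status_on(last_changed: str, today: str, expiration_days: int,
              grace_days: int = 0, warning_days: int = 0) -> str:
    """Same as password_status, taking ISO-8601 date strings for convenience."""
    return password_status(date.fromisoformat(last_changed), date.fromisoformat(today),
                           expiration_days, grace_days, warning_days)


if __name__ == "__main__":
    changed = "2024-01-01"  # constructed sample date
    # 90-day expiration, 7-day grace period, warning 14 days ahead
    for day in ("2024-03-01", "2024-03-25", "2024-04-02", "2024-04-10"):
        print(day, "->", status_on(changed, day, 90, 7, 14))
    # The page's "never expires" workaround: a very large expiration value
    print("2030-01-01 with 9999 days ->", status_on(changed, "2030-01-01", 9999, 0, 14))
```

With a 90-day expiration the constructed dates fall into each window in turn: valid, warning, grace, expired. The last line shows why 9999 days behaves as "never expires" in practice.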

It is also possible to limit password validation attempts. Once the limit is reached, the following error is thrown:

Maximum limit for password validation for an identity reached.

[Screenshot: Password validation limit]

The user will be able to validate a password again after 10 minutes.

Note: On the 1st login, the user might be taken directly to the challenge questions after entering the password, instead of being asked to change their password. This can happen even if the Change Password on the 1st Login? field is checked. To address this, make sure the sync script sets the PENDING_INITIAL_LOGIN status for new users.

Multiple password policies

OpenIAM provides the capability to link multiple password policies to various objects such as roles, groups, organizations, managed systems and authentication policies. When a user sets/resets a password, a password policy resolver is called. The password policy with the highest priority is then applied.

Example:

  • There are several password policies in OpenIAM: the Default Password Policy with a priority of 10; CustomPolicy1 with a priority of 14 (more restrictive than the default password policy); AD Password Policy with a priority of 15.
  • The following objects are in OpenIAM: The role Manager is linked to CustomPolicy1; the group AD Users is linked to AD Password Policy; the organization Sales Department is linked to Default Password Policy.
  • The user John.Snow has a Manager role and is a member of the Sales Department organization.
  • The user Sansa.Stark belongs to the AD Users group and is a member of the Sales Department organization.
  • The user Arya.Stark has a Manager role and belongs to the AD Users group.
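The following Python snippet, added as an illustration and not part of OpenIAM's resolver, applies the stated rule (highest-priority active policy among the linked objects wins) to the three users above. The policy, role, group and organization values are taken from the example; the fall-back to the default policy when a user has no linked policy, and the handling of inactive policies via the Active/Not Active flag, are assumptions of this example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional, Tuple

Link = Tuple[str, str]  # (object type, object name), e.g. ("role", "Manager")


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    priority: int        # a higher number wins
    active: bool = True  # inactive policies are skipped during resolution


# Policies and links from the example (constructed to match the page's values)
DEFAULT = PasswordPolicy("Default Password Policy", 10)
CUSTOM1 = PasswordPolicy("CustomPolicy1", 14)
AD_POLICY = PasswordPolicy("AD Password Policy", 15)

LINKS: Dict[Link, PasswordPolicy] = {
    ("role", "Manager"): CUSTOM1,
    ("group", "AD Users"): AD_POLICY,
    ("organization", "Sales Department"): DEFAULT,
}

USERS: Dict[str, List[Link]] = {
    "John.Snow": [("role", "Manager"), ("organization", "Sales Department")],
    "Sansa.Stark": [("group", "AD Users"), ("organization", "Sales Department")],
    "Arya.Stark": [("role", "Manager"), ("group", "AD Users")],
}


def resolve(memberships: Iterable[Link], links: Dict[Link, PasswordPolicy] = LINKS,
            fallback: Optional[PasswordPolicy] = DEFAULT) -> Optional[PasswordPolicy]:
    """Return the active policy with the highest priority among the user's linked objects.
    Falling back to the default policy when nothing applies is an assumption of this example."""
    candidates = [links[m] for m in memberships if m in links and links[m].active]
    if not candidates:
        return fallback
    return max(candidates, key=lambda p: p.priority)


def resolve_user(user: str, links: Dict[Link, PasswordPolicy] = LINKS) -> str:
    """Name of the policy applied to one of the constructed users."""
    policy = resolve(USERS[user], links)
    return policy.name if policy else "<none>"


def deactivate(links: Dict[Link, PasswordPolicy], link: Link) -> Dict[Link, PasswordPolicy]:
    """Copy of the link table with one policy's Active flag cleared."""
    updated = dict(links)
    updated[link] = replace(links[link], active=False)
    return updated


if __name__ == "__main__":
    for user in USERS:
        print(user, "->", resolve_user(user))
    print("Arya.Stark with AD Password Policy inactive ->",
          resolve_user("Arya.Stark", deactivate(LINKS, ("group", "AD Users"))))
```

Running it shows John.Snow getting CustomPolicy1 (14 beats 10), Sansa.Stark getting AD Password Policy (15 beats 10) and Arya.Stark getting AD Password Policy (15 beats 14); marking AD Password Policy inactive drops Arya.Stark to CustomPolicy1.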

Appendix 1

Groovy script to generate a random password

package org.openiam

import org.openiam.api.connector.groovy.AbstractIPolicyMapGroovy
import org.openiam.api.connector.model.ConnectorAttribute
import org.openiam.api.connector.model.StringOperationalConnectorValue
import org.openiam.base.AttributeOperationEnum
import org.openiam.base.response.list.PolicyListResponse
import org.openiam.common.beans.mq.PolicyRabbitMQService
import org.openiam.idm.provisioning.diff.model.user.ProvisionUserObjectDiff
import org.openiam.idm.searchbeans.PolicySearchBean
import org.openiam.idm.srvc.pswd.service.PasswordGenerator
import org.springframework.beans.factory.annotation.Autowired

/**
 * Script generates a random password using the password policy
 * identified by DEFAULT_POLICY_ID.
 */
class UserPassword extends AbstractIPolicyMapGroovy<ProvisionUserObjectDiff> {

    // Id of the password policy whose composition rules the generated password follows
    private static final String DEFAULT_POLICY_ID = "4000"

    @Autowired
    private PolicyRabbitMQService policyRabbitMQService

    // Only generate a password when the user is being added (ADD operation)
    @Override
    boolean isPerform(ProvisionUserObjectDiff diffObject) {
        return AttributeOperationEnum.ADD.equals(diffObject.getStatus())
    }

    @Override
    void perform(ConnectorAttribute attribute, ProvisionUserObjectDiff diffObject) {
        // Look up the password policy by its id
        PolicySearchBean psb = new PolicySearchBean()
        psb.addKey(DEFAULT_POLICY_ID)
        PolicyListResponse response = policyRabbitMQService.findBeans(psb, 0, 1)
        // Generate a password that satisfies the policy's composition rules
        String password = PasswordGenerator.generatePassword(response.getList().get(0))
        // Set the generated value on the connector attribute
        attribute.addValue(new StringOperationalConnectorValue(password, diffObject.getStatus()))
    }
}