Password Policy

The password policy controls the following:

  • Password composition
  • Frequency of change
  • Self-service forgot password configuration

The sections below describe how to configure a password policy. Password policies are managed in the Webconsole under Policy -> Password Policy. If you are new to OpenIAM, start by adjusting the existing Default Password Policy rather than creating a new one.

Password policy overview

  • Name
  • Description
  • Priority -- A numeric value. When more than one policy applies to a user, the policy with the higher number wins over policies with a lower number (see Multiple password policies below).
  • Active/not active -- An inactive policy is ignored during policy resolution.

Password policy composition

  • Alpha character (Min-Max) amount
  • Ideographic characters (chars) are not allowed in the password --Determines whether CJKV (Chinese, Japanese, Korean and Vietnamese) ideographs, as defined by the Unicode Standard, may be used in a password.
  • Initial Password type
  • Limit the repetition of the same character --The maximum number of times any single character may appear. For example, if this value is set to 3, the password kkfd44kddsk is rejected because it contains four 'k' characters, but kkfd44Kddsk is accepted: the check is case-sensitive, so the uppercase 'K' is counted separately from the lowercase 'k'.
  • Lowercase characters (Min-Max) amount
  • Minimum number of words in the phrase
  • Non-alpha numeric symbols (Min-Max) amount
  • Numeric characters (Min-Max) amount
  • Reject Password equals password --If checked, the literal word "password" is rejected.
  • Password history versions
  • Password length
  • Reject a password that equals the LoginId
  • Reject a password that equals the first or last name
  • Characters not allowed in a password
  • Words not allowed in a password --A blacklist (password dictionary). A password that appears in the blacklist is rejected.
  • Repetition of the same word in the phrase
  • Uppercase characters (Min-Max) amount
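The composition settings above, implemented as a single validator that returns every rule a candidate password breaks. This is an added example, not OpenIAM's own validation code: the setting names follow the list, but the field names, the defaults, the order of checks, the assumption that the LoginId and name comparisons are case-insensitive, and the sample blacklist are all assumptions made for this example.

```python
"""Password composition checks modelled on the policy settings listed above.

Added illustration, not OpenIAM's own validator. The setting names follow the
page; field names, defaults, check order and the case-insensitive comparison
used for the LoginId and name checks are assumptions.
"""
import unicodedata
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple

Bounds = Tuple[Optional[int], Optional[int]]   # (min, max); None means no bound


@dataclass
class PasswordPolicy:
    min_length: int = 8                    # "Password length"
    max_length: int = 64
    alpha: Bounds = (1, None)              # "Alpha character (Min-Max) amount"
    lowercase: Bounds = (1, None)
    uppercase: Bounds = (1, None)
    numeric: Bounds = (1, None)
    non_alnum: Bounds = (1, None)          # "Non-alpha numeric symbols (Min-Max) amount"
    max_same_char: Optional[int] = 3       # "Limit the repetition of same character"
    allow_ideographic: bool = False        # "Ideographic characters are not allowed"
    disallowed_chars: str = ""             # "Characters not allowed in a password"
    blacklist: FrozenSet[str] = frozenset({"welcome1", "qwerty123"})  # constructed sample
    reject_equals_password: bool = True
    reject_equals_login: bool = True
    reject_equals_name: bool = True
    history_depth: int = 5                 # "Password history versions"


def _in_range(count: int, bounds: Bounds) -> bool:
    lo, hi = bounds
    return (lo is None or count >= lo) and (hi is None or count <= hi)


def _is_ideograph(ch: str) -> bool:
    # unicodedata exposes no script property, so detect CJKV ideographs by
    # their Unicode character name prefix.
    return unicodedata.name(ch, "").startswith("CJK UNIFIED IDEOGRAPH")


def validate(pw: str, policy: PasswordPolicy, login_id: str = "",
             first_name: str = "", last_name: str = "",
             history: Sequence[str] = ()) -> List[str]:
    """Return the names of the violated rules; an empty list means accepted."""
    errors: List[str] = []
    if not policy.min_length <= len(pw) <= policy.max_length:
        errors.append("length")
    counts = {
        "alpha": sum(c.isalpha() for c in pw),
        "lowercase": sum(c.islower() for c in pw),
        "uppercase": sum(c.isupper() for c in pw),
        "numeric": sum(c.isdigit() for c in pw),
        "non_alnum": sum(not c.isalnum() for c in pw),
    }
    for name, n in counts.items():
        if not _in_range(n, getattr(policy, name)):
            errors.append(name)
    # Repetition is counted per exact character, so 'k' and 'K' are distinct,
    # matching the page's kkfd44Kddsk example.
    if policy.max_same_char is not None:
        most = max((pw.count(c) for c in set(pw)), default=0)
        if most > policy.max_same_char:
            errors.append("repetition")
    if not policy.allow_ideographic and any(_is_ideograph(c) for c in pw):
        errors.append("ideographic")
    if any(c in policy.disallowed_chars for c in pw):
        errors.append("disallowed_char")
    lowered = pw.lower()
    if policy.reject_equals_password and lowered == "password":
        errors.append("equals_password")
    if lowered in policy.blacklist:              # page: rejected if "in the blacklist"
        errors.append("blacklist")
    if policy.reject_equals_login and login_id and lowered == login_id.lower():
        errors.append("equals_login")
    names = {first_name.lower(), last_name.lower()} - {""}
    if policy.reject_equals_name and lowered in names:
        errors.append("equals_name")
    if pw in history[: policy.history_depth]:    # most recent passwords first
        errors.append("history")
    return errors


if __name__ == "__main__":
    repeat_only = PasswordPolicy(uppercase=(0, None), non_alnum=(0, None))
    for candidate in ("kkfd44kddsk", "kkfd44Kddsk"):
        print(candidate, validate(candidate, repeat_only) or "accepted")
```

The two passwords from the repetition example are run against a policy that only enforces the repetition limit, so the difference in outcome comes from that rule alone. Note that the repetition check is case-sensitive, so a user can satisfy it by changing the case of a single repeated letter; set the limit with that in mind rather than relying on it to stop near-duplicate passwords.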

Forgot password parameter

  • Number of answers for user defined questions that are required to be correct --OpenIAM ships with 18 out-of-the-box security questions and also allows custom questions to be created under Administration -> Challenge Response Questions -> Create New Question. If custom questions are in use, this setting is the number of them that must be answered correctly.
  • Max number of fail attempts to answer Helpdesk questions --See Helpdesk protection for more information.
  • User failed question answers count --Each incorrect answer increments the user's failure count. Once the count surpasses this value, the account is locked.
  • Number of days the forgot password token is valid --If not set, the default value is 3.
  • Failed OTP count --If not set, the default value is 3.
  • OTP Lifetime (minutes) --The default value is 30 minutes.
  • Number of answers that are required to be correct --The minimum number of correct answers needed for out-of-the-box security questions.
  • Number of questions to display --The total number of questions to be asked.
  • Question list source
  • Max number of Helpdesk questions to be asked to the end user --See Helpdesk protection for more information.
  • Should user choose reset password action?

To disable security questions so that they are not displayed during the first login, disable the following settings:

  • Max number of fail attempts to answer Helpdesk questions
  • Number of answers that are required to be correct

Password change rule

  • Change Password on the 1st login?
  • Change Password after reset --This requires the user to change his/her password after the administrator resets the password for the user.
  • Determines how many times you are allowed to change your password
  • Password expiration grace period --The number of days after the password has expired during which the user is permitted to continue to log in. During the grace period, a message is displayed upon log in that reminds the user to change his/her password.
  • Days to password expiration warning --The number of days before the password expires at which a warning starts being displayed.
  • Password expiration days
  • Reject reset by user --If set to True, the Change Password button in self-service (reached by selecting the username in the top right menu bar) is disabled. Whether the button is available is computed from a cache that refreshes every two minutes by default, so a change to this setting can take up to two minutes to take effect.

There is also a setting that limits password validation attempts. After the limit is reached, the following error is thrown:

Maximum limit for password validation for an identity reached.

Password validation limit

The user will be able to validate the password again after 10 minutes.
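Both the validation limit described here and the "User failed question answers count" in the Forgot password section are per-identity attempt counters that differ only in how they clear: the validation limit reopens after 10 minutes, the failed-answers lock does not. The code below is an added example of that pattern and is not OpenIAM's implementation. It assumes that the limit counts attempts per identity, that the 10-minute cooldown runs from the last counted attempt, that a refused attempt does not extend the lockout, and that the hard lock clears only through an explicit reset (an administrator unlock); the limit values are constructed for the example.

```python
"""Per-identity attempt counters with lockout.

Added illustration of two settings on this page: the password validation limit
(error "Maximum limit for password validation for an identity reached." once the
limit is hit, usable again after 10 minutes) and the "User failed question
answers count" (account locked once the set number is surpassed). Not OpenIAM's
code; the counting semantics and the lock/cooldown behaviour are assumptions.
"""
import time
from typing import Callable, Dict, Optional, Tuple


class ValidationLimitReached(Exception):
    """Raised with the message the page shows when the limit is reached."""


class AttemptLimiter:
    def __init__(self, limit: int, cooldown_seconds: Optional[float] = None,
                 clock: Callable[[], float] = time.monotonic):
        self.limit = limit
        self.cooldown = cooldown_seconds      # None: locked until reset() (assumption)
        self.clock = clock                    # injectable so tests can move time
        self._state: Dict[str, Tuple[int, float]] = {}   # identity -> (count, last attempt)

    def allow(self, identity: str) -> bool:
        """Register one attempt; return False if the identity is over its limit."""
        count, last = self._state.get(identity, (0, 0.0))
        now = self.clock()
        if count >= self.limit:
            if self.cooldown is None or now - last < self.cooldown:
                return False          # refused attempts do not extend the lockout
            count = 0                 # cooldown elapsed: a fresh counting window
        self._state[identity] = (count + 1, now)
        return True

    def reset(self, identity: str) -> None:
        """Clear the counter, e.g. on a correct answer or an administrator unlock."""
        self._state.pop(identity, None)


def validate_with_limit(limiter: AttemptLimiter, identity: str,
                        check: Callable[[], bool]) -> bool:
    """Run a password validation only while the identity is under its limit."""
    if not limiter.allow(identity):
        raise ValidationLimitReached(
            "Maximum limit for password validation for an identity reached.")
    return check()


def answer_question(limiter: AttemptLimiter, identity: str, correct: bool) -> str:
    """Model the failed-answers counter: a correct answer clears it, a wrong one adds to it."""
    if not limiter.allow(identity):
        return "locked"
    if correct:
        limiter.reset(identity)
        return "ok"
    return "wrong"


if __name__ == "__main__":
    # Validation limit: 3 attempts, then a 10-minute (600 s) cooldown.
    limiter = AttemptLimiter(limit=3, cooldown_seconds=600)
    for _ in range(4):
        try:
            validate_with_limit(limiter, "John.Snow", lambda: True)
            print("validated")
        except ValidationLimitReached as err:
            print(err)
```

The clock is injected so the cooldown can be tested without waiting; in production the default monotonic clock is the right choice because wall-clock adjustments must not shorten a lockout.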

Multiple password policies

OpenIAM can link a password policy to various objects: roles, groups, organizations, managed systems and authentication policies. When a user sets or resets a password, the password policy resolver collects the policies linked to the objects the user belongs to and applies the one with the highest priority.

Example:

  • There are several password policies in OpenIAM: the Default Password Policy with a priority of 10; CustomPolicy1 with a priority of 14 (more restrictive than the Default Password Policy); the AD Password Policy with a priority of 15.
  • The following objects are in OpenIAM: The role Manager is linked to CustomPolicy1; the group AD Users is linked to AD Password Policy; the organization Sales Department is linked to Default Password Policy.
  • The user John.Snow has a Manager role and is a member of the Sales Department organization.
  • The user Sansa.Stark belongs to the AD Users group and is a member of the Sales Department organization.
  • The user Arya.Stark has a Manager role and belongs to the AD Users group.
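The resolution rule applied to the example above, as an added illustration rather than OpenIAM's resolver. The policies, links and users are constructed from the example; the membership tuples, the link table, the treatment of a user with no linked policy (a caller-supplied fallback) and the tie-break by name are assumptions, since the page does not state what happens in those cases.

```python
"""Password policy resolution: the highest-priority active policy among those
linked to the user's roles, groups, organizations, managed systems and
authentication policies wins.

Added illustration, not OpenIAM's resolver. Sample data is constructed from
the page's example; the data model, fallback and tie-break are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int          # higher number wins
    active: bool = True    # inactive policies are skipped during resolution


Membership = Tuple[str, str]   # (object type, object name), e.g. ("role", "Manager")

DEFAULT = Policy("Default Password Policy", 10)
CUSTOM1 = Policy("CustomPolicy1", 14)
AD = Policy("AD Password Policy", 15)

# Which policy each object carries (constructed from the page's example).
LINKS: Dict[Membership, Policy] = {
    ("role", "Manager"): CUSTOM1,
    ("group", "AD Users"): AD,
    ("organization", "Sales Department"): DEFAULT,
}

# Each user's memberships (constructed from the page's example).
USERS: Dict[str, Iterable[Membership]] = {
    "John.Snow": {("role", "Manager"), ("organization", "Sales Department")},
    "Sansa.Stark": {("group", "AD Users"), ("organization", "Sales Department")},
    "Arya.Stark": {("role", "Manager"), ("group", "AD Users")},
}


def resolve(memberships: Iterable[Membership], links: Dict[Membership, Policy],
            fallback: Optional[Policy] = None) -> Optional[Policy]:
    """Pick the highest-priority active policy among the user's linked objects.

    With no active linked policy, `fallback` is returned; the page does not say
    which policy OpenIAM applies in that case. The page also defines no
    tie-break, so give linked policies distinct priorities; the name is used
    here only to keep the result deterministic.
    """
    candidates = [links[m] for m in memberships if m in links and links[m].active]
    if not candidates:
        return fallback
    return max(candidates, key=lambda p: (p.priority, p.name))


def resolve_all(users: Dict[str, Iterable[Membership]],
                links: Dict[Membership, Policy],
                fallback: Optional[Policy] = None) -> Dict[str, Optional[str]]:
    """Resolve every user to the name of the policy that will be applied."""
    result: Dict[str, Optional[str]] = {}
    for user, memberships in users.items():
        policy = resolve(memberships, links, fallback)
        result[user] = policy.name if policy else None
    return result


if __name__ == "__main__":
    for user, name in resolve_all(USERS, LINKS, fallback=DEFAULT).items():
        print(f"{user}: {name}")
```

Deactivating a policy changes the outcome for everyone linked to it: with the AD Password Policy inactive, Arya.Stark falls back to CustomPolicy1 through the Manager role, so check which users a policy covers before switching it off.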