Hitachi ID Systems, Inc.


Password Policy Enforcement

Password Strength Rules

Following is the complete list of password strength rules that can be enforced by Password Manager:

    Password strength rules

(Type: Req/Warn means the rule can be enforced either as a requirement, which rejects a non-conforming password, or as a warning shown to the user; On/Off means the rule is simply enabled or disabled.)

Rule name | Type | Description
Minimum length | Req/Warn | The smallest number of characters that a legal password can contain.
Maximum length | Req/Warn | The largest number of characters that a legal password can contain.
Require mixed case? | Req/Warn | Enable if passwords must contain both uppercase and lowercase characters.
Maximum no. of lower-case letters | Req/Warn | The largest number of lower-case letters that a legal password can contain.
Maximum no. of upper-case letters | Req/Warn | The largest number of upper-case letters that a legal password can contain.
Minimum no. of punctuation marks | Req/Warn | The smallest number of punctuation marks that a legal password can contain.
Maximum no. of punctuation marks | Req/Warn | The largest number of punctuation marks that a legal password can contain.
Minimum no. of inside punctuation marks | Req/Warn | Same as minimum punctuation marks, but not counting the first or last character of the password.
Minimum no. of letters | Req/Warn | The smallest number of letters that a legal password can contain.
Start with a letter? | Req/Warn | Enable to require all passwords to start with a letter. Useful for compatibility with some systems.
Minimum no. of digits | Req/Warn | The smallest number of digits that a legal password can contain.
Minimum no. of digits inside | Req/Warn | Same as minimum digits, but not counting the first or last character of the password.
No words from the (provided) dictionary | Req/Warn | The password, stripped of non-letter characters, may not match a dictionary word of four or more letters. For example, the password word123 is not valid. The dictionary search is case-insensitive.
No exact word match from the dictionary | Req/Warn | The password may not exactly match a dictionary word of four or more letters. For example, the passwords w1o2r3d and word123 are valid, but the password word is not. The dictionary search is case-insensitive.
No words from dictionary contained within password | Req/Warn | The password, stripped of non-letter characters, may not contain a dictionary word. For example, the password xyzword123 is not valid. The dictionary search is case-insensitive.
No rearranged words from this dictionary | Req/Warn | The password, stripped of non-letter characters, may not be a rearrangement of a dictionary word. For example, the password w1o2r3d4xyz is valid, but the password rdow123 is not. The dictionary search is case-insensitive.
Not the user name? | Req/Warn | The user's name may not be used as the new password.
Not the user name backwards? | Req/Warn | Same as above, but with the letters of the name reversed.
Does not contain the user name? | Req/Warn | The user's name may not form part of the new password.
Does not contain the user name backwards? | Req/Warn | Same as above, but with the letters of the name reversed.
Not a rearranged user name? | Req/Warn | Same as above, but with the letters of the name rearranged in any order.
Does not match the first N characters of the user name? | Req/Warn | The new password may not contain the first N characters of the user name.
Offer the user N random passwords | Req/Warn | Display N randomly selected passwords from which the user may choose a new password. If the rule is required, the user must use one of the offered values as the new password.
Maximum number of character pairs | Req/Warn | The largest number of pairs of the same character appearing consecutively that a legal password can contain.
Require password to be approved by this plug-in | On/Off | An external program is called to verify that the password is acceptable; a password the program does not approve is rejected.
Warn if the password was not approved by this plug-in | On/Off | An external program is called to check whether the password is desirable; if it is not, the user is warned.
Mainframe compatible (8 chars; alpha/num or @$#) | Req/Warn | Restricts passwords to 8 characters drawn from letters, digits and the symbols @ $ #, for compatibility with mainframe systems.
Password rules apply to the first N characters of the password | On/Off | Apply all other rules to the password truncated to its first N characters.
Record old passwords - never reuse them (password history) | Req/Warn | New passwords may not be the same as passwords that appear in the history file.
Store new password hash in history on successful change/reset | Req/Warn | Enforce password history by storing hashes of old passwords in the Password Manager database. Users will not be able to reuse old passwords.
Allow old passwords after N days | Req/Warn | Relax the history rule so that a new password may be the same as an old one in the history file if that old password is more than N days old.
Prompt users to change passwords every N days | Req/Warn | Prompt the user to change passwords every N days. This applies only to expiry computed from the last time the user changed passwords with Password Manager.
Regular expressions | Req/Warn | Passwords must match, or must not match, configured string patterns.
Password policy plug-ins | Req/Warn | Password quality is validated by customer-supplied plug-in program(s).
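
As an added example, not code from Hitachi ID or from Password Manager, the following Python implements a subset of the rules in the table. A policy maps each rule name to "require" or "warn", and the check returns the required rules that failed (the change is rejected) separately from the warnings (the user is only advised). The word list, the sample policy, the user name "jsmith" and all function names are constructed for this example; the product's own matching logic is not published, so details such as how character pairs are counted and which characters count as punctuation are assumptions.

```python
import re

# Constructed word list standing in for the policy dictionary; a real
# deployment loads a full word list (assumption, not Hitachi ID's data).
DICTIONARY = {"word", "password", "secret", "summer", "hitachi"}

def letters_only(pw):
    """Strip non-letter characters and lower-case, as the dictionary rules do."""
    return "".join(c for c in pw if c.isalpha()).lower()

def long_words(words):
    """The dictionary rules only consider words of four or more letters."""
    return {w.lower() for w in words if len(w) >= 4}

def dictionary_word_stripped(pw, words):
    """'No words from the dictionary': word123 strips to 'word', a dictionary word."""
    return letters_only(pw) in long_words(words)

def dictionary_word_exact(pw, words):
    """'No exact word match': 'word' fails, 'word123' and 'w1o2r3d' pass."""
    return pw.lower() in long_words(words)

def dictionary_word_contained(pw, words):
    """'No words contained within password': 'xyzword123' contains 'word'."""
    stripped = letters_only(pw)
    return any(w in stripped for w in long_words(words))

def dictionary_word_rearranged(pw, words):
    """'No rearranged words': 'rdow123' strips to 'rdow', an anagram of 'word'."""
    letters = sorted(letters_only(pw))
    return any(sorted(w) == letters for w in long_words(words))

def adjacent_pairs(pw):
    """Count positions where a character repeats its predecessor ('aa', '11')."""
    return sum(1 for a, b in zip(pw, pw[1:]) if a == b)

def build_rules(user, dictionary, min_length, max_length, min_digits,
                min_punct, max_pairs, first_n, deny_patterns):
    """Rule name from the table -> predicate, True when the password satisfies it."""
    u = user.lower()
    return {
        "Minimum length": lambda p: len(p) >= min_length,
        "Maximum length": lambda p: len(p) <= max_length,
        "Require mixed case": lambda p: (any(c.islower() for c in p)
                                        and any(c.isupper() for c in p)),
        "Minimum no. of digits": lambda p: sum(c.isdigit() for c in p) >= min_digits,
        "Minimum no. of digits inside": lambda p: sum(c.isdigit() for c in p[1:-1]) >= min_digits,
        "Minimum no. of punctuation marks": lambda p: sum(not c.isalnum() for c in p) >= min_punct,
        "Maximum number of character pairs": lambda p: adjacent_pairs(p) <= max_pairs,
        "No words from the (provided) dictionary": lambda p: not dictionary_word_stripped(p, dictionary),
        "No exact word match from the dictionary": lambda p: not dictionary_word_exact(p, dictionary),
        "No words from dictionary contained within password": lambda p: not dictionary_word_contained(p, dictionary),
        "No rearranged words from this dictionary": lambda p: not dictionary_word_rearranged(p, dictionary),
        "Not the user name": lambda p: p.lower() != u,
        "Not the user name backwards": lambda p: p.lower() != u[::-1],
        "Does not contain the user name": lambda p: u not in p.lower(),
        "Does not contain the user name backwards": lambda p: u[::-1] not in p.lower(),
        "Not a rearranged user name": lambda p: sorted(p.lower()) != sorted(u),
        "Does not match the first N characters of the user name": lambda p: u[:first_n] not in p.lower(),
        "Regular expressions": lambda p: not any(re.search(x, p) for x in deny_patterns),
    }

def evaluate(password, user, policy, dictionary=DICTIONARY, min_length=8,
             max_length=64, min_digits=1, min_punct=1, max_pairs=1, first_n=3,
             deny_patterns=()):
    """policy maps a rule name to 'require' or 'warn'; unlisted rules are not
    enforced.  Returns (failed_required, failed_warnings): reject the change
    if the first list is non-empty, only display the second."""
    rules = build_rules(user, dictionary, min_length, max_length, min_digits,
                        min_punct, max_pairs, first_n, deny_patterns)
    failed_required, failed_warnings = [], []
    for name, mode in policy.items():
        if not rules[name](password):
            (failed_required if mode == "require" else failed_warnings).append(name)
    return failed_required, failed_warnings

# Constructed policy for the demonstration (assumption, not a shipped default).
POLICY = {
    "Minimum length": "require",
    "Require mixed case": "require",
    "Minimum no. of digits": "require",
    "Minimum no. of punctuation marks": "warn",
    "Maximum number of character pairs": "require",
    "No words from the (provided) dictionary": "require",
    "No words from dictionary contained within password": "require",
    "No rearranged words from this dictionary": "require",
    "Does not contain the user name": "require",
    "Does not match the first N characters of the user name": "warn",
    "Regular expressions": "require",
}

if __name__ == "__main__":
    for pw in ("word123", "Tr0ub4dor&3x", "Jsmith2024!!"):
        print(pw, evaluate(pw, "jsmith", POLICY, deny_patterns=(r"\d{4}",)))
```

Run as a script it evaluates three constructed passwords against POLICY; word123 fails the length, mixed-case and all three dictionary rules and draws a punctuation warning, while Jsmith2024!! is rejected for containing the user name and for matching the deny pattern. Keeping each rule as a named predicate mirrors the table and makes the required/warn split a pure configuration decision.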

 

Unlimited Password History

In Password Manager, password history is "infinite" by default: unless reuse is specifically allowed, users can never reuse a previous password. Where reuse is allowed, it is governed by a time interval rather than by the number of intervening password changes. Password history is stored as a one-way, non-reversible hash (SHA-1 with a 64-bit random salt).
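
An added example (not Password Manager's code) of the history mechanism described above: each entry keeps its own fresh 64-bit random salt, a SHA-1 digest and the change time; reuse is decided by the age of the old entry rather than by how many changes have happened since; and None models the default infinite history. The order in which salt and password are concatenated, the UTF-8 encoding and the class and method names are assumptions. One caveat for anyone reusing the pattern: SHA-1 is a fast hash, so a stolen history table can be brute-forced about as quickly as any fast-hash password store; substitute a slow, memory-hard KDF in hash_entry if you build on this.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

SALT_BYTES = 8  # 64-bit random salt, as described on the page


def hash_entry(password, salt):
    """One-way digest of salt || password.  Concatenation order and UTF-8
    encoding are assumptions; SHA-1 is the algorithm the page names."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


class PasswordHistory:
    """Per-user list of (salt, digest, changed_at).  No plaintext is kept, and
    every entry gets its own salt, so equal passwords leave unequal digests."""

    def __init__(self, allow_reuse_after_days=None):
        # None = infinite history: an old password is never accepted again.
        self.allow_reuse_after_days = allow_reuse_after_days
        self._entries = {}

    def record(self, user, password, changed_at):
        """Store the hash after a successful change or reset."""
        salt = os.urandom(SALT_BYTES)
        self._entries.setdefault(user, []).append(
            (salt, hash_entry(password, salt), changed_at))

    def entries(self, user):
        return list(self._entries.get(user, []))

    def is_blocked(self, user, candidate, now):
        """True if candidate equals a history entry that is still too recent
        to reuse.  Each stored salt is re-applied, so the check costs one hash
        per history entry; the digest comparison is constant-time."""
        for salt, digest, changed_at in self._entries.get(user, []):
            if not hmac.compare_digest(hash_entry(candidate, salt), digest):
                continue
            if self.allow_reuse_after_days is None:
                return True
            # Reuse is allowed only once the old password is over N days old.
            if now - changed_at <= timedelta(days=self.allow_reuse_after_days):
                return True
        return False

    def change_password(self, user, new_password, now):
        """Apply the history rule, then record the new value.  Returns whether
        the change was accepted."""
        if self.is_blocked(user, new_password, now):
            return False
        self.record(user, new_password, now)
        return True


if __name__ == "__main__":
    h = PasswordHistory(allow_reuse_after_days=365)
    t0 = datetime(2024, 1, 1)
    print(h.change_password("alice", "Winter2023!x", t0))                       # True
    print(h.change_password("alice", "Winter2023!x", t0 + timedelta(days=30)))  # False
    print(h.is_blocked("alice", "Winter2023!x", t0 + timedelta(days=366)))      # False
```

The time-based rule is applied to the entry that matched, so after an allowed reuse the new, younger entry is what blocks the password next time; with a per-entry salt the check cannot be done with a set lookup and must re-hash the candidate once per stored entry.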

Password Aging / Expiration

To enforce password expiration and to get users to trigger web-based password synchronization, Password Manager is configured to detect upcoming password expiration on individual systems (e.g., Windows or NetWare servers, LDAP directories) and to prompt users to change all of their passwords at once in the Password Manager web GUI, rather than one system at a time through native password change screens.

Typically, password expiration is configured so that users change their passwords with Password Manager on a shorter schedule than any application or system password. This way, users are never prompted to change passwords by anything other than Password Manager itself or by systems that automatically trigger Password Manager's transparent password synchronization.

Early notification of upcoming password expiration is a viable alternative to transparent password synchronization, especially in cases where it is impossible to trigger synchronization from the primary login system that users most often use.

Users can be notified of upcoming password expiration by e-mail. Alternatively, a small client program can be added to global network login scripts; it checks whether the user currently logging in is on the list of "soon to expire" users and, if so, opens the user's default web browser to a URL that asks the user to change their passwords through the Password Manager web GUI.

Users can be forced to change their passwords when they sign into the network, by opening a kiosk-mode web browser to the password change screen and requiring the user to change passwords before they can close this browser.

The timing of password expiration can be calculated from the most recent password change a user made with Password Manager, in addition to upcoming expiration on a managed system.
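
An added example, not the product's code, of the scheduling logic this section describes: a user's effective expiry is the earlier of the Password Manager schedule (last change made through Password Manager plus N days) and any expiry a managed system reports; users inside the notice window go on the "soon to expire" list that the e-mail and login-script mechanisms consume, and users already past expiry go on the list to be forced at next sign-in. The record layout, the sample users and systems, and the choice to treat a user with no data at all as expired are assumptions.

```python
from datetime import datetime, timedelta


def effective_expiry(last_pm_change, pm_interval_days, system_expiries):
    """Earliest date by which the user must change passwords: the Password
    Manager schedule (last change made through Password Manager plus N days)
    or any expiry reported by a managed system, whichever comes first.
    Returns None when nothing is known about the user."""
    candidates = list(system_expiries.values())
    if last_pm_change is not None:
        candidates.append(last_pm_change + timedelta(days=pm_interval_days))
    return min(candidates) if candidates else None


def classify(record, now, pm_interval_days, notice_days):
    """'force'  : already expired, or no data at all (treated as expired);
       'notify' : expires within the notice window (e-mail / login-script prompt);
       'ok'     : nothing to do yet."""
    expiry = effective_expiry(record["last_pm_change"], pm_interval_days,
                              record["system_expiry"])
    if expiry is None or expiry <= now:
        return "force"
    if expiry - now <= timedelta(days=notice_days):
        return "notify"
    return "ok"


def build_lists(users, now, pm_interval_days=60, notice_days=14):
    """Split users into the lists the notification mechanisms consume."""
    out = {"force": [], "notify": [], "ok": []}
    for name, record in users.items():
        out[classify(record, now, pm_interval_days, notice_days)].append(name)
    return {k: sorted(v) for k, v in out.items()}


def pm_schedule_is_shortest(pm_interval_days, system_max_age_days):
    """The configuration rule from the text: the Password Manager interval must
    be shorter than every managed system's maximum password age, so that no
    native system prompts the user before Password Manager does."""
    return all(pm_interval_days < age for age in system_max_age_days.values())


# Constructed sample data (not real users or systems).
USERS = {
    "alice": {"last_pm_change": datetime(2024, 3, 1),
              "system_expiry": {"AD": datetime(2024, 5, 15)}},
    "bob":   {"last_pm_change": datetime(2024, 1, 1),
              "system_expiry": {"AD": datetime(2024, 6, 1)}},
    "carol": {"last_pm_change": None,
              "system_expiry": {"LDAP": datetime(2024, 5, 20)}},
    "dave":  {"last_pm_change": None, "system_expiry": {}},
}
NOW = datetime(2024, 4, 20)

if __name__ == "__main__":
    print(build_lists(USERS, NOW))
    # {'force': ['bob', 'dave'], 'notify': ['alice'], 'ok': ['carol']}
    print(pm_schedule_is_shortest(60, {"AD": 90, "LDAP": 180}))  # True
```

With a 60-day Password Manager interval and a 14-day notice window, alice is due on 2024-04-30 from her last Password Manager change (earlier than the date AD reports) and is notified, bob is already past his schedule and is forced at next sign-in, and carol, who has never changed a password through Password Manager, is governed only by the LDAP expiry date.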