Password Policy Manager
The Password Policy Manager allows administrators to define password policies to ensure that passwords comply with the following criteria:
- Syntax
- Restricted Password Values
- Avoidance of Breached Passwords
From the Configuration menu, choose Password under Policies, and click Password in the left menu. This will display the Default Password Policy.
The four available tabs on this screen are General, Password Syntax, Restricted Passwords, and Password Screening. Each tab has a different set of options for System Administrators to use to define policies surrounding the types of passwords that users must create.
General Tab
Section | Field | Description |
---|---|---|
General | Name | Give the policy a name that makes the policy easy to identify. |
General | Description | This will be the information displayed to the user when they are prompted to create a password. Administrators can use basic HTML formatting to ensure the message is easy to read and understand. |
General | Enabled | Select this checkbox to enable the policy for all applicable users. |
General | Default Policy | Select this checkbox to ensure this policy is the default. |
Affected Users | Access Control | Define who has access to the policy. More information on RBAC and ABAC filtering is available in Configuring Module Visibility. This field defaults to None. Note: This section only appears when the selected policy is not the default policy. |
Password Reset | Allow Password Reset to Attribute Value | Select this checkbox to enable users to use various attributes as passwords. |
Password Reset | Allow Random Password Generation | Select this checkbox to allow passwords governed by this policy to be reset to random values when performing delegated or self-service password reset. |
Password Reset | Default for "User Must Change Password At Next Login" | Select this checkbox to have the "User Must Change Password At Next Login" option selected by default when delegated administrators or self-service users change the password for users associated with this policy. |
Password Syntax Tab

Section | Field | Description |
---|---|---|
General | Password Length | Define the minimum and maximum number of characters required for the current Password Policy. Note: Setting the minimum length to If both values are greater than zero, the Minimum Length character count must be less than or equal to the Maximum Length character count. |
General | Regular Expression for Allowed Characters | Enter a regular expression string to enforce further password complexity rules as needed. This can require or exclude certain characters when a password is created for users who qualify for this policy. |
General | Character Sets to Meet | The number of character sets, as defined in the next section, that the password must satisfy to meet the requirements of this policy. |
General | Meet AD Complexity Requirements | Pressing this button changes the Password Length Minimum to 7 and Character Sets to Meet to 3. These are the default Password Complexity requirements as enforced by Microsoft Active Directory. |
Character Sets | Uppercase Letters | Define the minimum and maximum number of Uppercase Letters (A-Z) that must be included. |
Character Sets | Lowercase Letters | Define the minimum and maximum number of Lowercase Letters (a-z) that must be included. |
Character Sets | Numbers | Define the minimum and maximum number of Numbers (0-9) that must be included. |
Character Sets | Special Characters | Define the minimum and maximum number of Special Characters (`` !"#$%&'()*+,-./:;=?@[\]^_`{\|}~ ``) that must be included. |
Character Sets | Unicode Characters | Define the minimum and maximum number of Unicode Characters that must be included. |
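
How the length bounds, the per-set minimum and maximum, and Character Sets to Meet combine is easiest to see in code. The following is an added example, not RapidIdentity code: `SyntaxPolicy`, `classify` and `evaluate` are hypothetical names, and it assumes that 0 means no limit, that a set counts as met when the password has at least one character from it within that set's bounds, and that any non-ASCII character belongs to the Unicode set.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

SPECIALS = set("!\"#$%&'()*+,-./:;=?@[\\]^_`{|}~")  # list from the table above
SET_NAMES = ("uppercase", "lowercase", "numbers", "special", "unicode")

def classify(ch):
    """Map one character to a character set as the table defines them."""
    if "A" <= ch <= "Z":
        return "uppercase"
    if "a" <= ch <= "z":
        return "lowercase"
    if "0" <= ch <= "9":
        return "numbers"
    if ch in SPECIALS:
        return "special"
    return "unicode" if ord(ch) > 127 else "other"  # assumption: non-ASCII = Unicode set

@dataclass
class SyntaxPolicy:
    min_length: int = 0      # 0 = no limit (assumption)
    max_length: int = 0
    sets_to_meet: int = 0
    allowed_regex: str = ""  # empty = any character allowed
    # per-set (min, max); max 0 = no upper bound (assumption)
    sets: dict = field(default_factory=lambda: {n: (1, 0) for n in SET_NAMES})

def ad_complexity():
    """Values the 'Meet AD Complexity Requirements' button sets, per the table."""
    return SyntaxPolicy(min_length=7, sets_to_meet=3)

def evaluate(policy, password):
    """Return a list of violation codes; an empty list means the password passes."""
    errors = []
    if policy.min_length and len(password) < policy.min_length:
        errors.append("too_short")
    if policy.max_length and len(password) > policy.max_length:
        errors.append("too_long")
    if policy.allowed_regex and not re.fullmatch(policy.allowed_regex, password):
        errors.append("disallowed_characters")
    counts = Counter(classify(ch) for ch in password)
    met = [name for name, (lo, hi) in policy.sets.items()
           if counts[name] >= max(lo, 1) and (hi == 0 or counts[name] <= hi)]
    if len(met) < policy.sets_to_meet:
        errors.append("character_sets_not_met")
    return errors
```

`evaluate(ad_complexity(), "Summer2024")` returns no violations, which is why the Restricted Passwords and Password Screening tabs matter in addition to syntax rules.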
Restricted Passwords Tab

Section | Field | Description |
---|---|---|
Match by Text | Case Sensitive Match | Check this box to use case-sensitive matching against any Restricted Passwords defined below. |
Match by Text | Full Match | Check this box to disallow any phrases that fully match any of the Restricted Passwords defined below. |
Match by Text | Restricted Passwords | Click +Add Another to include any words and phrases that are to be restricted from use in a user's password. |
Match by Regular Expression | Restricted Passwords | Click +Add Another to include any regular expressions that are to be restricted from use in a user's password. |
Match by Attribute Value | Case Sensitive Match | Check this box to use case-sensitive matching against any Restricted Attribute Values defined below. |
Match by Attribute Value | Full Match | Check this box to disallow passwords that fully match any of the Attributes defined below. Leave unchecked to disallow passwords that contain any of the values of any of the attributes listed below. |
Match by Attribute Value | Meet AD Complexity Attribute Exclusions | Check this box to also disallow passwords that contain values of attributes included in Microsoft Active Directory default complexity requirements. |
Match by Attribute Value | Restricted Passwords | Click +Add Another to include any Attributes that are to be restricted from use in a user's password. |
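
The effect of the Case Sensitive Match and Full Match checkboxes on the three restriction types can be modelled as follows. This is an added example, not RapidIdentity code: `restricted_hits`, the policy dictionary keys and the sample user are hypothetical, and it assumes that unchecked Full Match means "contains" for text as it does for attributes, that regular expressions match anywhere in the password, and that attribute values shorter than three characters are skipped.

```python
import re

def _matches(password, value, case_sensitive, full_match):
    """Compare one restricted value with the password under the two checkboxes."""
    if not case_sensitive:
        password, value = password.casefold(), value.casefold()
    return password == value if full_match else value in password

def restricted_hits(password, user, policy):
    """Return (rule, entry) pairs for every restriction the password trips."""
    hits = []
    for word in policy["texts"]:
        if word and _matches(password, word, policy["text_case_sensitive"],
                             policy["text_full_match"]):
            hits.append(("text", word))
    for pattern in policy["regexes"]:
        if re.search(pattern, password):  # assumption: match anywhere in the password
            hits.append(("regex", pattern))
    for name in policy["attributes"]:
        value = user.get(name) or ""
        # Assumption: skip empty or very short values; "" is a substring of every
        # password and a two-letter surname would reject most of them.
        if len(value) >= 3 and _matches(password, value, policy["attr_case_sensitive"],
                                        policy["attr_full_match"]):
            hits.append(("attribute", name))
    return hits

# Constructed policy and user record, for illustration only.
POLICY = {
    "texts": ["password", "district"],
    "text_case_sensitive": False, "text_full_match": False,
    "regexes": [r"(19|20)\d\d$"],          # password ends in a year
    "attributes": ["givenName", "sn", "sAMAccountName"],
    "attr_case_sensitive": False, "attr_full_match": False,
}
USER = {"givenName": "Dana", "sn": "Li", "sAMAccountName": "dli"}
```

Checking Full Match or Case Sensitive Match narrows what is rejected, so leaving both unchecked is the stricter configuration in this model.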
Password Screening Tab

Section | Field | Description |
---|---|---|
Password Screening | Enabled | Click this checkbox to enable password screening. When enabled, the password the user chooses will be screened against a database of compromised passwords and, if it is found there, the user will be required to pick another. |
Password Screening | Screening Service | Currently, there is only one service available within RapidIdentity, and it defaults to the Have I Been Pwned screening service. This service checks to see whether the password the user has chosen has recently been involved in a data breach, and automatically blacklists any of those reported. |
Password Screening | Error Message | When the Password Screening feature is enabled, the Error Message displayed to the user becomes editable from the default text. You may change it to include instructions on changing the user's password or leave it as is. When prompted, the error message will appear to the user as shown below. |
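
Screening against Have I Been Pwned is commonly done through its Pwned Passwords range API, where only the first five characters of the password's SHA-1 digest are sent and the comparison happens locally. The sketch below is an added example, not RapidIdentity code: whether RapidIdentity uses the range API is an assumption, the function names are hypothetical, and the service is replaced by a constructed offline stand-in.

```python
import hashlib

def split_digest(password):
    """SHA-1 the password; only the 5-character prefix ever leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, fetch_range):
    """fetch_range(prefix) returns the range response text: one SUFFIX:COUNT per line."""
    prefix, suffix = split_digest(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            # Padding rows carry a count of 0 and must not be treated as a hit.
            return int(count) if count.strip().isdigit() else 0
    return 0

def screen(password, fetch_range, error_message="<policy error message>"):
    """Return (allowed, message); message is None when the password is accepted."""
    count = breach_count(password, fetch_range)
    return (count == 0, None if count == 0 else error_message)

# Constructed corpus and counts, standing in for the real service so the example
# runs offline. In production fetch_range would issue
# GET https://api.pwnedpasswords.com/range/<prefix> over TLS.
CONSTRUCTED_CORPUS = {"password": 1000, "Summer2024": 37}

def constructed_service(prefix):
    rows = []
    for known, count in CONSTRUCTED_CORPUS.items():
        known_prefix, known_suffix = split_digest(known)
        if known_prefix == prefix:
            rows.append(f"{known_suffix}:{count}")
    rows.append("0" * 35 + ":0")  # constructed padding row
    return "\r\n".join(rows)
```

Because the service only ever sees the prefix, the decision to reject is made by the caller, which is also where the policy's Error Message would be returned to the user.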