Password Policy
The Password Policy interface allows administrators to define the global RapidIdentity password policy.
This policy was previously located in the RapidIdentity Portal Configuration | Profiles | Extended | Password Policy Manager interface.
The Password Policy interface contains three tabs, General, Password Syntax, and Restricted Passwords to define the Password Policy parameters.
Administrators can prioritize Password Policies with the up and down arrow icons, duplicate an existing policy, add or remove policies with the plus and minus icons respectively, and refresh the policies with the curved arrow.
The General interface allows administrators to define the following Password Policy configurations.
- Name
- Description
- Whether the policy is active
- Whether a given policy is the default password policy
- Access Control for non-default password policies
- Password Reset options
The Password Policy Name, Description, and Enable fields are required.
compose the default message end users see and to determine various action buttons available to users when updating a password.
Field Names | Description |
---|---|
Name | The name of the password policy. The best password policy names are friendly and provide administrators a general idea of the password policy parameters or to which user groups the password policies apply (in the case of a non-default policy). |
Description | The Description should be described in simple terms that an end-user will be able to reference and understand. This description is displayed to the user on the change password screen. |
Enabled | Enables or Disables this policy. |
Default Policy | If selected, this becomes the default policy. |
Access Control | This field is available to non-default password policies, or, in the instance of only one password policy that is default, whenever the plus icon is clicked. Administrators can choose RBAC or ABAC. If RBAC is chosen, administrators can enter previously defined roles. If ABAC is selected, administrators can enter an LDAP filter in the Attribute ACL field or use the LDAP Criteria Builder to define an LDAP filter. |
Allow Password Reset to Attribute Value | Allows the help desk to reset the user's password to a value based on an LDAP attribute. This is a useful way to have users know what their default password is and have it provisioned to an attribute. |
Allow Random Password Generation | Allow RapidIdentity Portal to generate a random password for a user if requested. |
Default for "User must change password at next login" | Determines the selected state for the change password dialog's “User must change password at next login” checkbox. |
Password Syntax
The Password Syntax tab allows administrators to define specific password requirements based on general parameters and on the number of required characters from each of five character set groups:
- Uppercase letters
- Lowercase letters
- Numbers
- Special characters
- Unicode characters
The General parameters allow administrators to Enforce Password Length Restrictions by setting Minimum (1) and/or Maximum (255) character password lengths, to configure a regular expression that defines the allowed characters, and to ensure the policy matches the Microsoft Active Directory Complexity Requirement.
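The Password Syntax parameters above, modelled as an added Python example that is not RapidIdentity code; treating every non-ASCII character as a member of the Unicode set, the function names and the sample policy are assumptions:

```python
import re

# Constructed model of the Password Syntax tab (not RapidIdentity code):
# per-character-set minimum counts, an optional length window and an
# optional "allowed characters" regular expression that the whole
# password must match.

def classify(ch):
    """Map one character to the page's five character set groups."""
    if ch.isascii():
        if ch.isupper():
            return "uppercase"
        if ch.islower():
            return "lowercase"
        if ch.isdigit():
            return "numbers"
        return "special"
    return "unicode"  # assumption: any non-ASCII character is "Unicode"

def check_syntax(password, minimums, min_length=None, max_length=None,
                 allowed_regex=None):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if min_length is not None and len(password) < min_length:
        problems.append(f"shorter than {min_length}")
    if max_length is not None and len(password) > max_length:
        problems.append(f"longer than {max_length}")
    # The allowed-characters expression must match the entire password.
    if allowed_regex is not None and re.fullmatch(allowed_regex, password) is None:
        problems.append("contains characters outside the allowed set")
    counts = {}
    for ch in password:
        group = classify(ch)
        counts[group] = counts.get(group, 0) + 1
    for group, needed in minimums.items():
        if counts.get(group, 0) < needed:
            problems.append(f"needs at least {needed} {group}")
    return problems

# Constructed sample policy: 8 to 64 characters, at least one character from
# the upper, lower, number and special groups, printable ASCII only.
POLICY = dict(
    minimums={"uppercase": 1, "lowercase": 1, "numbers": 1, "special": 1},
    min_length=8, max_length=64, allowed_regex=r"[\x21-\x7e]+",
)
```

The Active Directory complexity option is not modelled here; it is a separate switch on the tab.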
Restricted Passwords
The Restricted Passwords interface allows administrators to prevent certain words and values within a user's password. Administrators can blacklist passwords in any of the following three ways:
- Text
- Regular expression
- Matching attribute values

Administrators have the option to require Case Sensitive Value Matching and Full Matches Only.
Field Name | Description |
---|---|
Case Sensitive Match | By default, blacklisted passwords must match in case. Enable this field to ignore case. |
Full Matches | Determines how a password is compared to the blacklist. When enabled, a password is rejected only if it equals a blacklisted value in full; when disabled, a password is rejected if it contains a blacklisted value anywhere within it. |
Blacklisted Passwords | Individual passwords can be blacklisted by entering the word into the field and pressing enter. A blacklisted password can be removed by clicking the "x" to the right of the blacklisted password. |
Blacklisting Passwords by Text
Use this field to enter specific password values that should not be allowed.
The plus button adds entries while the delete button removes entries.
Adding a Blacklisted Value entry of AUTO produces the following results:
If Full Matches Only is enabled:
Password | Accepted? |
---|---|
AUTO | No |
AUTO-MATIC | Yes |
LOVE_AUTOMATION | Yes |
If Full Matches Only is disabled:
Password | Accepted? |
---|---|
AUTO | No |
AUTO-MATIC | No |
LOVE_AUTOMATION | No |
Blacklisting Passwords by Regular Expression
RapidIdentity Portal can support any regular expression pattern that Java can accommodate. The regular expression must match the entire password including the values that make it eligible for blacklisting.
For example, [^ ] allows administrators to negate (blacklist) any character following the caret symbol; entering [^at] allows any password that does not contain lower case "a" or "t".
Exclude Passwords that match these attributes values
The functionality on this tab is exactly the same as Blacklisting Passwords by Text but takes directory attribute values as input. This allows for the prevention of passwords that contain values such as the user's name or ID.
Adding a Blacklisted Value entry of GIVEN_NAME, for a user whose given name is James, produces the following results:
If Full Matches Only is enabled:
Password | Accepted? |
---|---|
JAMES | No |
JAMES123 | Yes |
A$ZJAMESZ$A | Yes |
If Full Matches Only is disabled:
Password | Accepted? |
---|---|
JAMES | No |
JAMES123 | No |
A$ZJAMESZ$A | No |
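The matching rules from the text, regular expression and attribute sections above, as an added Python example that is not RapidIdentity code. The function names, the user dictionary and the case-insensitive comparison used to reproduce the James / JAMES table are assumptions:

```python
import re

# Constructed model of the Restricted Passwords tab (not product code):
# literal blacklisted values, attribute names whose directory values are
# treated like literal values, and regular expressions that must match
# the entire password to blacklist it.

def _value_matches(password, value, full_matches_only, case_sensitive):
    """True if a literal blacklisted value rejects the password."""
    if not value:
        return False
    if not case_sensitive:
        password, value = password.lower(), value.lower()
    # Full Matches Only: equality; otherwise any substring occurrence.
    return password == value if full_matches_only else value in password

def is_restricted(password, blacklist=(), attributes=(), regexes=(), user=None,
                  full_matches_only=False, case_sensitive=True):
    """Return the reason the password is restricted, or None if it is allowed."""
    user = user or {}
    for value in blacklist:
        if _value_matches(password, value, full_matches_only, case_sensitive):
            return f"matches blacklisted value {value!r}"
    for attr in attributes:
        if _value_matches(password, user.get(attr, ""), full_matches_only, case_sensitive):
            return f"matches user attribute {attr}"
    for pattern in regexes:
        # The page states the expression must match the entire password.
        if re.fullmatch(pattern, password, 0 if case_sensitive else re.IGNORECASE):
            return f"matches restricted pattern {pattern!r}"
    return None

# Constructed sample data mirroring the page's AUTO and JAMES tables.
USER = {"GIVEN_NAME": "James"}   # directory value; candidates below are upper case
TEXT_BLACKLIST = ["AUTO"]

def check_examples(full_matches_only):
    """Map each candidate from the page's tables to whether it is accepted."""
    accepted = {}
    for candidate in ["AUTO", "AUTO-MATIC", "LOVE_AUTOMATION"]:
        accepted[candidate] = is_restricted(
            candidate, blacklist=TEXT_BLACKLIST,
            full_matches_only=full_matches_only) is None
    for candidate in ["JAMES", "JAMES123", "A$ZJAMESZ$A"]:
        accepted[candidate] = is_restricted(
            candidate, attributes=["GIVEN_NAME"], user=USER,
            full_matches_only=full_matches_only, case_sensitive=False) is None
    return accepted
```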
Defining and Prioritizing Password Policies
Password policies can be created to serve different users or groups. In many implementation use cases, the default policy is configured to match the minimum directory service password complexity requirements. If two password policies exist, one policy must be selected as default.
The default policy does not support RBAC or ABAC, thus the default policy is for users and groups that do not match any custom policy. Users or groups are required to adhere to the highest prioritized custom policy for which their roles and/or directory service attributes match.
Any custom policy that leverages RBAC or ABAC should be prioritized higher than the default policy.