Restricted Passwords Tab
The Restricted Passwords tab allows administrators to prevent certain words and values from appearing in a user's password. Administrators can blacklist passwords by:
Text
Regular expression
Matching attribute values
Administrators have the option to require Case Sensitive Value Matching and Full Matches Only. More information on password configuration is available in Password Blacklist Standards.
Field Name | Description |
---|---|
Case Sensitive Value Matching | By default, blacklisted passwords must match in case. Enable this field to ignore case. |
Full Matches Only | Password comparisons behave differently depending on this option. |
Blacklisting Passwords by Text
Use this field to enter specific password values that should not be allowed.
The plus button adds entries while the delete button removes entries.
Adding a Blacklisted Value entry of AUTO produces the following results:
If Full Matches Only is enabled
Answer | Accepted? |
---|---|
AUTO | No |
AUTO-MATIC | Yes |
LOVE_AUTOMATION | Yes |
If Full Matches Only is disabled
Answer | Accepted? |
---|---|
AUTO | No |
AUTO-MATIC | No |
LOVE_AUTOMATION | No |
Blacklisting Passwords by Regular Expression
RapidIdentity Portal can support any regular expression pattern that Java can accommodate. The regular expression must match the entire password, including the values that make it eligible for blacklisting.
For example, [^ ] allows administrators to negate (blacklist) any character following the caret symbol. Entering .*[^at].* allows any password that does not contain lower case "a" and "t". The .* in this expression means any character zero or more times.
Another example is excluding (blacklisting) any password containing a particular set of characters such as tabs, commas, and spaces with .*[\t, ].*.
Note
Regular expressions do not need to be enclosed in forward slashes as with Connect actions.
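The following is an added example, not RapidIdentity code, for testing a blacklist pattern against sample passwords before entering it in the tab. It assumes the portal applies the pattern as Java's Matcher.matches() does (the pattern must consume the entire password); the class name, helper name and sample passwords are constructed for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

public class BlacklistRegexCheck {

    // Assumption: the portal evaluates the pattern like Matcher.matches(),
    // so a password is blacklisted only if the pattern matches all of it.
    static boolean isBlacklisted(String pattern, String password) {
        return Pattern.compile(pattern).matcher(password).matches();
    }

    public static void main(String[] args) {
        // Constructed sample passwords, not taken from the product documentation.
        List<String> samples =
                List.of("Winter2024!", "Winter 2024!", "a,b,c", "tab\there", " ");

        // Pattern from the page: tab, comma or space anywhere in the password.
        String wrapped = ".*[\\t, ].*";
        // Same character class without the .* wrappers: only a one-character
        // password can match in full, so longer passwords are not blacklisted.
        String bare = "[\\t, ]";

        System.out.printf("%-16s %-10s %-10s%n", "password", "wrapped", "bare");
        for (String pw : samples) {
            System.out.printf("%-16s %-10s %-10s%n",
                    pw.replace("\t", "\\t"), // show the tab visibly in the output
                    isBlacklisted(wrapped, pw) ? "blocked" : "accepted",
                    isBlacklisted(bare, pw) ? "blocked" : "accepted");
        }
    }
}
```

With the wrapped pattern every sample except Winter2024! is blocked; with the bare character class only the single-space password is blocked, which is why the .* on both sides is needed.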
Exclude Passwords that match these attributes values
The functionality on this tab is exactly the same as Blacklisting Passwords by Text but takes directory attribute values as input. This allows for the prevention of passwords that contain values such as the user's name or ID.
Adding a Blacklisted Value entry of GIVEN_NAME for a user whose given name is James produces the following results:
If Full Matches Only is enabled
Password | Accepted? |
---|---|
JAMES | No |
JAMES123 | Yes |
A$ZJAMESZ$A | Yes |
If Full Matches Only is disabled
Password | Accepted? |
---|---|
JAMES | No |
JAMES123 | No |
A$ZJAMESZ$A | No |