1.5 Creating Strong Password Policies

Password policy objects are publicly readable to allow applications to check whether passwords are compliant. This means that an unauthenticated user could query an Identity Vault and find out what password policies are in place. If the password policies require users to create strong passwords, this should not pose a risk, as noted in “Create Strong Password Policies” in the NetIQ Password Management Administration Guide.

Identity Manager Password Synchronization lets you simplify user passwords and reduce help desk costs. Bidirectional password synchronization lets you share passwords among eDirectory and connected systems in multiple ways, as described in the scenarios in the NetIQ Identity Manager Password Management Guide.

Using Universal Password and password policies allows you to enforce strong password syntax requirements for users. Use the Advanced Password Rules in password policies to define your organization’s best practices for passwords. The Advanced Password Rules features let you manage password syntax by using either NetIQ syntax or the Microsoft Complexity Policy. For more information, see “Managing Passwords by Using Password Policies” in the NetIQ Password Management Administration Guide.

For example, using NetIQ password syntax options, you can require user passwords to comply with rules such as the following:

  • Requiring unique passwords.

    You can prevent users from reusing passwords, and control the number of passwords the system should store in the history list for comparison.

  • Requiring a minimum number of characters in the password.

    Requiring longer passwords is one of the best ways to make passwords stronger.

  • Requiring a minimum number of numerals in the password.

    Requiring at least one numeric character in a password helps protect against “dictionary attacks,” in which intruders try to log in using words in the dictionary.

  • Excluding passwords of your choice.

    You can exclude words that you consider to be security risks, such as the company name or location, or the words “test” or “admin.” Although the exclusion list is not meant to import an entire dictionary, the list of words you exclude can be quite long. Just keep in mind that a long list of exclusions makes login slower for your users. A better protection from dictionary attacks is to require numerals or special characters.
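The four rules above, as an added illustration rather than NetIQ product code: a small checker that enforces a history list, a minimum length, a minimum count of numerals, and an exclusion list. The `PasswordPolicy` class, the rule names it returns, the sample exclusion words and the PBKDF2 cost are assumptions made for this example; the Identity Vault enforces its own rules internally and the matching semantics of its exclusion list may differ from the case-insensitive substring match assumed here.

```python
"""Added example, not NetIQ code: enforces unique passwords (history list), minimum
length, minimum numerals and an exclusion list, as described for Advanced Password Rules.
All names and values here are assumptions made for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # assumption: cost chosen for the example, not a NetIQ setting


def history_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest so the history list never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_numerals: int = 1
    history_depth: int = 8  # number of previous passwords kept for comparison
    # Constructed sample exclusion list (company name plus the words the guide names).
    excluded_words: tuple = ("test", "admin", "examplecorp")

    def violations(self, candidate: str, history: list) -> list:
        """Return the names of every rule the candidate breaks (empty list = compliant).
        history is a list of (salt, digest) pairs, newest first."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append("min_length")
        if sum(ch.isdigit() for ch in candidate) < self.min_numerals:
            problems.append("min_numerals")
        lowered = candidate.lower()
        # Assumption: excluded words match case-insensitively anywhere in the password.
        # Every candidate is compared against every word, which is why a very long
        # exclusion list slows down password changes and logins.
        if any(word in lowered for word in self.excluded_words):
            problems.append("excluded_word")
        # Only the most recent history_depth entries count; each comparison re-derives
        # the salted digest and uses a constant-time compare.
        for salt, digest in history[: self.history_depth]:
            if hmac.compare_digest(history_hash(candidate, salt), digest):
                problems.append("reused_password")
                break
        return problems


def record_password(history: list, password: str, depth: int) -> list:
    """Push a new salted digest onto the history list and trim it to the policy depth."""
    salt = os.urandom(16)
    return [(salt, history_hash(password, salt))] + history[: depth - 1]


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample: the user's current password is already in the history list.
    hist = record_password([], "Winter2024!Rain", policy.history_depth)
    samples = (
        "Winter2024!Rain",          # reused
        "short1",                   # too short
        "NoDigitsHereAtAll",        # no numeral
        "admin-Passw0rd-long",      # contains an excluded word
        "Correct-Horse-7-Battery",  # compliant
    )
    for pw in samples:
        print(f"{pw!r:28} -> {policy.violations(pw, hist) or 'OK'}")
```

Storing only salted digests in the history list matters because the list is a record of passwords the user is likely to reuse elsewhere; keeping it as plaintext or unsalted hashes would turn a policy feature into a credential store.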

Keep in mind that you can create multiple password policies if you have different password requirements in different parts of the tree. You can assign a password policy to the whole tree, a partition root container, container, or even an individual user. (To simplify administration, we recommend that you assign password policies as high up in the tree as possible.)

In addition, you can use intruder lockout. This eDirectory feature lets you specify how many failed login attempts are allowed before an account is locked. It is a setting on the parent container rather than in the password policy. See “Managing User Accounts” in the NetIQ eDirectory Administration Guide.