7.2 Configuring Password Policies

You configure a password policy to increase network security by enforcing rules about how users create their passwords. Apply the Self Service Password Reset password policy in one of the following ways:

  • Apply only the Self Service Password Reset policy

  • Apply only the LDAP policy

  • Merge the Self Service Password Reset policy with the LDAP policy

When you merge the Self Service Password Reset policy with the LDAP policy, Self Service Password Reset reads both policies. If both policies conflict with each other, Self Service Password Reset chooses the most restrictive policy.

Self Service Password Reset checks the text that a user sets as a password and rejects it if that text appears in the predefined password dictionary word list. The word list is a ZIP file containing one or more plain text files with one word per line.

Self Service Password Reset can store a shared password history for all users, which provides more security. You can also configure profile-specific password policies, that is, different password policies for the groups of users who belong to different profiles.

To configure a password policy, you must create a profile and configure two different sets of settings in Self Service Password Reset.

7.2.1 Configuring a Profile for a Password Policy

You can configure the password policies for specific groups of users by using the password policy profile. You can create different profiles for different user groups so that the system applies the specified password policy to each user group for each profile. For more information, see Configuring Profiles.

Based on the policy specified for users, Self Service Password Reset generates the text to display in the change password policy. To customize this text, use the Password Rule Text setting, which overwrites the Self Service Password Reset auto-generated text.

To configure a password policy for the default profile:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Policies > Password Policies > default.

  5. Configure the following settings:

    Password Policy Profile Match

    Specify the query that matches specific users for the specified profile. You can query by using Add Filter that includes the object class, and by using Add Group that includes the LDAP group.

    Minimum Length

    Specify the minimum length of the password. Specify 0 to disable this feature.

    Maximum Length

    Specify the maximum length of the password. Specify 0 to disable this feature.

    Maximum Repeat

    Specify the maximum number of times a character can be repeated in the password. This is case-insensitive. Specify 0 to disable this feature.

    Maximum Sequential Repeat

    Specify the maximum number of times a character can be repeated sequentially in the password. This is case-insensitive. Specify 0 to disable this feature.

    Allow Numeric Characters

    Select this option to allow numeric characters in the password.

    Allow First Character Numeric

    Select this option to allow the first character of the password to be numeric. This setting is applicable only when numeric characters are allowed in the password.

    Allow Last Character Numeric

    Select this option to allow the last character of the password to be numeric. This setting is applicable only when numeric characters are allowed in the password.

    Maximum Numeric

    Specify the maximum number of numeric characters you want to allow in the password. This setting is applicable when you allow numeric characters in the password. Specify 0 to disable this feature.

    Minimum Numeric

    Specify the minimum number of numeric characters you want to allow in the password. This setting is applicable when you allow numeric characters in the password. Specify 0 to disable this feature.

    Allow Special Characters

    Select this option to allow non-alphanumeric characters in the password.

    Allow First Character Special

    Select this option to allow the non-alphanumeric character to be the first character of the password. This setting is applicable when you allow the special characters in the password.

    Allow Last Character Special

    Select this option to allow the non-alphanumeric character to be the last character of the password. This setting is applicable when you allow the special characters in the password.

    Maximum Special

    Specify the maximum number of special characters allowed in the password. This setting is applicable when you allow the special characters in the password. Specify 0 to disable this feature.

    Minimum Special

    Specify the minimum number of special characters required in the password. This setting is applicable when you allow the special characters in the password. Specify 0 to disable this feature.

    Maximum Alphabetic

    Specify the maximum number of alphabetic characters allowed in the password. Specify 0 to disable this feature.

    Minimum Alphabetic

    Specify the minimum number of alphabetic characters required in the password. Specify 0 to disable this feature.

    Maximum Non-Alphabetic

    Specify the maximum number of non-alphabetic characters allowed in the password. Specify 0 to disable this feature.

    Minimum Non-Alphabetic

    Specify the minimum number of non-alphabetic characters required in the password. Specify 0 to disable this feature.

    Maximum Uppercase

    Specify the maximum number of uppercase characters allowed in the password. Specify 0 to disable this feature.

    Minimum Uppercase

    Specify the minimum number of uppercase characters required in the password. Specify 0 to disable this feature.

    Maximum Lowercase

    Specify the maximum number of lowercase characters allowed in the password. Specify 0 to disable this feature.

    Minimum Lowercase

    Specify the minimum number of lowercase characters required in the password. Specify 0 to disable this feature.

    Minimum Unique Characters

    Specify the minimum number of unique characters required in the password. Specify 0 to disable this feature.

    Maximum Characters From Previous Password

    Specify the maximum number of characters that a user can reuse from the previous password in the new password. Specify 0 to disable this feature.

    Minimum Lifetime

    Specify the minimum amount of time that must pass between password changes. Value is in seconds. Specify 0 to disable this feature.

    Enable Word List

    Select this check box to enable users to check the password against the configured word list.

    Active Directory Password Complexity

    Select the Microsoft Active Directory style password complexity rules from the list:

    Active Directory 2003 Level Complexity

    Select this setting to use the following password complexity rules:

    • Must not contain the user's account name or parts of the user's full name that exceed two consecutive characters

    • Must be at least six characters long

    • Must contain characters from three of the following four categories:

      • English uppercase characters (A through Z)

      • English lowercase characters (a through z)

      • Base 10 digits (0 through 9)

      • Non-alphabetic characters (for example, !, $, #, %)

    Active Directory 2008 Level Complexity

    Select this setting to use the following password complexity rules:

    • Must not contain the user's account name or parts of the user's full name that exceed two consecutive characters

    • Minimum 6 characters

    • Maximum 512 characters

    • Must contain characters from the following categories. You control how many of these categories are required by setting the Policies > Password Policies > [profile] > Active Directory 2008 Password Complexity Maximum Violations option.

      • European language uppercase alphabetic characters

      • European language lowercase alphabetic characters

      • Base 10 digits (0 through 9)

      • Non-alphabetic characters (for example, !, $, #, %)

      • Other alphabetic characters not included in the other categories

    None

    Select this setting if you do not require any of the Active Directory password complexity rules.

    NOTE: Self Service Password Reset applies a password policy that is the combination of the Self Service Password Reset policy and the Active Directory complexity rules. Hence, the change password page displays the combined policy.

    If you require exactly the Active Directory complexity policy, adjust the minimum and maximum character settings in the Self Service Password Reset policy to match those specified by the Active Directory complexity rules.

    Active Directory 2008 Password Complexity Maximum Violations

    Specify the maximum number of Active Directory 2008 Level Complexity category violations allowed in a user's password.

    This setting is applicable only if the Active Directory Password Complexity setting is set to Active Directory 2008 Level Complexity.

    Required Regular Expression Matches

    Add a regular expression pattern that the password must match in order to be allowed. You can list multiple patterns. A pattern must match the entire password to apply; the system ignores a partial match. You can use Macros.

    Disallowed Regular Expression Matches

    Specify a regular expression pattern that the password must not match in order to be allowed. You can list multiple patterns. A pattern must match the entire password to apply; the system ignores a partial match. You can use Macros.

    Disallowed Values

    Specify the list of case-insensitive values that you do not want to allow in the password. For example, password, user name, and the name of the organization.

    Disallowed Attributes

    Specify the list of attributes whose values must not be used as passwords. For a given user, the system reads the attribute values and does not permit them to be used as part of the password. This check is case-insensitive.

    NOTE: Specifying a number after the attribute name restricts how many consecutive characters of the value are disallowed. For example, Language:4 means that, for English-speaking users, the password cannot contain Engl, ngli, glis, or lish.

    Minimum Password Strength

    Specify the minimum password strength level required. Values from 45 to 69 are good, and values above 69 are strong. A value of 0 disables this check.

    Maximum Consecutive Characters

    Specify the maximum number of consecutive characters in a sequence such as 0123456789 or abcdefghijk. A sequence is determined by the Unicode order of each character after the entire value is converted to lowercase. To disable this check, set the value to 0.

    Password Change Message

    Specify the message to be displayed to the user during password changes. You can include HTML tags in messages.

    NOTE: A change password message read as part of an LDAP password policy might override this setting.

    Password Rule Text

    When blank, the system displays an automatically generated rule list to the user. The automated rule list might not include every setting in the password policy: some of the more esoteric or difficult-to-communicate rules are left out so that the user is not overwhelmed by having to read and parse the rules before attempting to change the password. If the user types a password that conflicts with such a rule, the per-keystroke rule checker provides direct feedback on how to correct the problem.

    To override the automatically generated rule list, set a value in this option. The option permits HTML tags.

    Disallow Current Password

    Prohibits the current password from being used as the new password.

    NOTE: This can be enforced only if the login method permits the user's password to be known.

    Minimum Character Groups Required

    Specify the minimum number of defined character groups users must have in their passwords.

    Character Group Definitions

    Define a character group that users must have in their password. A character group is a regular expression that matches a set of characters. For example, the following two character groups:

    [a-zA-Z]+
    [0-9]+

    require that users have a letter or a number in their passwords. If you combine this setting with Policies > Password Policies > [profile] > Minimum Character Groups Required, you can create a complex list of requirements that the user needs to match only partially. For example, you can use this type of policy to replicate the Active Directory “3 out of 5” rule with more flexibility and customization.

  6. In the toolbar, click Save changes.
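To make the Character Group Definitions, Minimum Character Groups Required and Disallowed Attributes rules concrete, here is an added example (not SSPR's own code) that evaluates a constructed policy against a password and a user's LDAP attributes. The group patterns, the attribute names cn and Language, and the handling of a value shorter than N are assumptions for the illustration.

```python
import re

# Constructed policy values standing in for the Character Group Definitions,
# Minimum Character Groups Required and Disallowed Attributes settings above.
# This is illustrative code, not SSPR's own implementation.
CHARACTER_GROUPS = [
    r"[A-Z]+",          # uppercase letters
    r"[a-z]+",          # lowercase letters
    r"[0-9]+",          # digits
    r"[^A-Za-z0-9]+",   # non-alphanumeric characters
    r"[^\x00-\x7F]+",   # other (non-ASCII) alphabetic characters
]
MIN_GROUPS_REQUIRED = 3                        # the Active Directory "3 out of 5" rule
DISALLOWED_ATTRIBUTES = ["cn", "Language:4"]   # "attr" or "attr:N", as in the NOTE above


def groups_matched(password, groups=CHARACTER_GROUPS):
    """Count the character groups that occur at least once in the password."""
    return sum(1 for pattern in groups if re.search(pattern, password))


def attribute_violations(password, user_attrs, rules=DISALLOWED_ATTRIBUTES):
    """Return the attribute values, or N-character runs of them, found in the password.

    "attr" forbids the whole value; "attr:N" forbids every run of N consecutive
    characters of the value. The comparison is case-insensitive. A value shorter
    than N is treated as a single run (an assumption; the page does not say).
    """
    pw = password.lower()
    hits = []
    for rule in rules:
        name, _, width = rule.partition(":")
        value = str(user_attrs.get(name, "")).lower()
        if not value:
            continue
        n = int(width) if width else len(value)
        runs = {value[i:i + n] for i in range(max(1, len(value) - n + 1))}
        hits.extend(sorted(run for run in runs if run in pw))
    return hits


def check_password(password, user_attrs):
    """Apply both rules; return (accepted, list of human-readable reasons)."""
    reasons = []
    matched = groups_matched(password)
    if matched < MIN_GROUPS_REQUIRED:
        reasons.append(f"only {matched} of {MIN_GROUPS_REQUIRED} required character groups present")
    for hit in attribute_violations(password, user_attrs):
        reasons.append(f"contains disallowed attribute fragment '{hit}'")
    return (not reasons, reasons)
```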

7.2.2 Configuring Password Settings

After you create the password profile, you must configure the settings for the password policy.

To configure a password policy:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Settings > Policies > Password Settings.

  5. Configure the following settings:

    Password Policy Source

    Select any one of the following:

    LDAP

    Self Service Password Reset reads the LDAP password policies. If you select this option, Self Service Password Reset ignores some of the Self Service Password Reset password policy settings.

    Local

    Self Service Password Reset reads the Self Service Password Reset policies. If you select this option, Self Service Password Reset ignores any policy settings of the LDAP directory.

    Merge Local and LDAP

    Self Service Password Reset reads both policies. If the policies conflict, Self Service Password Reset chooses the most restrictive value.

    Enable Shared History

    Select this option to enable a global shared password history for all users. If enabled, all users share a common password history, which helps prevent the use of common organizational words in passwords. The system stores the history entries as salted, encrypted hashes in the local database.

    Shared History Age

    Specify the maximum age of the shared history storage in seconds. The default value is four weeks (2419200 seconds).

    Password is Case Sensitive

    Select one of the following options to control whether passwords are treated as case-sensitive:

    • Read from Directory

    • True (Case Sensitive)

    • False (Not Case Sensitive)

  6. In the toolbar, click Save changes.
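The "most restrictive value" rule of Merge Local and LDAP has one edge case worth seeing in code: a setting whose value 0 means "disabled" must not win a "smaller is stricter" comparison. The following added example (not SSPR's own merge code) resolves two constructed policies under that interpretation; the setting names and the classification of which settings are minimums, maximums or booleans are assumptions for the illustration.

```python
# Constructed illustration of the "Merge Local and LDAP" policy source: each
# setting is resolved to its most restrictive value. Names and values are made
# up for the example; this is not SSPR's own implementation.

# "Minimum ..." settings are stricter when larger, "Maximum ..." settings are
# stricter when smaller, and 0 means "disabled" on both sides (assumption
# based on the "Specify 0 to disable" wording of the settings above).
MINIMUM_KEYS = {"MinimumLength", "MinimumNumeric", "MinimumSpecial", "MinimumUppercase"}
MAXIMUM_KEYS = {"MaximumLength", "MaximumRepeat", "MaximumSequentialRepeat"}
BOOLEAN_ALLOW_KEYS = {"AllowNumericCharacters", "AllowSpecialCharacters"}


def most_restrictive(key, local, ldap):
    """Pick the stricter of two values for one setting, treating 0 as 'not enforced'."""
    if key in MINIMUM_KEYS:
        return max(local, ldap)                    # higher floor is stricter; 0 never wins
    if key in MAXIMUM_KEYS:
        enforced = [v for v in (local, ldap) if v != 0]
        return min(enforced) if enforced else 0    # ignore disabled (0) ceilings
    if key in BOOLEAN_ALLOW_KEYS:
        return local and ldap                      # allow only if both policies allow it
    raise KeyError(f"no merge rule for setting {key!r}")


def merge_policies(local, ldap):
    """Merge two policy dicts; a setting present on one side only is kept as-is."""
    merged = {}
    for key in local.keys() | ldap.keys():
        if key in local and key in ldap:
            merged[key] = most_restrictive(key, local[key], ldap[key])
        else:
            merged[key] = local.get(key, ldap.get(key))
    return merged


# Constructed sample policies: the local policy has no length ceiling (0) and
# the LDAP policy has no repeat limit (0); neither 0 may override the other side.
LOCAL_POLICY = {"MinimumLength": 12, "MaximumLength": 0, "MaximumRepeat": 3,
                "MinimumSpecial": 1, "AllowSpecialCharacters": True}
LDAP_POLICY = {"MinimumLength": 8, "MaximumLength": 64, "MaximumRepeat": 0,
               "MinimumSpecial": 0, "AllowSpecialCharacters": True,
               "MinimumUppercase": 1}
```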

7.2.3 Configuring the Word List Settings

To increase the security of passwords, define a word list. A word list is a predefined password dictionary that Self Service Password Reset checks against the text that users set as their passwords. Self Service Password Reset does not allow a password if that text is present in the word list. The word list is a ZIP file containing one or more plain text files with one word per line.

To configure the word list:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Settings > Word Lists.

  5. Configure the following settings:

    Word List File URL

    Specify the URL of a word list file for dictionary checking, to prevent users from using commonly used words as passwords. Using word lists is an important part of password security because intruders use word lists to guess common passwords. The default word list contains commonly used English passwords.

    The first time Self Service Password Reset starts with a new word list setting, it takes some time to compile the word list into a database. See the status screen and logs for progress information. The word list file format is one or more text files containing a single word per line, enclosed in a ZIP file. The string !#comment: at the beginning of a line indicates a comment.

    The value must be a valid URL using the file (local file system), http, or https protocol.

    Word List Case Sensitivity

    Select this option to make word list matching case-sensitive. Changing this value causes a word list re-compilation.

    Word List Word Size Check

    Specify the number of consecutive characters from the password that Self Service Password Reset checks against the configured word list.

    For example, if the word to be checked is wordlist and this setting is set to 6, then the system checks the combinations wordli, ordlis, and rdlist against the configured dictionary. If any of these values match, the entire value is treated as a match to the word list. If you specify 0 (the number), or the password to check is shorter than the value specified here, then the system checks the entire password against the word list but not any smaller parts of it.

    Seed List File URL

    Specify the URL for the seed list. The value must be a valid URL using the file (local file system), http, or https protocol.

    When passwords are randomly generated, the system can offer users friendly random password suggestions. It does this by taking a seed word or words and modifying them randomly until the result is sufficiently complex and meets the rules computed for the user.

  6. In the toolbar, click Save changes.
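The word list format (one word per line, !#comment: lines), the Word List Word Size Check sliding window and the Word List Case Sensitivity option described above, as an added example that is not SSPR's own code. The word list text is constructed, and the check follows the page's description literally: when the size is greater than 0 and the password is long enough, only windows of exactly that size are compared.

```python
# Constructed word list, in the one-word-per-line format described above.
WORD_LIST_TEXT = """!#comment: constructed sample word list for this example
password
Winter
letmein
qwerty
"""


def load_word_list(text, case_sensitive=False):
    """Parse one-word-per-line text, skipping blank lines and !#comment: lines."""
    words = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!#comment:"):
            continue
        words.add(line if case_sensitive else line.lower())
    return words


def word_windows(password, size):
    """Substrings of the password that are compared against the word list.

    Word List Word Size Check semantics from the page: size 0, or a password
    shorter than size, means the whole password is checked and no smaller
    parts are considered; otherwise every run of exactly `size` characters.
    """
    if size == 0 or len(password) < size:
        return [password]
    return [password[i:i + size] for i in range(len(password) - size + 1)]


def in_word_list(password, words, size=6, case_sensitive=False):
    """True if the password (or any size-character window of it) is in the word list."""
    candidate = password if case_sensitive else password.lower()
    return any(window in words for window in word_windows(candidate, size))
```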