7.2 Configuring Password Policies

You configure your password policy to increase your network security by enforcing rules about how users create their passwords. Apply the Self Service Password Reset password policy in one of the following ways:

  • Apply only the Self Service Password Reset policy

  • Apply only the LDAP policy

  • Merge the Self Service Password Reset policy with the LDAP policy

When you merge the Self Service Password Reset policy with the LDAP policy, Self Service Password Reset reads both policies. If both policies conflict with each other, Self Service Password Reset chooses the most restrictive policy.

Self Service Password Reset checks the text that a user sets as their password and rejects it if it appears in the predefined password dictionary word list. The word list is a ZIP file containing one or more plain text files with one word per line.

Self Service Password Reset can store a shared password history for all users, which provides additional security. You can also configure profile-specific password policies, that is, different password policies for different groups of users who belong to different profiles.

To configure a password policy you must create a profile and configure two different sets of settings in Self Service Password Reset.

7.2.1 Configuring a Profile for a Password Policy

You can configure the password policies for specific groups of users by using the password policy profile. You can create different profiles for different user groups so that the system applies the specified password policy to each user group for each profile. For more information, see Configuring Profiles.

Based on the policy specified for users, Self Service Password Reset generates the text to display in the change password policy. To customize this text, use the Password Rule Text setting, which overwrites the Self Service Password Reset auto-generated text.

Self Service Password Reset allows you to define the requirements for the password. You can specify whether the password is required to have numbers, letters, and special characters. You can also define the minimum and the maximum number of uppercase and lowercase letters, and how many unique characters are required.

You can also define which groups of characters are allowed by using regular expressions. For example, consider the following two character groups:

[a-zA-Z]+
[0-9]+

These regular expressions require that users have a lowercase or uppercase letter or a number in their passwords. For more information about regular expressions, see Regular expression.

To configure a password policy for the default profile:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Policies > Password Policies > default.

  5. Configure the following password policy settings:

    Password Policy Profile Match

    Specify a query to determine if this password policy applies to a given user. During login, if the system has not assigned a previous policy to the user, it considers the matches here, and if positive, it assigns the user to this policy.

    1. Click Add Filter.

    2. Select the filter for profiles in LDAP Profile.

    3. Specify the valid LDAP filter in LDAP Search Filter.

    4. Specify the LDAP base DN in LDAP Base DN (Optional).

    5. Click View Matches.

    You can add a new group of users to the Challenge Profile Match.

    1. Click Add Group.

    2. Select the filter for filtering the profiles in LDAP Profile.

    3. Specify the LDAP base DN in LDAP Group DN.

    4. Click View Matches.

    Minimum Length

    Specify the minimum length of the password. A value of zero disables this setting.

    Maximum Length

    Specify the maximum length of the password. A value of zero disables this check. Although you can set this limit to a large value, the LDAP directory in use may have fixed limits on the supported password length.

    Maximum Repeat

    Specify the maximum number of times the users can repeat any character throughout the password. A value of zero disables this setting.

    Maximum Sequential Repeat

    Specify the maximum number of times the users can repeat any character consecutively within the password. A value of zero disables this setting.

    Allow Numeric Characters

    Enable this option to allow numeric characters in the password.

    Allow Last Character Numeric

    Enable this option to allow the last character of the password to be numeric. This setting is applied only if Allow Numeric Characters is enabled.

    Maximum Numeric

    Specify the maximum number of numeric characters allowed in the password. A value of zero disables this check. This setting is applied only if Allow Numeric Characters is enabled.

    Minimum Numeric

    Specify the minimum number of numeric characters the password must contain. A value of zero disables this check. This setting is applied only if Allow Numeric Characters is enabled.

    Allow Special Characters

    Enable this option to allow special characters in the password.

    Allow First Character Special

    Enable this option to allow the first character of the password to be a special character. This setting is applied only if Allow Special Characters is enabled.

    Allow Last Character Special

    Enable this option to allow the last character of the password to be a special character. This setting is applied only if Allow Special Characters is enabled.

    Maximum Special

    Specify the maximum number of special characters allowed in the password. A value of zero disables this setting. This setting is applied only if Allow Special Characters is enabled.

    Minimum Special

    Specify the minimum number of special characters the password must contain. A value of zero disables this setting. This setting is applied only if Allow Special Characters is enabled.

    Maximum Alphabetic

    Specify the maximum number of alphabetic characters allowed in the password. A value of zero disables this setting.

    Minimum Alphabetic

    Specify the minimum number of alphabetic characters the password must contain. A value of zero disables this setting.

    Allow Non-Alphabetic Characters

    Enable this option to allow non-alphabetic characters in the password.

    Maximum Non-Alphabetic

    Specify the maximum number of non-alphabetic characters allowed in the password. A value of zero disables this setting. This setting is applied only if Allow Non-Alphabetic Characters is enabled.

    Minimum Non-Alphabetic

    Specify the minimum number of non-alphabetic characters the password must contain. A value of zero disables this setting. This setting is applied only if Allow Non-Alphabetic Characters is enabled.

    Maximum Uppercase

    Specify the maximum number of uppercase characters allowed in the password. A value of zero disables this setting.

    Minimum Uppercase

    Specify the minimum number of uppercase characters the password must contain. A value of zero disables this setting.

    Maximum Lowercase

    Specify the maximum number of lowercase characters allowed in the password. A value of zero disables this setting.

    Minimum Lowercase

    Specify the minimum number of lowercase characters the password must contain. A value of zero disables this setting.

    Minimum Unique Characters

    Specify the minimum number of distinct characters the password must contain. A value of zero disables this setting.

    Maximum Characters From Previous Password

    Specify the maximum number of characters from the previous password allowed in the new password. A value of zero disables this setting.

    Minimum Lifetime

    Specify the minimum amount of time that must pass between password changes. The value is in seconds. A value of zero disables this setting.

    Enable Word List

    Enable this option to check the password against the configured Word List.

    For more information, see Configuring the Word List Settings.

    Enabling Breach Database Check

    To increase the security of the password, you must enable Breach Database Check. When enabled, Self Service Password Reset performs an online validation of the password entered by the user against the HaveIBeenPwned database, and allows the password only if it is not found in that database.

    Active Directory Password Complexity

    Select the Microsoft Active Directory style password complexity rules.

    Active Directory 2008 Password Complexity Maximum Violations

    Specify the maximum number of Active Directory 2008 Level Complexity category violations. This setting has no effect unless Active Directory Password Complexity is set to AD 2008 Level Complexity.

    Required Regular Expression Matches

    Specify a Regular Expression pattern which the password must match for the system to allow it. You can list multiple patterns. A pattern must match the entire password for the system to apply it. SSPR ignores a partial match. You can use macros. Click Add Value to add a new value.

    Disallowed Regular Expression Matches

    Specify a Regular Expression pattern which the password must not match for the system to allow it. You can list multiple patterns. A pattern must match the entire password for the system to apply it. SSPR ignores a partial match. You can use macros. Click Add Value to add a new value.

    Disallowed Values

    Specify a case insensitive list of values SSPR does not allow the users to use as passwords. Click Add Value to add a new value.

    Disallowed Attributes

    Specify a list of attributes not allowed to be used as passwords. SSPR reads the values for a given user and does not permit the users to use them as part of the password value. This check is case-insensitive.

    For example, "Language:4" indicates that, for English-speaking users, the password cannot contain "Engl", "ngli", "glis", or "lish".

    NOTE: Specifying a number after the attribute name restricts how many consecutive characters of the attribute value SSPR disallows in the password.

    1. Click Add Value to add a new value.

    Minimum Password Strength

    Specify the minimum strength of the passwords. SSPR evaluates password strength on a scale of 0 to 100 irrespective of other password policy settings. This setting requires that the users have a password that meets the minimum strength level specified here, regardless of other password policy rules. "Good" is 45 or better, while 70 or better is considered "strong". A value of 0 disables this setting.

    Maximum Consecutive Characters

    Specify the maximum number of characters in a sequence, such as 0123456789 or abcdefghijk. SSPR determines whether characters form a sequence by the Unicode character order of each character after it converts the entire value to lowercase. A value of 0 disables this setting.

    Password Change Message

    Specify a message SSPR displays to the users during password changes. The message may include HTML markup. You can override this setting by adding a change password message that is read as part of an LDAP password policy. Click Add Value to add a new value.

    Password Rule Text

    When blank, SSPR displays an automatically generated rule list to the user. The automated rule list may not include all settings in the password policy. Some of the more esoteric or difficult to communicate rules do not appear in the automatically generated list, so that users are not overwhelmed by having to read and parse the rules before attempting to change their passwords. Should the user type a password that conflicts with such a rule, the per-keystroke rule checker provides direct feedback to the user on how to correct the problem.

    If you do not want the automatically generated rule list, you can override it by setting a value here. The field permits HTML tags. Click Add Value to add a new value.

    Disallow Current Password

    Enable this option to prevent the current password from being used as a new password.

    NOTE: SSPR can only enforce this if the login method permits the user's password to be known.

    Minimum Character Groups Required

    Specify how many of the regular expression character groups defined in the setting Policies > Password Policies > [profile] > Character Group Definitions a password must match.

    Character Group Definitions

    Add an LDAP filter that contains a list of regular expression character matches. Along with the setting Policies > Password Policies > [profile] > Minimum Character Groups Required, this setting allows creating a complex list of requirements that the user only needs to partially match. For example, you can use this type of policy to replicate the Active Directory "3 out of 5" rules, but with more flexibility and customization.

    1. Click Add Value to add a new value.

  6. In the toolbar, click Save changes.
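The following Python script is an added example and is not SSPR's own code. It applies a small constructed policy that covers several of the settings above: Minimum/Maximum Length, Maximum Repeat, Maximum Sequential Repeat, Minimum Unique Characters, Maximum Consecutive Characters, Disallowed Values, Disallowed Attributes with the "attribute:N" window syntax from the "Language:4" example, and Character Group Definitions combined with Minimum Character Groups Required (using groups in the style of the [a-zA-Z]+ and [0-9]+ example earlier in this section). The policy values, the user attributes, the candidate passwords and the rule names are constructed. Where the page leaves a detail open (whether a character group counts on a partial match, whether descending runs count as a sequence, whether Disallowed Values are compared against the whole password), the assumption is stated in a comment.

```python
import re
from collections import Counter

# Constructed policy for illustration; the numbers are not SSPR defaults.
POLICY = {
    "minimum_length": 8,
    "maximum_length": 64,
    "maximum_repeat": 3,             # any one character at most 3 times in total
    "maximum_sequential_repeat": 2,  # at most 2 identical characters in a row
    "minimum_unique": 5,
    "maximum_consecutive": 4,        # "abcd" passes, "abcde" fails
    "disallowed_values": ["password", "welcome1"],
    # attribute name -> window size N from "attribute:N"; 0 means the whole value
    "disallowed_attributes": {"cn": 0, "language": 4},
    # character groups in the style of the page's [a-zA-Z]+ / [0-9]+ example
    "character_groups": [r"[a-z]+", r"[A-Z]+", r"[0-9]+", r"[^a-zA-Z0-9]+"],
    "minimum_character_groups": 3,
}


def max_repeat(password):
    """Highest total count of any single character (Maximum Repeat)."""
    return max(Counter(password).values(), default=0)


def max_sequential_repeat(password):
    """Longest run of one character back to back (Maximum Sequential Repeat)."""
    best = run = 0
    for i, ch in enumerate(password):
        run = run + 1 if i and password[i - 1] == ch else 1
        best = max(best, run)
    return best


def longest_consecutive(password):
    """Longest ascending run in Unicode order after lowercasing, e.g. 'abcd' -> 4.
    Assumption: only ascending runs count; the page does not say whether a
    descending run such as 'dcba' is also treated as a sequence."""
    lowered = password.lower()
    best = run = 0
    for i, ch in enumerate(lowered):
        run = run + 1 if i and ord(ch) == ord(lowered[i - 1]) + 1 else 1
        best = max(best, run)
    return best


def disallowed_attribute_hits(password, user_attributes, limits):
    """Names of attributes whose value (or, for 'attr:N', any window of N
    consecutive characters of it) appears in the password, case-insensitively."""
    pw = password.lower()
    hits = []
    for attr, window in limits.items():
        value = str(user_attributes.get(attr, "")).lower()
        if not value:
            continue
        if window <= 0:
            fragments = [value]
        else:
            fragments = [value[i:i + window] for i in range(len(value) - window + 1)]
        if any(frag in pw for frag in fragments):
            hits.append(attr)
    return hits


def matched_character_groups(password, groups):
    """Number of Character Group Definitions the password matches.
    Assumption: a group counts when its pattern matches anywhere in the password."""
    return sum(1 for g in groups if re.search(g, password))


def check_password(password, policy=POLICY, user_attributes=None):
    """Return the names of violated rules; an empty list means the password passes."""
    user_attributes = user_attributes or {}
    v = []
    n = len(password)
    if policy["minimum_length"] and n < policy["minimum_length"]:
        v.append("minimum_length")
    if policy["maximum_length"] and n > policy["maximum_length"]:
        v.append("maximum_length")
    if policy["maximum_repeat"] and max_repeat(password) > policy["maximum_repeat"]:
        v.append("maximum_repeat")
    if (policy["maximum_sequential_repeat"]
            and max_sequential_repeat(password) > policy["maximum_sequential_repeat"]):
        v.append("maximum_sequential_repeat")
    if policy["minimum_unique"] and len(set(password)) < policy["minimum_unique"]:
        v.append("minimum_unique")
    if policy["maximum_consecutive"] and longest_consecutive(password) > policy["maximum_consecutive"]:
        v.append("maximum_consecutive")
    # Assumption: Disallowed Values are compared against the whole password, case-insensitively.
    if password.lower() in (d.lower() for d in policy["disallowed_values"]):
        v.append("disallowed_value")
    for attr in disallowed_attribute_hits(password, user_attributes, policy["disallowed_attributes"]):
        v.append("disallowed_attribute:" + attr)
    if matched_character_groups(password, policy["character_groups"]) < policy["minimum_character_groups"]:
        v.append("minimum_character_groups")
    return v


if __name__ == "__main__":
    user = {"cn": "jdoe", "language": "English"}  # constructed user attributes
    for candidate in ["password", "Passw0rd!", "MyEnglishPass1!", "Abcde12!"]:
        print(candidate, check_password(candidate, POLICY, user) or "OK")
```

Running the script shows "MyEnglishPass1!" rejected only because it contains "Engl", the first 4-character window of the Language attribute, and "Abcde12!" rejected because "abcde" is a 5-character ascending run. Because every rule reports its own name, the same function can drive the kind of per-keystroke feedback the Password Rule Text setting describes.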

7.2.2 Configuring the Word List Settings

To increase the security of the passwords you must define a word list. A word list is a predefined password dictionary that Self Service Password Reset checks against the text that users set as their passwords. Self Service Password Reset does not allow a password if that text is available in the word list. The word list is a ZIP file containing one or more plain text files with one word per line. Regular expressions are not allowed in the word list file.

To configure the word list:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor > Policies > Password Policies > default.

  4. Ensure that Enable Word List is selected.

  5. Upload the word list in one of the ways described in Uploading the Word List.

  6. Click Save changes in the toolbar.

To verify the size of the word list, click Configuration Manager > Wordlist. The Word Count displays the number of words in the text file.

After you add or remove words from the word list, click Configuration Editor > Wordlist > Clear Wordlist to view the updated word count.

Updating the Word List

You can add more words that you do not want to allow as passwords to the word list. To update the word list, perform one of the following:

Customize the Existing Word List

  1. Download the wordlist.zip file from one of the following paths according to your setup:

    • Appliance: /var/lib/docker/overlay2/c25d96dc05d02d3f3159889fa78d9e2e2fe44393b67a1ca257e14079d84d6d36/merged/root/.sspr-workpath/work-sspr-8443/war/WEB-INF/

    • Linux: /srv/tomcat/webapps/sspr/WEB-INF/

    • Windows: C:\Program Files\NetIQ Self Service Password Reset\apache-tomcat-8\webapps\sspr\WEB-INF

  2. Extract the wordlist.txt file.

  3. Add the words that you do not want to allow as passwords to the text file. Ensure that one word is specified per line.

  4. Save the text file and compress the wordlist folder to the .zip format.

  5. Continue with Uploading the Word List.

Create a Word List

  1. Create the wordlist.txt file.

  2. Add the words that you do not want to allow as passwords to the text file. Ensure that one word is specified per line.

  3. Save the text file within the folder wordlist.

  4. Compress the word list folder to the .zip format.

  5. Continue with Uploading the Word List.
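The following Python script is an added example, not SSPR's own code, for the word list format described at the start of this section and built by the two procedures above: it writes a wordlist.txt with one word per line into a ZIP, reads every plain text file back out of such a ZIP the way a checker would, reports the word count, and flags lines that look like regular expressions, which the page says are not allowed in the file. The words are constructed; the assumption that the lookup is case-insensitive on the whole password is noted in a comment.

```python
import io
import zipfile

# Constructed word list: one word per line, no regular expressions.
WORDS = ["password", "welcome", "summer2024", "letmein"]

# Characters that usually signal a regular expression rather than a plain word.
REGEX_META = set("[]()*+?^$|\\{}")


def build_wordlist_zip(words, path=None):
    """Write wordlist/wordlist.txt (one word per line) into a ZIP and return its bytes.
    When path is given, the archive is also written to disk (e.g. "wordlist.zip")."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("wordlist/wordlist.txt", "\n".join(words) + "\n")
    data = buf.getvalue()
    if path:
        with open(path, "wb") as f:
            f.write(data)
    return data


def load_wordlist(zip_bytes):
    """Read every .txt member of the ZIP and return the set of lowercased words.
    The ZIP may hold more than one text file, as the page allows."""
    words = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".txt"):
                continue
            for line in zf.read(name).decode("utf-8").splitlines():
                word = line.strip().lower()
                if word:
                    words.add(word)
    return words


def is_in_wordlist(password, words):
    """Assumption: the whole password is compared case-insensitively against the list."""
    return password.lower() in words


def suspicious_lines(lines):
    """Lines containing regex metacharacters; SSPR would treat them as literal words,
    so they are worth reviewing before the file is uploaded."""
    return [line for line in lines if any(ch in REGEX_META for ch in line)]


if __name__ == "__main__":
    data = build_wordlist_zip(WORDS)
    words = load_wordlist(data)
    print("Word Count:", len(words))
    for candidate in ["PASSWORD", "Passw0rd!"]:
        print(candidate, "rejected" if is_in_wordlist(candidate, words) else "allowed")
    print("review these lines:", suspicious_lines(["password", "pass.*word", "[a-z]+"]))
```

Run `suspicious_lines` over the text file before zipping it: a line such as `[a-z]+` does nothing useful in a word list, because the file is matched word for word rather than as patterns.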

Uploading the Word List

NOTE: It is recommended to save the wordlist.zip file on an HTTP server and to configure the URL of that file location in SSPR. This way the word list is retained, as you require it, even after an upgrade.

You can upload the updated or new word list in one of the following ways:

Using a Web Server

You can save the wordlist.zip file on any web server and keep the URL of the file location for further reference. Perform the following steps to set the word list file URL in SSPR:

  1. Click Configuration Editor > Settings > Word Lists.

  2. Specify the URL of the word list file in Word List File URL.

  3. Click Save changes in the toolbar.

Using the User Interface

To upload the wordlist.zip file through the user interface, perform the following steps:

  1. Click Configuration Manager > Word Lists.

  2. Click Upload Word List.

  3. Click Choose File and select the wordlist.zip from your local drive.

  4. Click Upload.