3.5 Configuring Password Policy

SSPR lets you configure policies to increase security by setting rules for how users create their passwords. You can apply an SSPR password policy to all users in the following two ways:

  • Apply only the SSPR policy

  • Apply only the LDAP policy

  • Merge the SSPR policy with the LDAP policy

When you merge the SSPR policy with the LDAP policy, SSPR reads both policies. If the two policies conflict, SSPR chooses the most restrictive policy.

SSPR checks the text that a user sets as a password and rejects it if it appears in the predefined password dictionary, the Wordlist. The Wordlist is a ZIP file containing one or more plain text files with one word per line.

SSPR allows storing a shared password history for all users, which provides more security. You can also configure a profile-specific password policy. For more information on profile-specific password policy, refer to Section 5.2, Configuring Password Policy for a Profile.

To configure a password policy, perform the following steps:

  1. In Configuration Editor, click Settings > Password Settings.

  2. Click View > Always Show Advanced Settings to see and configure the advanced settings.

  3. Configure the following settings:

    Field

    Description

    Password Policy Source

    Select any one of the following:

    LDAP: SSPR reads the LDAP password policies. If you select this option, SSPR ignores some of the SSPR password policy settings.

    Local: SSPR reads the SSPR policies. If you select this option, SSPR ignores any policy settings of the LDAP directory.

    Merge Local and LDAP: SSPR reads both policies. If these policies conflict, SSPR chooses the most restrictive value of the policy.

    Wordlist File

    Specify a Wordlist to prevent users from using commonly used words as passwords. This is an important part of password security. The default Wordlist contains commonly used English words that an intruder may use to break the password.

    After you specify a new Wordlist, SSPR takes some time to compile it into a database. The Wordlist file format is one or more text files containing a single word per line, enclosed in a ZIP file.

    Enable Shared History

    Select this check box if you want to enable a global shared password history for all users on Main Menu. If enabled, all users share a common password history. This helps prevent usage of common organizational words in passwords. The system stores passwords as a salted and encrypted hash in the local database.

    Wordlist Case Sensitivity

    Select this check box if you want to use the Wordlist as case-sensitive for all matches. Changing this value causes wordlist re-compilation.

    Password is Case Sensitive

    Select one of the following options to control whether passwords are case sensitive:

    • Read from Directory

    • True (Case Sensitive)

    • False (Case Insensitive)

    Shared History Age

    Specify the maximum age of the shared history storage in seconds. The default value is four weeks (2419200 seconds).

    Wordlist Word Size Check

    Specify the number of characters in a word that is checked against the configured Wordlist.

    For example, if the word to be checked is Wordlist and this setting is set to 6, then the system checks the combinations wordli, ordlis, and rdlist against the configured dictionary. If any of these values match, then the entire value is considered to match the Wordlist. If this value is set to zero, or the word to check is smaller than the value specified here, then only the entire word is checked.

  4. Click Actions > Save.
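The following added example (not SSPR's own code) models how the Wordlist File, Wordlist Case Sensitivity, and Wordlist Word Size Check settings described above interact, so you can see what a given word size does and does not catch. The function names and sample words are constructed for illustration, and checking the whole password in addition to the windows is an assumption.

```python
import io
import zipfile


def build_wordlist_zip(files):
    """Build an in-memory ZIP of text files, one word per line (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, words in files.items():
            zf.writestr(name, "\n".join(words) + "\n")
    return buf.getvalue()


def load_wordlist(zip_bytes, case_sensitive=False):
    """Read every text file in the ZIP into a single set of words."""
    words = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for line in text.splitlines():
                word = line.strip()
                if word:
                    words.add(word if case_sensitive else word.lower())
    return words


def windows(text, word_size):
    """Every word_size-character substring; none if the setting is 0 or text is shorter."""
    if word_size <= 0 or len(text) < word_size:
        return []
    return [text[i:i + word_size] for i in range(len(text) - word_size + 1)]


def matches_wordlist(password, words, word_size=0, case_sensitive=False):
    """True if the whole password (assumption) or any window is in the wordlist."""
    text = password if case_sensitive else password.lower()
    return any(c in words for c in [text] + windows(text, word_size))


# Constructed sample: two text files inside one ZIP, one word per line.
SAMPLE_ZIP = build_wordlist_zip({"common.txt": ["summer", "dragon"],
                                 "org.txt": ["Contoso"]})

if __name__ == "__main__":
    words = load_wordlist(SAMPLE_ZIP)
    for size in (0, 6):
        print(size, matches_wordlist("Summer2024!", words, word_size=size))
```

With a word size of 0, a password that only embeds a dictionary word passes the check. With case-sensitive matching, a capitalized variant of a lowercase Wordlist entry also passes.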