Construct Password Composition Policies

Password composition policies define the rules to which target account passwords must conform. Credential Manager allows you to define various password composition policies to ensure that passwords meet the unique security needs of your organization.
If no policy is set, the default password composition policy is applied. The default policy specifies a minimum length of four characters and a maximum length of 16 characters, with no character restrictions.
You assign password composition policies to target applications. When a user enters a password, the password is validated against the composition policy. Credential Manager also uses the password composition policy to generate random passwords.
Ensure that policies meet or exceed the minimum password composition policy that is required by the target account. Also, validate that the use of special characters in the policy is allowed by the target system. The policy must follow the password requirements of the target system. If not, a password update can fail because the target system prevents the update.
Review the following topics before configuring password composition policies:
Password Composition Rules
Password composition policy characteristics define the minimum requirements for passwords. The configurable characteristics are:
Password Prefix: A fixed sequence of characters that must start the password string.
Minimum Length: Password length must be greater than or equal to this value.
Maximum Length: Password length must be less than or equal to this value.
Minimum Iterations Before Reuse: This rule dictates which previous passwords are available for reuse. For example, if you enter 3, then the current password and the previous password cannot be reused. However, the third previous password and older passwords can be reused. Entering 0 means that there are no restrictions; the password can always be reused. Use this setting with the Minimum Days Before Reuse setting to prevent the same password from being used twice. Credential Manager checks this setting only when updating a target account password.
Minimum Days Before Reuse: This option prevents the reuse of any password that was used within the last specified number of days. Use this setting with the Minimum Iterations Before Reuse setting to prevent the same password from being used twice. Credential Manager checks this setting only when updating a target account password.
Maximum Password Age Enforcement: This setting determines whether Credential Manager adheres to the specified password age. If disabled, the password for the target account never expires.
Maximum Password Age Days: This parameter specifies the maximum number of days a password is valid. The default value is 90 days. A password older than this is considered expired; if you enable Automatically Update Expired Passwords (Settings, Credential Manager), Credential Manager updates the expired password. The password age is reset each time that the password is updated.
The Password Expiry date indicates the number of days from the last password update to the maximum password age. If the password expires at least one day in the future, the indicator is green. If the password expires on the current day, the indicator is yellow. If the password is already expired, the indicator is red.
Must Contain: This setting indicates the types of characters that a password must contain.
  • At least one ASCII character set item
  • Each type of character that is selected must be included in the password
  • Each type of character that is not selected must be excluded from the password
First Must Contain: This rule specifies that the first character of each password comes from one of the selected types. Exactly one of the options is used.
Must Not Contain Rules: This rule identifies character patterns that the password must not contain. Options include:
  • Disallow Repeating Characters: Do not allow any adjacent matching characters. However, duplicate characters that are not adjacent are allowed. Example: ABCCDECFC. The second "C" of the adjacent pair "CC" is not allowed; the later, non-adjacent occurrences of "C" are allowed.
  • Disallow Duplicate Characters: Do not allow any matching characters. Example: ABCCDECFC. The letters "C" after the first one are not allowed.
  • Characters to Exclude: Do not allow any character from a list that you specify.
In addition to the configurable options, passwords cannot begin with the following characters:
  • {n}, where n is any integer value; non-integer values are acceptable. For example, Credential Manager cannot manage {1}mypassword or {999}anotherpassword, but can manage {104.1}okpassword.
  • Passwords cannot begin or end with a space character. Credential Manager ignores a space character and does not save it.
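The following Python checker is an added example, not Credential Manager's own code: it applies the composition rules above (prefix, length, Must Contain, First Must Contain, repeating and duplicate characters, excluded characters, the {n} and space restrictions) and the Minimum Iterations Before Reuse rule to a candidate password. The character classes, the Policy fields and the history layout are assumptions for the example.

```python
import re
import string
from dataclasses import dataclass, field

# Assumed character classes for the Must Contain / First Must Contain options.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

@dataclass
class Policy:
    prefix: str = ""
    min_len: int = 4              # default policy on the page: 4..16 characters
    max_len: int = 16             # with no character restrictions
    must_contain: set = field(default_factory=set)  # selected classes; empty = no rule
    first_must_contain: str = ""  # exactly one class name, or "" for no rule
    no_repeating: bool = False    # Disallow Repeating Characters (adjacent matches)
    no_duplicates: bool = False   # Disallow Duplicate Characters (any matches)
    exclude: str = ""             # Characters to Exclude
    min_iterations: int = 0       # 3 = current and previous password cannot be reused

def violations(policy, pw, history=()):
    """Return the rules that `pw` breaks; an empty list means it conforms.
    `history` lists earlier passwords, most recent first (constructed layout)."""
    errs = []
    if pw != pw.strip(" "):
        errs.append("leading/trailing space")
    if re.match(r"^\{\d+\}", pw):   # {1}... is unmanageable, {104.1}... is fine
        errs.append("starts with {n}")
    if not pw.startswith(policy.prefix):
        errs.append("prefix")
    if not policy.min_len <= len(pw) <= policy.max_len:
        errs.append("length")
    present = {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}
    if policy.must_contain and present != policy.must_contain:
        errs.append("must contain")  # selected classes required, unselected excluded
    if policy.first_must_contain and pw[:1] not in CLASSES[policy.first_must_contain]:
        errs.append("first must contain")
    if policy.no_repeating and any(a == b for a, b in zip(pw, pw[1:])):
        errs.append("repeating characters")
    if policy.no_duplicates and len(set(pw)) != len(pw):
        errs.append("duplicate characters")
    if any(c in policy.exclude for c in pw):
        errs.append("excluded character")
    # With n iterations, the n-1 most recent passwords are blocked (3 blocks current + previous).
    if policy.min_iterations and pw in history[: policy.min_iterations - 1]:
        errs.append("reuse")
    return errs
```

Running the page's own examples through it, ABCCDECFC fails only the repeating rule or only the duplicate rule depending on which option is selected, and {104.1}okpassword passes the {n} check while {1}mypassword does not.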
Suggested Password Composition Policies
Password composition policies must comply with password requirements of the remote applications. For the following types of targets, we suggest the following password composition policies:
  • Databases and Windows systems:
    • Alphabetic and numeric characters, plus a special character such as !, #, @ or *
    • A minimum length of six characters and a maximum length of 12 characters.
  • UNIX: Alphabetic characters (no mixed or numeric characters) with a length of eight characters.
Configure Password Composition Policies
You can create password composition policies with the UI or the CLI. Once you create password composition policies, you can then apply them to target applications.