Managing Password and Lockout Policies

Endpoint Administration Guide for Windows › Managing User Passwords › Managing Password and Lockout Policies

Managing Password and Lockout Policies

Passwords are the most popular device for authentication, but password protection methods have well‑known problems: trivial passwords are easy to guess; passwords that last for years and cyclic passwords are eventually broken; and passwords sent in clear text over a network can be trapped by listeners.

Windows has a set of password rules and policies that force users to use passwords that avoid most of these common pitfalls. CA ControlMinder has additional rules that ensure that users select even more secure passwords.

You can specify the following rules in CA ControlMinder:

A new password cannot match previous passwords. The number of previous passwords that CA ControlMinder stores is specified in the password policy.
A new password cannot contain the user name.
A new password cannot contain the password that it is replacing.
A new password cannot match the password that it is replacing. CA ControlMinder disregards letter case.
A new password must have at least the minimum number of alphanumeric characters, special characters, digits, lowercase characters, and uppercase characters specified in the password policy.
A new password must not have more repetitive characters than is specified in the password policy.
A new password cannot be one of the restricted words in the dictionary included in CA ControlMinder. The dictionary is specified in the Dictionary value in the registry subkey:
```
HKEY_LOCAL_MACHINE\Software\ComputerAssociates\AccessControl\passwd
```

Each password must have a maximum lifetime; that is, it must expire, forcing the user to choose a new password after a certain interval.

Each password must have a minimum lifetime. By specifying a minimum lifetime, you can prevent users from quickly and repeatedly changing passwords. With frequently changed passwords, they could overflow the password history stack and then re‑use a previous password.