Note: To set password restrictions, Identity Manager must integrate with SiteMinder. See the Implementation Guide for more information.
Using password policies, you can place restrictions on password usage. The restrictions include how long a user must wait before reusing a password and how different the password must be from ones previously selected. You can also prevent users from specifying words that you determine are a security risk or contain users’ personal information.
The Restriction section includes the following fields:
Determines how many days a user must wait before reusing a password.
Determines how many passwords must be used before a password can be reused.
Note: If you specify a length of time and number of passwords, both criteria must be satisfied before a password can be reused. For example, you can configure a password policy which requires users to wait 365 days and specify 12 passwords before reusing a password. After a year, if only six passwords have been used, another six would have to be used before the user can reuse the first password.
The percentage of characters a new password must contain that differ from characters in the previous password. If the value is set to 100, the new password may contain no characters that were in the previous password, unless Ignore sequence when checking for differences is deselected. For examples of how this parameter works with Ignore sequence when checking for differences, see the following table.
Ignores the position of the characters in the password when determining the percentage.
For example, if a user’s initial password is BASEBALL12 and the Ignore sequence when checking for differences check box is selected, a user cannot choose 12BASEBALL as the new password. If the check box is deselected, 12BASEBALL is an acceptable password because each letter occurs in a different position. For examples of how this parameter works with Percent different from last password, see the following table.
For increased security, the Ignore sequence when checking for differences check box should be selected.
Passwords | Percent different | Ignore sequence | Accepted
---|---|---|---
BASEBALL12 (Old), 12BASEBALL | 0 | Selected | Y
BASEBALL12 (Old), 12BASEBALL | 0 | Deselected | Y
BASEBALL12 (Old), 12BASEBALL | 100 | Selected | N
BASEBALL12 (Old), 12BASEBALL | 100 | Deselected | Y
BASEBALL12 (Old), 12SOFTBALL | 0 | Selected | Y
BASEBALL12 (Old), 12SOFTBALL | 0 | Deselected | Y
BASEBALL12 (Old), 12SOFTBALL | 90 | Selected | N
BASEBALL12 (Old), 12SOFTBALL | 90 | Deselected | Y
BASEBALL12 (Old), 12SOFTBALL | 100 | Selected | N
BASEBALL12 (Old), 12SOFTBALL | 100 | Deselected | N
Configuring the Match Length field prevents users from using personal information in their passwords. The Match Length field determines the minimum sequence length the password policy compares to attributes in the user’s directory entry. For example, if this value is set to 4, Identity Manager checks to see that the password is not composed of the last four digits of the user’s telephone number.
Specifies a list of strings that cannot be used in passwords.
Note: The last line of the dictionary file used by Password Services must be followed by a carriage return or it will not be included in the dictionary search.
The Dictionary settings include the following fields:
The password includes a substring which starts with the same series of characters as a dictionary entry.
The number of consecutive matching characters is greater than or equal to the number specified in the Match Length field.
For example, consider a dictionary file that contains the following:
lion
tiger
bear
If the Match Length field is set to 4, the following will result:
"TeddyBear" will be rejected because Bear matches the bear entry in the dictionary file.
"prestige" will be rejected because "tige" matches the first four characters of the tiger entry in the dictionary file.
"Geiger Counter" will be accepted since "iger" does not include the first letter of the tiger entry in the dictionary file.
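The following is an added reference model of the two checks described on this page, the Percent different / Ignore sequence comparison (reproducing every row of the table above) and the dictionary prefix match with Match Length (reproducing the lion/tiger/bear example). It is illustrative code written for this page, not CA's implementation; how CA counts differing characters internally, how unequal-length passwords are handled, and whether dictionary entries shorter than Match Length can match are assumptions made here.

```python
"""Illustrative model of the password-restriction checks on this page.
Not CA product code: the counting rules below are assumptions chosen so
that the results agree with the examples given in the documentation."""
from collections import Counter


def percent_different(old: str, new: str, ignore_sequence: bool) -> float:
    """Percentage of characters in `new` that differ from `old`.

    ignore_sequence=True : position is ignored; a character of `new` counts
        as different only if `old` has no unused copy of it (multiset
        comparison, assumed).
    ignore_sequence=False: compared position by position; positions beyond
        the end of the shorter password count as different (assumed).
    """
    if not new:
        return 0.0
    if ignore_sequence:
        leftover = Counter(new) - Counter(old)
        return 100.0 * sum(leftover.values()) / len(new)
    longest = max(len(old), len(new))
    differing = sum(1 for i in range(longest)
                    if i >= len(old) or i >= len(new) or old[i] != new[i])
    return 100.0 * differing / longest


def accepts_change(old: str, new: str, percent_required: int,
                   ignore_sequence: bool) -> bool:
    """True if `new` differs from `old` by at least `percent_required`."""
    return percent_different(old, new, ignore_sequence) >= percent_required


def dictionary_hit(password: str, words, match_length: int):
    """Return the dictionary entry that rejects `password`, or None.

    A password is rejected when it contains, case-insensitively, a run of at
    least `match_length` characters that starts at the beginning of a
    dictionary entry. Any longer matching prefix contains the shortest one,
    so testing the first `match_length` characters of each entry suffices.
    Entries shorter than `match_length` are assumed never to match.
    """
    haystack = password.lower()
    for word in words:
        prefix = word.strip().lower()[:match_length]  # strip() drops line endings
        if len(prefix) == match_length and prefix in haystack:
            return word
    return None
```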
Copyright © 2011 CA. All rights reserved.