You can place restrictions on password usage. The restrictions include how long a user must wait before reusing a password and how different the password must be from ones previously selected. You can also prevent users from specifying words that you determine are a security risk or contain personal information.
Note: This setting requires additional configuration. See Enable Additional Password Policies.
The Restriction section includes the following fields:
Determines how many days a user must wait before reusing a password.
Determines how many passwords must be used before a password can be reused.
Note: If you specify a length of time and number of passwords, both criteria are satisfied before a password can be reused. For example, you can configure a password policy which requires users to wait 365 days and specify 12 passwords before reusing a password. After a year, if only six passwords have been used, another six are used before the user can reuse the first password.
Specifies the percentage of characters a new password is required to contain. You can set the value to 100. In this case, the new password cannot contain characters that were in the previous password.
Ignores the position of the characters in the password when determining the percentage.
For example, with an initial password is BASEBALL12 and the Ignore sequence when checking for differences check box is selected, 12BASEBALL is not acceptable. With the check box deselected, 12BASEBALL is an acceptable password because each letter occurs in a different position.
For increased security, Ignore sequence when checking for differences check box is selected.
Passwords |
Percent different |
Ignore sequence |
Accepted |
|
---|---|---|---|---|
BASEBALL12 (Old) 12BASEBALL |
0 |
Selected Deselected |
Y Y |
|
|
||||
BASEBALL12 (Old) 12BASEBALL |
100 |
Selected Deselected |
N Y |
|
BASEBALL12 (Old) 12SOFTBALL |
0 |
Selected Deselected |
Y Y |
|
BASEBALL12 (Old) 12SOFTBALL |
90 |
Selected Deselected |
N Y |
|
BASEBALL12 (Old) 12SOFTBALL |
100 |
Selected Deselected |
N N |
Configuring the Match Length field prevents users from using personal information in their passwords. The Match Length field determines the minimum sequence length the password policy compares to attributes in the directory entry. For example, if this value is set to four, CA IdentityMinder verifies that the password does not include the last four characters of the user profile attributes, for example, last name or telephone number.
Specifies a list of strings that cannot be used in passwords.
Note: A carriage return follows The last line of the dictionary entry.
The Dictionary settings include the following fields:
For example, consider a dictionary file that contains the following entries:
When the Match Length field is set to four results in the following actions:
"TeddyBear", rejected because Bear matches the bear entry in the dictionary file.
"prestige", rejected because "tige" matches the first four characters of the tiger entry in the dictionary file.
"Geiger Counter", accepted since "iger" does not include the first letter of the tiger entry in the dictionary file.
Copyright © 2013 CA.
All rights reserved.
|
|