Previous Topic: Regular Expressions SyntaxNext Topic: Configure Advanced Password Options


Set Password Restrictions

You can place restrictions on password usage. The restrictions include how long a user must wait before reusing a password and how different the password must be from ones previously selected. You can also prevent users from specifying words that you determine are a security risk or contain personal information.

Note: This setting requires additional configuration. See Enable Additional Password Policies.

The Restriction section includes the following fields:

Minimum number of days before reuse

Determines how many days a user must wait before reusing a password.

Minimum number of passwords before reuse

Determines how many passwords must be used before a password can be reused.

Note: If you specify a length of time and number of passwords, both criteria are satisfied before a password can be reused. For example, you can configure a password policy which requires users to wait 365 days and specify 12 passwords before reusing a password. After a year, if only six passwords have been used, another six are used before the user can reuse the first password.

Percent different from last password

Specifies the percentage of characters a new password is required to contain. You can set the value to 100. In this case, the new password cannot contain characters that were in the previous password.

Ignore sequence when checking for differences

Ignores the position of the characters in the password when determining the percentage.

For example, with an initial password is BASEBALL12 and the Ignore sequence when checking for differences check box is selected, 12BASEBALL is not acceptable. With the check box deselected, 12BASEBALL is an acceptable password because each letter occurs in a different position.

For increased security, Ignore sequence when checking for differences check box is selected.

Passwords

Percent different

Ignore sequence

Accepted

BASEBALL12 (Old)

12BASEBALL

0

Selected

Deselected

Y

Y

 

BASEBALL12 (Old)

12BASEBALL

100

Selected

Deselected

N

Y

BASEBALL12 (Old)

12SOFTBALL

0

Selected

Deselected

Y

Y

BASEBALL12 (Old)

12SOFTBALL

90

Selected

Deselected

N

Y

BASEBALL12 (Old)

12SOFTBALL

100

Selected

Deselected

N

N

Profile Attributes

Configuring the Match Length field prevents users from using personal information in their passwords. The Match Length field determines the minimum sequence length the password policy compares to attributes in the directory entry. For example, if this value is set to four, CA IdentityMinder verifies that the password does not include the last four characters of the user profile attributes, for example, last name or telephone number.

Dictionary

Specifies a list of strings that cannot be used in passwords.

Note: A carriage return follows The last line of the dictionary entry.

The Dictionary settings include the following fields: