Set up a password policy
The Password Policy page of the WebSphere Commerce Administration Console lets you define the characteristics a user's password must have so that it complies with the security policy for your site. This page lists all existing password policies, including any predefined ones supplied with WebSphere Commerce by default.
A password policy defines attributes with which the password must comply:
- Whether the user ID and password can match.
- Maximum occurrence of consecutive characters.
- Maximum instances of any character.
- Maximum lifetime of the passwords.
- Minimum number of alphabetic characters.
- Minimum number of numeric characters.
- Minimum length of password.
- Whether the user's previous password can be reused.
- Number of previous passwords to check against when the user selects a new password.
You can manage password policies as follows:
- You can create a new password policy by clicking New.
- You can change the characteristics of an existing password policy by selecting the policy in the list and clicking Change.
- You can delete an existing policy by selecting the password policy in the list and clicking Delete.
- The number of old passwords to check against in the password history is stored in the database and cannot be changed from the Administration Console; it can only be changed by updating the value of the column directly, using SQL. The value to set is a negative integer. For example, this statement sets the number of old passwords to check against to four:
update PLCYPASSWD set REUSEPASSWORD=-4 where PLCYPASSWD_ID = (select PLCYPASSWD_ID from PLCYPWDDSC where DESCRIPTION='<name of the password policy>')
- Open the Administration Console.
- Click Security > Password Policy.
- On the Password Policy page, click New to create a new password policy.
- Enter a name for the password policy in the Name field (for example, my_password_policy).
- Update the following as required to modify any of the values from the default value for customers:
  - Can the userID and password match? Defines whether the userID and password can be identical or not. Select either Yes or No from the list.
  - Maximum consecutive character types. Defines the maximum occurrence of consecutive characters in a password. The minimum value is 2 consecutive characters. For example, with a value of 2, a user cannot enter a password such as aaabc.
  - Maximum instances of any character. Defines the maximum number of times the same character can appear in a password. The minimum value is 1 instance of a character. For example, with a value of 2, a user cannot enter a password such as abcaabc.
  - Maximum lifetime of the passwords. Defines the maximum amount of time, in days, that a password can exist. The minimum value is 1 day. After this time period, a user is prompted to change their password.
  - Minimum number of alphabetic characters. Defines the minimum number of alphabetic characters that need to be in a password. The minimum value is 0 alphabetic characters.
  - Minimum number of numeric characters. Defines the minimum number of numeric characters that need to be in a password. The minimum value is 0 numeric characters.
  - Minimum length of password. Defines the smallest length of a password, in characters. The minimum value is 1 character.
  - Can the password be reused? Defines whether a user's previous password can be reused. Select either Yes or No from the list.
    By default, when you create a new password policy, a user's four previous passwords cannot be reused.
- Click OK.
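The following is an added example, not WebSphere Commerce code, showing how the attributes above translate into concrete checks. The field names on PasswordPolicy, the check_password and password_expired functions, and the PBKDF2-based history storage are all assumptions made for this illustration; only the attribute semantics (for example, a consecutive-character limit of 2 rejecting aaabc, an instance limit of 2 rejecting abcaabc, and a four-password reuse history corresponding to REUSEPASSWORD=-4) come from the page.

```python
"""Password-policy checker modelled on the attributes listed on this page.

Added example, not WebSphere Commerce code. Field names and function
names are assumptions; the rules they enforce follow the page text.
"""
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence, Tuple

PBKDF2_ROUNDS = 100_000  # assumption: any slow password hash would do here


@dataclass(frozen=True)
class PasswordPolicy:
    userid_may_match: bool = False   # "Can the userID and password match?"
    max_consecutive: int = 2         # "Maximum consecutive character types"
    max_instances: int = 2           # "Maximum instances of any character"
    max_lifetime_days: int = 90      # "Maximum lifetime of the passwords"
    min_alpha: int = 1               # "Minimum number of alphabetic characters"
    min_numeric: int = 1             # "Minimum number of numeric characters"
    min_length: int = 8              # "Minimum length of password"
    reuse_allowed: bool = False      # "Can the password be reused?"
    history_depth: int = 4           # magnitude of REUSEPASSWORD (-4 -> 4)


# Previous passwords are kept only as (salt, digest) pairs, never in clear.
HashedPassword = Tuple[bytes, bytes]


def hash_password(password: str, salt: Optional[bytes] = None) -> HashedPassword:
    """Salted PBKDF2-HMAC-SHA256 of the password (assumed storage format)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character (aaabc -> 3)."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(policy: PasswordPolicy, userid: str, password: str,
                   history: Sequence[HashedPassword] = ()) -> List[str]:
    """Return the list of policy violations for a candidate password.

    An empty list means the password satisfies every attribute of the policy.
    `history` holds the user's previous passwords, oldest first.
    """
    violations: List[str] = []
    if not policy.userid_may_match and password == userid:
        violations.append("password must not match the user ID")
    if longest_run(password) > policy.max_consecutive:
        violations.append(f"more than {policy.max_consecutive} consecutive identical characters")
    if max(Counter(password).values(), default=0) > policy.max_instances:
        violations.append(f"a character appears more than {policy.max_instances} times")
    if sum(c.isalpha() for c in password) < policy.min_alpha:
        violations.append(f"fewer than {policy.min_alpha} alphabetic characters")
    if sum(c.isdigit() for c in password) < policy.min_numeric:
        violations.append(f"fewer than {policy.min_numeric} numeric characters")
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if not policy.reuse_allowed and policy.history_depth > 0:
        # Only the most recent `history_depth` entries are checked, matching
        # the "number of previous passwords to check against" attribute.
        for salt, digest in history[-policy.history_depth:]:
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                violations.append(f"matches one of the last {policy.history_depth} passwords")
                break
    return violations


def password_expired(policy: PasswordPolicy, last_changed: date, today: date) -> bool:
    """True once the password has existed longer than the maximum lifetime."""
    return (today - last_changed).days > policy.max_lifetime_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    previous = [hash_password("0ldSecret1"), hash_password("0ldSecret2")]
    for candidate in ("aaabc1234", "0ldSecret2", "Tr0ub4dor!"):
        print(candidate, "->", check_password(policy, "alice", candidate, previous) or "ok")
```

The history comparison recomputes the hash of the candidate under each stored salt and compares with a constant-time function, so the old passwords never need to be recoverable; the expiry check is kept separate because it applies to an existing password at login time, not to a candidate at change time.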
Notes:
- You cannot delete a password policy if it is in use (that is, a user is assigned to the password policy).
- Password policies are enforced only if users are authenticated against the WebSphere Commerce database.
Also see Default authentication policies for additional information.
Related Concepts
Authentication policies
Related tasks
Set up an account policy
Set up an account lockout policy
Enhancing site security