Secure > Enhance site security
Set up a password policy
The Password Policy page of the Administration Console allows you to control a user's password selection in order to define the characteristics of the password to ensure that it complies with the security policy for the site. This page lists all existing password policies including any predefined ones supplied with WebSphere Commerce by default.
A password policy defines attributes with which the password must comply:
- Whether the user ID and password can match.
- Maximum occurrence of consecutive characters.
- Maximum instances of any character.
- Maximum lifetime of the passwords.
- Minimum number of alphabetic characters.
- Minimum number of numeric characters.
- Minimum length of password.
- Number of previous passwords to check against when the user selects a new password.
You can manage password policies...
- You can create a new password policy by clicking New.
- You can change the characteristics of an existing password policy by selecting the policy in the list and clicking Change.
- You can delete an existing policy by selecting the password policy in the list and clicking Delete.
Procedure
- Open the Administration Console and select Site on the Administration Console Site/Store Selection page.
- Click Security > Password Policy. The Password Policy page is displayed.
- Click New to create a new password policy.
- Enter a name for the password policy in the Name field (for example, my_password_policy).
- Update the following as required to modify any of the values from the default value for customers:
Option Description Can the userID and password match? Defines whether the userID and password can be identical or not. Select either Yes or No from the list. Maximum consecutive character types Defines the maximum occurrence of consecutive characters in a password. The minimum value is 2 consecutive characters. For example, with a value of 2, a user cannot enter a password such as aaabc. Maximum instances of any character. Defines the maximum number of times the same character can appear in a password. The minimum value is 1 instance of a character. For example, with a value of 2, a user cannot enter a password such as abcaabc. Maximum lifetime of the passwords. Defines the maximum amount of time, in days, that a password can exist. The minimum value is 1 day. After this time period, a user is prompted to change their password. Minimum number of alphabetic characters Defines the minimum number of alphabetic characters that need to be in a password. The minimum value is 0 alphabetic characters. Minimum number of numeric characters Defines the minimum number of numeric characters that need to be in a password. The minimum value is 0 numeric characters. Minimum length of password Defines the smallest length of a password, in characters. The minimum value is 1 character. Numbers of passwords that are kept in password history Defines the number of previous passwords to check against when the user selects a new password. By default, when you create a new password policy, a user's four previous passwords cannot be reused.
- Click OK.
Notes:
See Default authentication policies for additional information.
- You cannot delete a password policy if it is in use (that is, a user is assigned to the password policy).
- Password policies are enforced only if users are authenticated against the WebSphere Commerce database.