Password policies
A password policy defines the password strength rules used to determine whether a new password is valid.
A password strength rule is a rule to which a password must conform. For example, password strength rules might specify that the minimum number of characters of a password must be 5. The rule might also specify that the maximum number of characters must be 10.
A password policy sets the rules that passwords for a service must meet, such as length and type of characters allowed and disallowed. Additionally, the password policy might specify that an entry is disallowed if the term is in a dictionary of unwanted terms. To select this choice in the user interface, you must first load a dictionary.ldif file into ISIM.
You can specify the following standards and other rules for passwords:
- Minimum and maximum length
- Character restrictions
- Frequency of password reuse
- Disallowed user names or user IDs
- Minimum password age
- If password synchronization is enabled, the administrator must ensure that password policies do not have any conflicting password strength rules. When password synchronization is enabled, Security Identity Manager combines policies for all accounts that are owned by the user to determine the password to be used. If conflicts between password policies occur, the password might not be set.
You might need to coordinate the password strength rules for the services. The first password strength rule might specify a minimum number of eight characters. Another password strength rule might specify a maximum number of six characters for a password. You must resolve such conflicts to enable a user to log on successfully.
- Some sites with a service such as AIX might require longer passwords for users who have root authority. You might set a value for the minimum length of a password that is shorter than the default password on the AIX server. The shorter value might cause some users with root authority to enter a password that is shorter than required, causing authentication failure.
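One way to check for such conflicts before enabling password synchronization, as an added example that is not ISIM code. It assumes policies combine by intersection (largest minimum, smallest maximum); the `StrengthRules` fields, service names and sample policies are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class StrengthRules:
    # Hypothetical rule model for this example; not ISIM attribute names.
    service: str
    min_length: int = 0
    max_length: Optional[int] = None  # None means no upper bound
    min_digits: int = 0
    min_letters: int = 0

def combine(policies: List[StrengthRules]) -> StrengthRules:
    """Intersect rule sets: minimums rise to the largest, maximums fall to the smallest."""
    caps = [p.max_length for p in policies if p.max_length is not None]
    return StrengthRules(
        service="+".join(p.service for p in policies),
        min_length=max(p.min_length for p in policies),
        max_length=min(caps) if caps else None,
        min_digits=max(p.min_digits for p in policies),
        min_letters=max(p.min_letters for p in policies),
    )

def find_conflicts(policies: List[StrengthRules]) -> List[str]:
    """Return the reasons why no single password can satisfy every policy."""
    c = combine(policies)
    reasons = []
    if c.max_length is None:
        return reasons  # without an upper bound, minimums can always be met
    if c.min_length > c.max_length:
        reasons.append(f"minimum length {c.min_length} exceeds maximum length {c.max_length}")
    required = c.min_digits + c.min_letters
    if required > c.max_length:
        reasons.append(f"{required} required digits and letters exceed maximum length {c.max_length}")
    return reasons

# Constructed sample policies. The first pair is the conflict described above.
AIX = StrengthRules("aix", min_length=8)
LEGACY = StrengthRules("legacy", max_length=6)
# Pairwise compatible, but unsatisfiable once all three are combined.
HR = StrengthRules("hr", min_letters=5)
MAIL = StrengthRules("mail", min_digits=3)
BADGE = StrengthRules("badge", max_length=7)

if __name__ == "__main__":
    for owned in ([AIX, LEGACY], [HR, MAIL, BADGE], [HR, MAIL]):
        print(combine(owned).service, find_conflicts(owned) or "ok")
```

The second sample set shows why comparing policies two at a time is not enough: each pair is satisfiable, but the combination of all three is not.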
- Create a password policy
An administrator can create a password policy for use with one or more services. For example, you might create a password policy that specifies a rule that a character can be repeated no more than three times in a password.
- Add targets to a password policy
An administrator can add targets to an existing password policy.
- Create a password policy rule
Administrators can create a rule for an existing password policy. For example, you might create a rule that specifies the minimum number of numeric characters for a password.
- Change a password policy
An administrator can change a password policy to meet the requirements of your organization for passwords. For example, you might change a password policy to set the minimum and maximum characters required for the password.
- Change targets for a password policy
An administrator can change targets for an existing password policy.
- Change a password policy rule
An administrator can change a password policy rule. For example, you might change or remove the settings for an existing rule.
- Deleting a password policy
An administrator can delete a password policy that is no longer needed to control password entries.
- Customized password rules
You can use the ISIM server to add customized logic for generating passwords. To add the logic, you can use a customized rule, a customized generator, or a combination of both.