RapidIdentity Product Guide: New UI

Password Policy Manager

The Password Policy Manager allows administrators to define password policies to ensure that passwords comply with the following criteria:

  • Syntax

  • Restricted Password Values

  • Avoidance of Breached Passwords

From the Configuration menu, choose Authentication under Policies, and click Password in the left menu. This will display the Default Password Policy.

The four available tabs on this screen are General, Password Syntax, Restricted Passwords, and Password Screening. Each tab has a different set of options for System Administrators to use to define policies surrounding the types of passwords that users must create.

General Tab
Password_Policy_2020a_General.jpg
Table 71. Password Policy Manager - General Tab

Section

Field

Description

General

Name

Give the policy a name that makes the policy easy to identify.

Description

This will be the information displayed to the user when they are prompted to create a password. Administrators can use basic HTML formatting to ensure the message is easy to read and understand.

Enabled

Select this checkbox to enable the policy for all applicable users.

Default Policy

Select this checkbox to ensure this policy is the default.

Affected Users

Access Control

Choose how or if to limit access to the policy. More information on RBAC and ABAC filtering is available in Configuring Module Visibility. This field defaults to None.

Note

This section only appears when the selected policy is not the default policy.

Password Reset

Allow Password Reset to Attribute Value

Select this checkbox to enable users to use various attributes as passwords.

Allow Random Password Generation

Select this checkbox to allow passwords governed by this policy to be reset to random values when performing delegated or self-service password reset.

Default for "User Must Change Password At Next Login"

Select this checkbox to enforce whether the "User Must Change Password At Next Login" option is automatically selected when delegated administrators or self-service users change the password for users associated with this policy.



Password Syntax Tab
Password_Policy_2020a_Syntax.jpg
Table 72. Password Policy Manager - Password Syntax Tab

Section

Field

Description

General

Password Length

Define the minimum and maximum number of characters required for the current Password Policy.

Note

Setting the minimum length to 0 means RapidIdentity will not enforce a minimum length, and setting the maximum length to 0 means RapidIdentity will not enforce a maximum length for new passwords for users within this policy.

If both values are greater than zero, the Minimum Length character count must be less than or equal to the Maximum Length character count.

Regular Expression for Allowed Characters

Insert a string to enforce further password complexity rules as needed. This can force include or force exclude certain characters at the creation of password for users that qualify for this policy.

Character Sets to Meet

Number of Character Sets as defined in the next section that the password must meet to match the requirements of this policy.

Meet AD Complexity Requirements

Pressing this button changes the Password Length Minimum to 7 and Character Sets to Meet to 3. These are the default Password Complexity requirements as set by the AD industry standard.

Character Sets

Uppercase Letters

Define the minimum and maximum number of Uppercase Letters (A-Z) that must be included.

Lowercase Letters

Define the minimum and maximum number of Lowercase Letters (a-z) that must be included.

Numbers

Define the minimum and maximum number of Numbers (0-9) that must be included.

Special Characters

Define the minimum and maximum number of Special Characters (!"#$%&'()*+,-./:;=?@[\]^_`{|}~) that must be included.

Unicode Characters

Define the minimum and maximum number of Unicode Characters that must be included.



Restricted Passwords Tab
Password_Policy_2020a_Restricted.jpg
Table 73. Password Policy Manager - Restricted Passwords Tab

Section

Field

Description

Match by Text

Case Sensitive Match

Check this box to enforce case sensitivity against any Restricted Passwords defined below.

Full Match

Check this box to restrict any phrases that fully match any of the Restricted Passwords defined below.

Restricted Passwords

Click +Add Another to include any words and phrases that are to be restricted from use in a user's password.

Match by Regular Expression

Restricted Passwords

Click +Add Another to include any regular expressions that are to be restricted from use in a user's password.

Match by Attribute Value

Case Sensitive Match

Check this box to enforce case sensitivity against any Restricted Attribute Values defined below.

Full Match

Check this box to restrict any Attributes that fully match any of the Restricted Passwords defined below.

Meet AD Complexity Attribute Exclusions

Check this box to enforce AD industry standard complexity requirements when using Attributes to build a user's password.

Restricted Passwords

Click +Add Another to include any Attributes that are to be restricted from use in a user's password.



Password Screening Tab
Password_Policy_2020a_Screening.jpg
Table 74. Password Policy Manager - Password Screening Tab

Section

Field

Description

Password Screening

Enabled

Click this checkbox to enable password screening. When enabled, the password the user chooses will be screened against a database of compromised passwords and the user will be required to pick another.

Screening Service

Currently, there is only one service available within RapidIdentity, and it defaults to the Have I Been Pwned screening service. This service checks to see whether the password the user has chosen has recently been involved in a data breach, and automatically blacklists any of those reported.

Error Message

When the Password Screening feature is enabled, the Error Message displayed to the user becomes editable from the default text. You may change it to include instructions on changing the user's password or leave it as is. When prompted, the error message will appear to the user as shown below.

User_Sees.png