Credential Policies

Credential Policies define a set of rules that are applied when setting and/or verifying a password. Multiple policies can be defined in the system and associated with Credential Managers as needed.

[Figure: Configuring a credential policy in Facilities. (Admin UI version: 10.6)]

Some components in the system that handle user credentials, namely the HTML Forms Authenticator, adapt their interface/behavior based on the Credential Policy of the associated Credential Manager. For example, when a user is setting a new password, the complexity requirements defined in the policy are presented to the user.

Rules

Rules may apply on credential verification, when setting a new password, or both. All enabled rules must accept the credential operation for it to go through in the system.

The following sections define the available rules that can be enabled in a credential policy.

Complexity

  • Validation of password complexity rules, such as the minimum length or the number of characters of a given type.
  • This rule is applied when a new password is being set. The operation is rejected if the attempted password doesn’t meet the configured criteria.

History

  • Validation against previously used passwords, i.e. the number of unique passwords that must be used before a password can be reused.
  • This rule is applied when a new password is being set. The operation is rejected if the attempted password is among the last used passwords.

Temporary Lockout

  • Applies a temporary lockout period after a given number of consecutive failed verification attempts.
  • The counter of failed attempts is reset after a successful verification or after some time has elapsed since the last failed attempt (same duration as the configured lockout period).
  • This rule is applied during password verification. If the temporary lockout period is active, the operation is rejected before the password is actually verified using the configured data source.

Aging

  • Validation of the maximum password age, forcing users to periodically change passwords.
  • This rule is applied during password verification. If the provided password is correct but it is too old, the operation is rejected.
  • When a new password is set, the current instant is captured and used to determine the password age during verification.

Force Reset

  • Require that the user reset their password the next time they attempt to log in.

Dictionary

  • Check if passwords are found in a dictionary/list of common passwords.
    • The dictionary file is shared by all policies using this rule and must be located at $IDSVR_HOME/etc/password-dictionary.txt.
    • The dictionary file is loaded into memory for performance, so some care should be taken with its size. Note that this rule is meant to check for common words, not to check large datasets of compromised passwords.
  • This rule is applied when a new password is being set. The operation is rejected if a match is found in the dictionary.
  • In addition to the provided password, the following variations are also checked (cumulative):
    • Reversed value.
    • Remove up to a given number of characters from the start/end of the password (optional).
  • All dictionary checks are case insensitive.

As an example, if the dictionary contains curity and the rule is configured to remove up to 2 prefix or suffix characters, then:

  • The following passwords are rejected: curity, cuRIty12, 21ytiruc, !curity.
  • The following passwords are accepted: password, curity123, XYZcurity, 1curity2.
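The matching logic described above, as an added Python illustration (this is not Curity's own implementation; the dictionary entries are constructed for the example, and the prefix/suffix stripping is interpreted as "from the start or from the end, not both at once", which is what the worked example implies):

```python
# Added illustration of the Dictionary rule's matching logic as described on this page.
# Not the product's code; the dictionary content below is constructed for the example.
from typing import Set

# Constructed sample dictionary. The real file is $IDSVR_HOME/etc/password-dictionary.txt
# and is shared by every policy that enables this rule.
SAMPLE_DICTIONARY = """
curity
welcome
"""


def load_dictionary(text: str) -> Set[str]:
    """One entry per line; all checks are case insensitive, so normalise to lower case."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


DICTIONARY = load_dictionary(SAMPLE_DICTIONARY)


def candidate_values(password: str, max_strip: int) -> Set[str]:
    """Every variation the rule compares against the dictionary (cumulative):
    the password and its reverse, each with up to max_strip characters removed
    from the start OR from the end (not both at once), all lower-cased."""
    candidates = set()
    for base in (password, password[::-1]):
        for k in range(0, max_strip + 1):
            if k < len(base):  # never produce an empty candidate
                candidates.add(base[k:])               # k characters removed from the start
                candidates.add(base[:len(base) - k])   # k characters removed from the end
    return {c.lower() for c in candidates}


def is_rejected(password: str, max_strip: int = 0, dictionary: Set[str] = DICTIONARY) -> bool:
    """True if the rule would reject this new password (a variation is in the dictionary)."""
    return any(c in dictionary for c in candidate_values(password, max_strip))


if __name__ == "__main__":
    # Reproduces the page's worked example: dictionary contains "curity", strip up to 2.
    for pw in ["curity", "cuRIty12", "21ytiruc", "!curity",
               "password", "curity123", "XYZcurity", "1curity2"]:
        print(f"{pw:>10}: {'rejected' if is_rejected(pw, max_strip=2) else 'accepted'}")
```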

Managing Rules State

System administrators may modify the state of a user’s credential policy rules via the User Management GraphQL API.

This allows, for example, clearing the history of passwords for a particular user, removing/updating the user’s password age, or explicitly forcing the user to reset their password.
