A password policy is a set of rules defining what sequence of characters constitutes an acceptable password. Acceptable passwords generally are too complex for users or automated programs to generate or guess.
Password policies set requirements for password length, character sets that passwords must contain, dictionary words and other values that passwords must not contain. Password policies also require that users not reuse old passwords, and that users change their passwords on a regular basis.
OpenIDM enforces password policy rules as part of the general policy service. For more information about the policy service, see Using Policies to Validate Data. The default password policy applies the following rules to passwords as they are created and updated:
-
A password property is required for any user object.
-
The value of a password cannot be empty.
-
The password must include at least one capital letter.
-
The password must include at least one number.
-
The minimum length of a password is 8 characters.
-
The password cannot contain the user name, given name, or family name.
You can remove these validation requirements, or include additional requirements, by configuring the policy for passwords. For more information, see Configuring the Default Policy.
The password validation mechanism can apply in many situations.
- Password change and password reset
-
Password change involves changing a user or account password in accordance with password policy. Password reset involves setting a new user or account password on behalf of a user.
By default, OpenIDM controls password values as they are provisioned.
To change the default administrative user password,
openidm-admin, see the procedure, To Replace the Default User and Password, for instructions. - Password recovery
-
Password recovery involves recovering a password or setting a new password when the password has been forgotten.
OpenIDM provides a self-service end user interface for password changes, password recovery, and password reset. For more information, see Managing Passwords With the UI.
- Password comparisons with dictionary words
-
You can add dictionary lookups to prevent use of password values that match dictionary words.
- Password history
-
You can add checks to prevent reuse of previous password values
- Password expiration
-
You can configure OpenIDM to call a workflow that ensures users are able to change expiring or to reset expired passwords.
