
Password policies

Password validation and generation depends entirely on the CzechIdM system. In the CzechIdM system, two kinds of policy may exist:

  1. for password validation,
  2. for password generation.

Note that password policies of the type GENERATE are used only for generating passwords. For the maximum/minimum password age, use a validation policy.

Policies and systems

Every system may have two policies - one for generation, and one for validation. If any of the two policies is missing, it is replaced by the standard policy of the CzechIdM system.

When creating a new account in the system, a new password is generated using the generation policy. After the account is successfully created, the password is sent in a notification to the user (by SMS, e-mail, …). Sending of this notification can be disabled by disabling the appropriate processor, i.e. setting the application property idm.sec.acc.processor.provisioning-send-notification-processor.enabled=false.

When changing the password for systems, including the CzechIdM system itself, their validation policies are used. If a system has no validation policy, the standard validation policy is used; if there is no standard validation policy either, the password is always valid (see Standard policy for validation below).

Standard policies

One standard policy in CzechIdM

Each has its own specifications. In the whole CzechIdM, only one standard (default) policy of each kind may exist (generation/validation). When marking another policy as standard, the standard status of the previous standard policy will be canceled.

Separate policies for systems

Policies may be set separately for every system.

Standard policy for validation

If there is a standard validation policy in the CzechIdM system, it is used for password validation against the CzechIdM system and for all the other systems with no determined policy.

If a standard validation policy does not exist, validation of new passwords is turned off and passwords are always valid. Also, the "valid till" attribute is not filled.

Standard validation policy lets you validate your new password against “x” previous passwords, meaning the new one shouldn’t resemble these. Users with APP_ADMIN permission can skip this check.

Standard policy for password generation

The standard policy for password generation is primarily intended only for the generation of passwords used when setting up new identities in the CzechIdM system through the form. If no generation policy exists, a random password of 8 characters is generated.

Password generation

The CzechIdM system offers two possibilities of password generation: random and passphrase. Password generation takes place when creating a new user in the CzechIdM system. The password can be generated again using a checkbox.

Validation

When changing the password for one or more systems, the password is validated against all the found policies. If one policy is shared by several systems, only one validation takes place. When the password complies with all the validation rules, it is changed on all the marked systems. In case of non-compliance, a validation message is displayed - see further below.

The password is validated through policies and it always needs to comply with the highest (maximum) requirements, i.e. minimum number of characters, maximum number of characters, minimum number of digits, minimum number of upper-case characters, minimum number of special characters. In case the requirements of two policies turn out to be contradictory (e.g. the minimum number of characters of one policy is higher than the maximum number of characters of another policy), so that the password WILL NEVER BE marked as valid, it is the task of the CzechIdM system administrator to remedy the situation.

The change of password can also be impossible due to minimum validity of the password - this piece of information is verified when validating the password.
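The merging of several policies into one strictest requirement set, the detection of a contradictory combination, and the minimum-validity check described above, as an added illustration in Python. This is not CzechIdM's own code: the `PasswordPolicy` fields, the `validate` function and the sample policies are constructed for this example and are not the product's configuration keys or API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed model of a validation policy's basic limits. The field names are
# this example's own and are not CzechIdM configuration keys.
@dataclass
class PasswordPolicy:
    name: str
    min_length: int = 0
    max_length: Optional[int] = None   # None = no upper bound
    min_digits: int = 0
    min_upper: int = 0
    min_special: int = 0
    min_age_days: int = 0              # minimum validity before the next change

SPECIAL_CHARS = set("!@#$%^&*()_+-=[]{};:'\",.<>/?\\|`~")

def merge_policies(policies: List[PasswordPolicy]) -> PasswordPolicy:
    """Fold all found policies into the single strictest requirement set.

    Every lower bound becomes the maximum over all policies; the only upper
    bound (max_length) becomes the minimum, so the result is as demanding
    as the most demanding policy in every dimension.
    """
    merged = PasswordPolicy(name="merged")
    for p in policies:
        merged.min_length = max(merged.min_length, p.min_length)
        merged.min_digits = max(merged.min_digits, p.min_digits)
        merged.min_upper = max(merged.min_upper, p.min_upper)
        merged.min_special = max(merged.min_special, p.min_special)
        merged.min_age_days = max(merged.min_age_days, p.min_age_days)
        if p.max_length is not None:
            merged.max_length = (p.max_length if merged.max_length is None
                                 else min(merged.max_length, p.max_length))
    return merged

def is_contradictory(policy: PasswordPolicy) -> bool:
    """True when no password can ever satisfy the merged requirements.

    This is the situation the text describes: one policy's minimum length
    exceeds another's maximum, so the administrator has to fix the policies.
    """
    if policy.max_length is None:
        return False
    if policy.min_length > policy.max_length:
        return True
    # character-class minimums alone already need more characters than allowed
    return policy.min_digits + policy.min_upper + policy.min_special > policy.max_length

def validate(password: str, policies: List[PasswordPolicy],
             last_change: Optional[datetime] = None,
             now: Optional[datetime] = None) -> List[str]:
    """Validate once against the merged policy; return violation messages
    (an empty list means the password is valid for all marked systems)."""
    merged = merge_policies(policies)
    if is_contradictory(merged):
        return ["policies are contradictory: no password can be valid, "
                "contact the CzechIdM administrator"]
    now = now or datetime.now()
    errors = []
    # minimum validity of the current password is checked as part of validation
    if last_change is not None and merged.min_age_days > 0:
        earliest = last_change + timedelta(days=merged.min_age_days)
        if now < earliest:
            errors.append(f"password cannot be changed before {earliest:%Y-%m-%d}")
    if len(password) < merged.min_length:
        errors.append(f"at least {merged.min_length} characters required")
    if merged.max_length is not None and len(password) > merged.max_length:
        errors.append(f"at most {merged.max_length} characters allowed")
    if sum(c.isdigit() for c in password) < merged.min_digits:
        errors.append(f"at least {merged.min_digits} digit(s) required")
    if sum(c.isupper() for c in password) < merged.min_upper:
        errors.append(f"at least {merged.min_upper} upper-case character(s) required")
    if sum(c in SPECIAL_CHARS for c in password) < merged.min_special:
        errors.append(f"at least {merged.min_special} special character(s) required")
    return errors

# Constructed sample: the default policy plus a stricter one for one system.
DEFAULT_POLICY = PasswordPolicy("default", min_length=8, min_digits=1)
HR_SYSTEM_POLICY = PasswordPolicy("hr-system", min_length=10, max_length=20,
                                  min_upper=2, min_special=1, min_age_days=2)

if __name__ == "__main__":
    print(validate("Abc12345", [DEFAULT_POLICY, HR_SYSTEM_POLICY]))
    print(validate("ABcdefgh1!", [DEFAULT_POLICY, HR_SYSTEM_POLICY]))
```

Because validation runs once against the merged policy, a password that passes is guaranteed to satisfy every individual policy, which is what allows one change to be pushed to all marked systems; `is_contradictory` is the check an administrator would want to run after editing policies, before users hit a change that can never succeed.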

Advanced password control

As a part of the password check, it is possible to turn on an advanced check. Within the advanced check, you can set which identity attributes (PasswordPolicyIdentityAttributeEnum) are verified for the similarity of passwords - e.g. when there is a correspondence between the name and the password, the password is marked as invalid.

Mandatory rules

The main part of the advanced check of the password is the option to set up which of the rules are mandatory, and which are not. The control mechanism is as follows:

To each of the rules (see the rules list below), you may assign a flag saying whether the rule is mandatory or not. If the rule is marked as mandatory, it must always be satisfied. If the rule is not mandatory, the number of satisfied optional rules must be greater than or equal to the policy's minimum number of optional rules for the password to comply with the policy. For a better understanding, you can read the description of the following UseCase, including the settings.

UseCase

The administrator of the CzechIdM system has set up that the passwords must always include at least one number and the number of password characters must be exactly 8. Then the password must contain one special character, or two upper-case characters - it doesn't matter which one of the two rules is met.

Basic policy settings:

To satisfy the requirement of the password having at least one special character, OR two upper-case characters, an advanced check with the following settings will be used:

The validation messages for an unmet advanced check of the password look as follows:
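The mandatory/optional rule mechanism and the identity-attribute similarity check, applied to the UseCase above, as an added Python illustration. This is not CzechIdM's code: the `Rule` and `AdvancedPolicy` classes, the attribute names `username`, `firstName` and `lastName`, the sample identity and the wording of the messages are all constructed for this example; the attribute names are not the values of PasswordPolicyIdentityAttributeEnum.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

SPECIAL_CHARS = set("!@#$%^&*()_+-=[]{};:'\",.<>/?\\|`~")

# Constructed representation of one advanced-check rule: a predicate over the
# password plus the flag saying whether the rule is mandatory.
@dataclass
class Rule:
    name: str
    check: Callable[[str], bool]
    mandatory: bool

@dataclass
class AdvancedPolicy:
    rules: List[Rule]
    min_optional_rules: int          # how many optional rules must hold
    similarity_attributes: List[str]  # identity attributes checked for similarity

def matching_identity_attributes(password: str, identity: Dict[str, str],
                                 attributes: List[str]) -> List[str]:
    """Return the attributes whose value occurs in the password (case-insensitive).

    Values shorter than three characters are ignored so that initials do not
    reject every password; this threshold is this example's own choice.
    """
    lowered = password.lower()
    return [a for a in attributes
            if identity.get(a) and len(identity[a]) >= 3 and identity[a].lower() in lowered]

def advanced_check(password: str, policy: AdvancedPolicy,
                   identity: Dict[str, str]) -> List[str]:
    """Evaluate the similarity check, the mandatory rules and the optional-rule
    minimum; return the validation messages (empty list = password accepted)."""
    messages = []
    for attr in matching_identity_attributes(password, identity, policy.similarity_attributes):
        messages.append(f"password must not contain the identity attribute '{attr}'")
    # every mandatory rule must hold on its own
    for rule in policy.rules:
        if rule.mandatory and not rule.check(password):
            messages.append(f"mandatory rule not met: {rule.name}")
    # optional rules are counted, and the count must reach the policy minimum
    optional = [r for r in policy.rules if not r.mandatory]
    met = sum(1 for r in optional if r.check(password))
    if met < policy.min_optional_rules:
        names = " / ".join(r.name for r in optional)
        messages.append(f"at least {policy.min_optional_rules} of the optional rules "
                        f"must be met ({names}); met: {met}")
    return messages

# The UseCase from the text as constructed settings: exactly 8 characters and
# at least one digit are mandatory; "one special character OR two upper-case
# characters" is two optional rules with a minimum of one.
USECASE_POLICY = AdvancedPolicy(
    rules=[
        Rule("exactly 8 characters", lambda p: len(p) == 8, mandatory=True),
        Rule("at least one digit", lambda p: any(c.isdigit() for c in p), mandatory=True),
        Rule("at least one special character",
             lambda p: any(c in SPECIAL_CHARS for c in p), mandatory=False),
        Rule("at least two upper-case characters",
             lambda p: sum(c.isupper() for c in p) >= 2, mandatory=False),
    ],
    min_optional_rules=1,
    similarity_attributes=["username", "firstName", "lastName"],
)

# Constructed sample identity used for the similarity check.
SAMPLE_IDENTITY = {"username": "jnovak", "firstName": "Jan", "lastName": "Novak"}

if __name__ == "__main__":
    for candidate in ("abcdef1!", "ABcdef12", "abcdefg1", "abcdefgh", "Novak12!"):
        print(candidate, advanced_check(candidate, USECASE_POLICY, SAMPLE_IDENTITY))
```

Expressing "A or B" as two optional rules with `min_optional_rules=1` is the general form of the UseCase: raising the minimum to 2 turns the same two rules into "A and B" without touching the rule definitions, which is why the mandatory flag and the minimum count are kept separate.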

Password change & old password

When users want to change their password in IdM, they are required to fill in their old password (unless the configuration attribute requireOldPassword is set differently, see below). It is possible that their local password in CzechIdM differs from their password in the end systems. In that case, users must use the password that satisfies the authentication chain (the same authentication chain that is used during authentication - same rules, same order of processing). If the (old) password is validated successfully, users can change their password.

The configuration attribute idm.pub.core.identity.passwordChange.requireOldPassword= determines whether the users are required to fill in the old password when changing their password. The possible values are: