tutorial:adm:password_policy

Passwords - policies and their configuration

A password policy determine, which rules must be met by new passwords either changed by users or generated by CzechIdM itself.

A new password policy can be created in the tab Settings → Password policies.

There, in the table on the right, there is a list of created policies. A new policy is created by clicking on the green button Add.

The following basic attributes of a password policy can be filled in:

  • Type – CzechIdM allows defining 2 policy types for passwords used by users in CzechIdM and connected systems.
    • Validation – This policy is used when a password (in CzechIdM or a password to an administered system supporting the setting of password) is set or changed, e.g., when a user performs a password change in the GUI of CzechIdM.
    • Generation – This policy is applied when the user sets or changes the password using the password generator in CzechIdM, i.e. the user lets CzechIdM to generate the password according to this policy.
  • Name – the desired name of the policy. This name is displayed in the settings of the systems where the policy is to be applied.
  • Inactive – An inactive policy is not offered in the system configuration.
  • Standard policy – The standard policy is used for password validation against the CzechIdM system and it also validates all passwords on systems where no other policy is defined.
  • Description – optional description of the policy. It is convenient to summarize the basic policy rules in it.
  • Type of generating - can be chosen from these types: random, passphrase and prefix/suffix
    • Random - random generated password,
    • Passphrase - random generated words by internal dictionary.
  • Minimum length – determines the minimum number of characters in a password
  • Maximum length – determines the maximum number of characters in a password
  • Prefix - prefix is a string that will be added at the beginning of a newly generated password. Beware that final length and another settings may be not passed with password policy settings.
  • Suffix - suffix is a string that will be added at the end of a newly generated password. Beware that final length and another settings may be not passed with password policy settings.
  • Minimum number of uppercase letters – determines the number of upper-case characters which the password must contain. The set of characters is defined in the tab Characters.
  • Minimum number of lowercase letters – determines the number of lower-case characters which the password must contain. The set of characters is defined in the tab Characters.
  • Minimum number of digits - determines the number of numerals which the password must contain. The set of characters is defined in the tab Characters.
  • Minimum of special characters - The set of characters is defined in the tab Characters.
  • Maximum time for password change – The number of days of password validity. This attribute is important mainly in the Standard policy, which is applied for CzechIdM
  • Minimum number of days for password validity. The number of days when the password cannot be changed. Sparsely used option.

The policy can be saved by clicking Save and continue, or advanced options can be set in the form menu Enhanced control, where the following options can be set:

  • Enabled – enables the whole form for extended checking
  • Requirement checkboxes – contains a set of 5 checkboxes. Every checked checkbox must be always fulfilled. If an option is not checked, then the item is counted in the next point.
  • Minimum number of additional rules for policy – If a number is defined, then the minimum number of rules fulfilled must be the same as the number of those which were not marked as required in the previous point. For example, if all the 5 checkboxed required are checked and the value of 4 is filled in this box, then the password must fulfill at least 4 out of the 5 rules.
  • User attributes not allowed in password – In this box, you can select user’s attributes which will be checked for similarity with the password. For example, if the attribute user name is set, then the user’s password must not contain his login.

In the tab Characters, there are sets of characters for individual groups – lower-case characters, upper-case characters, numerals, special characters.

In addition, it can be set here which characters will be forbidden in the policy. This is important mainly for policies of password generation. Also, automatically generated passwords are usually sent by SMS or mails and the way some characters are displayed can confuse the user, e.g., similarities of ‘I’ and ‘l’ or ‘,’ and ‘.’. Sometimes it is convenient to prohibit also characters ‘y’ and ‘z’ for generating due to different layouts of users’ keyboards.

In the last tab Connected systems, you can see a list of systems where the policy is currently set.

Be careful if the policy is set to be a Standard policy, it is then applied in all locations where there is no other policy, i.e. this list can be empty yet the policy is still applied on some systems.

The preparation of a password policy was introduced in the previous section. If a policy has been marked as a Standard policy, then this policy is now active for both CzechIdM and all administered systems where a policy has not been chosen yet.

Otherwise, a policy needs to be set for the system. This is done in the system detail. The detail can be accessed via the menu Connected systems → system detail (magnifying glass) → Basic information where password policies can be selected.