10.2.1.2. Password policies

Password policies limit the set of acceptable passwords with the aim of maximizing password security while keeping usability at a reasonable level.

Password policy checks

IAM can check passwords for the following properties:

  • Length (minimum and maximum)
  • Allowed, forbidden and required sets of characters
  • Minimum password age (to prevent too frequent password changes)
  • How easy passwords are to guess
  • Password history
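
The following added example (not IAM's implementation or configuration format) shows how the listed checks can be combined into one validation step, including a history check against salted hashes. The names `Policy`, `hash_pw` and `violations`, all thresholds, and the use of a deny-list to approximate "easy to guess" are assumptions made for illustration.

```python
import hashlib
import hmac
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """Hypothetical policy object; all values are constructed samples."""
    min_len: int = 10
    max_len: int = 64
    allowed: str = string.ascii_letters + string.digits + string.punctuation
    forbidden: str = "'\""
    required: tuple = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    min_age_s: int = 24 * 3600
    history_size: int = 3
    denylist: tuple = ("password", "letmein", "qwerty")

def hash_pw(password: str, salt: bytes) -> bytes:
    # History entries are stored as salted hashes, never as plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def violations(policy, candidate, history, last_change, now):
    """history: [(salt, hash), ...] newest first; times in epoch seconds."""
    found = []
    if not policy.min_len <= len(candidate) <= policy.max_len:
        found.append("length")
    if any(c not in policy.allowed or c in policy.forbidden for c in candidate):
        found.append("character_not_allowed")
    if any(not set(candidate) & set(group) for group in policy.required):
        found.append("required_characters_missing")
    if now - last_change < policy.min_age_s:
        found.append("minimum_age")
    if any(word in candidate.lower() for word in policy.denylist):
        found.append("easy_to_guess")
    # Re-hash the candidate with each stored salt; compare in constant time.
    for salt, stored in history[:policy.history_size]:
        if hmac.compare_digest(hash_pw(candidate, salt), stored):
            found.append("history")
            break
    return found

if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample; use os.urandom(16) in practice
    old = [(salt, hash_pw("Winter2023Sun!", salt))]
    print(violations(Policy(), "Winter2023Sun!", old, 0, 90_000))  # reuse of old password
    print(violations(Policy(), "letmein1", old, 0, 3_600))         # several violations
```

Returning every violation at once, rather than stopping at the first, lets a change or registration form tell the user everything that needs fixing in one round trip.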

Password policy enforcement

Password policies can be enforced in the following situations:

  • User self-registration
  • Password change (voluntary or mandatory)
  • Password-reset self-service
  • Password generation
  • Login: users may be forced to change their password if it no longer meets the policy.

Password policy configuration

Password policies can be configured in different ways:

  • Using the Simple Password Policy plugin: allows configuring the most common password policy checks.
  • Using the Customizable Password Policy plugin: allows flexible, arbitrary combinations of policy checks.
  • Using the Active Directory Password Policy plugin: the password policy is enforced by an external MSAD.