

Set Password Restrictions

You can place restrictions on password usage. The restrictions include how long a user must wait before reusing a password and how different the password must be from ones previously selected. You can also prevent users from specifying words that you determine are a security risk or contain personal information.

Note: This setting requires additional configuration. See Enable Additional Password Policies.

The Restriction section includes the following fields:

Minimum number of days before reuse

Determines how many days a user must wait before reusing a password.

Minimum number of passwords before reuse

Determines how many passwords must be used before a password can be reused.

Note: If you specify both a length of time and a number of passwords, both criteria must be satisfied before a password can be reused. For example, you can configure a password policy that requires users to wait 365 days and specify 12 passwords before reusing a password. After a year, if only six passwords have been used, another six must be used before the user can reuse the first password.

Percent different from last password

Specifies the percentage of characters in a new password that must differ from the previous password. You can set the value to 100. In this case, the new password cannot contain characters that were in the previous password.

Ignore sequence when checking for differences

Ignores the position of the characters in the password when determining the percentage.

For example, if the initial password is BASEBALL12 and the Ignore sequence when checking for differences check box is selected, 12BASEBALL is not acceptable. With the check box deselected, 12BASEBALL is an acceptable password because each letter occurs in a different position.

For increased security, select the Ignore sequence when checking for differences check box.

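Passwords                      Percent different   Ignore sequence   Accepted

BASEBALL12 (Old), 12BASEBALL   0                   Selected          Y
BASEBALL12 (Old), 12BASEBALL   0                   Deselected        Y
BASEBALL12 (Old), 12BASEBALL   100                 Selected          N
BASEBALL12 (Old), 12BASEBALL   100                 Deselected        Y
BASEBALL12 (Old), 12SOFTBALL   0                   Selected          Y
BASEBALL12 (Old), 12SOFTBALL   0                   Deselected        Y
BASEBALL12 (Old), 12SOFTBALL   90                  Selected          N
BASEBALL12 (Old), 12SOFTBALL   90                  Deselected        Y
BASEBALL12 (Old), 12SOFTBALL   100                 Selected          N
BASEBALL12 (Old), 12SOFTBALL   100                 Deselected        N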
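
The following Python sketch is an added example, not CA Identity Manager code. It shows one comparison rule that reproduces every row of the table above. The function names, the case-sensitive comparison and the counting rule are assumptions, because the product's exact algorithm is not given here.

```python
from collections import Counter

def percent_different(old: str, new: str, ignore_sequence: bool) -> float:
    """Percentage of characters in `new` that differ from `old` (assumed rule)."""
    if not new:
        return 0.0
    if ignore_sequence:
        # Position is ignored: a character of `new` counts as reused when an
        # unmatched copy of it exists anywhere in `old`.
        remaining = Counter(old)
        same = 0
        for ch in new:
            if remaining[ch] > 0:
                remaining[ch] -= 1
                same += 1
    else:
        # Position matters: only the same character at the same index is reused.
        same = sum(1 for a, b in zip(old, new) if a == b)
    return 100.0 * (len(new) - same) / len(new)

def accepted(old: str, new: str, required_percent: int, ignore_sequence: bool) -> bool:
    """True when the new password meets the Percent different threshold."""
    return percent_different(old, new, ignore_sequence) >= required_percent

# Rows from the table: (new password, percent different, Selected, Deselected)
OLD = "BASEBALL12"
TABLE = [
    ("12BASEBALL", 0, True, True),
    ("12BASEBALL", 100, False, True),
    ("12SOFTBALL", 0, True, True),
    ("12SOFTBALL", 90, False, True),
    ("12SOFTBALL", 100, False, False),
]

def table_mismatches() -> list:
    """Return the table rows this rule fails to reproduce (expected: none)."""
    bad = []
    for new, pct, want_selected, want_deselected in TABLE:
        got = (accepted(OLD, new, pct, True), accepted(OLD, new, pct, False))
        if got != (want_selected, want_deselected):
            bad.append((new, pct, got))
    return bad

if __name__ == "__main__":
    for new, pct, *_ in TABLE:
        print(new, pct, accepted(OLD, new, pct, True), accepted(OLD, new, pct, False))
    print("mismatches:", table_mismatches())
```

Under this rule 12SOFTBALL is 90 percent different by position (only the S in the third position repeats) but 30 percent different when sequence is ignored, which is why the Selected setting rejects it at a threshold of 90.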

Profile Attributes

Configuring the Match Length field prevents users from using personal information in their passwords. The Match Length field determines the minimum sequence length the password policy compares to attributes in the directory entry. For example, if this value is set to four, CA Identity Manager verifies that the password does not include the last four characters of the user profile attributes, such as last name or telephone number.

Dictionary

Specifies a list of strings that cannot be used in passwords.

Note: A carriage return follows the last line of the dictionary entry.

The Dictionary settings include the following fields: