Password expiry detection
Bravura Security Fabric can detect when users’ passwords are about to expire on some target systems. It can also keep track of when their passwords will expire based on the last time the passwords were changed and Bravura Security Fabric password policies. Based on these criteria, Bravura Security Fabric can determine that it is time for users to change their passwords.
Note
If both the target system's Check password expiry option and the Bravura Security Fabric password policy rule "password must be changed every N days" are in effect, the earliest of the resulting expiry times is used.
Bravura Security Fabric informs users of the upcoming expiry and asks them to change all their passwords using Bravura Security Fabric, rather than changing individual passwords on the target systems as they expire. Bravura Security Fabric notifies users either by email or by opening the user's browser to an informative page during network login.
Initial considerations
To determine the best solution for expiry notification, answer the following questions:
Where is the expiry information coming from?
You can gather a list of soon-to-expire users from:
One or more target systems
In most environments, password aging is already implemented on one or more target systems. Using target systems as the source means that users' existing expiry schedules will not be interrupted.
The Bravura Security Fabric database
The Bravura Security Fabric password policy rule "password must be changed every N days" is enabled to expire passwords.
Both target systems and the Bravura Security Fabric database.
For example, configure the Bravura Pass password policy to expire passwords every 80 days and – if required – adjust the password policy on integrated systems to expire passwords every 90 days. This way, Bravura Pass passwords will expire first and users will never see the expiry warnings from individual systems and applications.
Alternately, if feasible, set Bravura Pass password expiry to 90 days and modify expiry on all integrated systems to 100 days. This allows a typical organization to retain a 90 day expiry period overall, but involves a bit more change control on existing systems.
How do you want to notify users?
You can configure Bravura Security Fabric to:
Automatically open a browser at the Bravura Security Fabric web site when a user first logs in.
Send all users whose passwords are about to expire a batch email.
Take some other action.
If password expiry is enabled on users’ primary login operating system – for example, Active Directory – it is recommended that you do not configure Bravura Security Fabric to notify users whose password has already expired. This could lead to a situation where a user logs in and receives an expiry notification from the operating system, then changes his password using the operating system’s native method. Once logged in, the user would receive a Bravura Security Fabric notification to change a password he’s already changed. It is also recommended that transparent password synchronization is implemented in this case.
Best practice
Configure Bravura Pass to monitor upcoming password expiry on all systems. At a minimum, send email reminders to users asking them to change their soon-to-expire password. Include a link to the Bravura Pass URL in these emails.
Password expiry emails should be sent to users 10, 5, 3, 2 and 1 days before the current password expires.
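The following is an added illustration, not code from Bravura Security Fabric: it models the earliest-expiry rule from the note above (target-reported expiry versus last change plus N days), skips already-expired users as recommended, and selects which users are due a reminder on the 10/5/3/2/1-day schedule. Field names such as target_expiry, last_changed and max_age_days and the sample users are assumptions constructed for the example.

```python
from datetime import date, timedelta
from typing import Optional

# Best-practice reminder schedule from the page: days before expiry on which to email
REMINDER_DAYS = (10, 5, 3, 2, 1)

def policy_expiry(last_changed: Optional[date], max_age_days: Optional[int]) -> Optional[date]:
    """Expiry implied by the 'password must be changed every N days' rule;
    None when the rule is off or the last change date is unknown."""
    if last_changed is None or max_age_days is None:
        return None
    return last_changed + timedelta(days=max_age_days)

def effective_expiry(target_expiry: Optional[date], last_changed: Optional[date],
                     max_age_days: Optional[int]) -> Optional[date]:
    """Combine the expiry reported by the target system (Check password expiry)
    with the policy-derived expiry; when both exist, the earliest wins."""
    candidates = [d for d in (target_expiry, policy_expiry(last_changed, max_age_days)) if d]
    return min(candidates) if candidates else None

def reminder_days_left(expiry: Optional[date], today: date) -> Optional[int]:
    """Days remaining if today is a reminder day for this expiry, else None.
    Already-expired passwords (negative days) are never reported, per the
    recommendation not to notify users whose OS password has already expired."""
    if expiry is None:
        return None
    days_left = (expiry - today).days
    return days_left if days_left in REMINDER_DAYS else None

def batch_reminders(users, today: date):
    """Return [(user, days_left), ...] for everyone due an email today."""
    due = []
    for u in users:
        exp = effective_expiry(u.get("target_expiry"), u.get("last_changed"), u.get("max_age_days"))
        days = reminder_days_left(exp, today)
        if days is not None:
            due.append((u["user"], days))
    return due

# Constructed sample data (not product output); "today" is taken as 2024-03-01
SAMPLE_USERS = [
    # target says Mar 6, policy (Dec 12 + 90d) says Mar 11: earliest wins, 5 days out
    {"user": "alice", "target_expiry": date(2024, 3, 6), "last_changed": date(2023, 12, 12), "max_age_days": 90},
    # no target-side expiry; policy (Feb 10 + 30d) gives Mar 11, 10 days out
    {"user": "bob", "target_expiry": None, "last_changed": date(2024, 2, 10), "max_age_days": 30},
    # expired on Feb 28: skipped, the OS will already have prompted this user
    {"user": "carol", "target_expiry": date(2024, 2, 28), "last_changed": None, "max_age_days": 90},
    # 7 days out is not on the reminder schedule: nothing sent today
    {"user": "dave", "target_expiry": date(2024, 3, 8), "last_changed": None, "max_age_days": 90},
]
```

Running batch_reminders(SAMPLE_USERS, date(2024, 3, 1)) yields alice at 5 days and bob at 10 days; carol (expired) and dave (7 days, off-schedule) get nothing.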