
Example: Detect soon-to-expire passwords

This example shows you how to configure Bravura Security Fabric to detect password expiry on an Active Directory target system.

If both target password expiry and Bravura Security Fabric password history are in effect, the earliest expiry time is used.

Requirements

This example assumes that:

  • Bravura Security Fabric and Connector Pack are installed.

  • An Active Directory target system is added as a source of profiles.

Click below to view a demonstration including the following steps:

  • Setting the superuser account password to never expire.

  • Configuring Bravura Pass to detect when passwords expire on an Active Directory target system using target system settings.

  • Configuring password expiry detection on Bravura Pass profiles using product password policy settings.

Use target system policy to record expiry

To use the target system policy:

  1. Log in to Bravura Security Fabric as superuser.

  2. Click Manage the system > Resources > Target systems > Manually defined.

  3. Select the Active Directory target system.

  4. Ensure that the Check password expiry box is selected.

For each target system with the Check password expiry setting enabled, Bravura Security Fabric records the password expiration date/time, and the last password change, during auto discovery.

Set Bravura Pass password policy to use history rules

Configure password expiry policy based on the last time users changed their password using Bravura Security Fabric.

A particularly useful strength rule, not be an old password, prevents or warns users against reusing old passwords. This ensures that if a user’s password was divulged in the past, it will not constitute a threat in the future. See Prevent users from re-using old passwords.

To set rules for password history:

  1. Log in to Bravura Security Fabric as superuser.

  2. Click Manage the system > Policies > Password policies.

  3. Select the DEFAULT policy.

  4. Click the Password policy tab for the default password policy.

  5. Set not be an old password to "Required".

  6. Set password must be changed every N days to "Enabled" and type 42.

    This value matches the default Active Directory password expiry setting (see the note below).

  7. Set allow reuse of old passwords after N days to "Enabled" and type 420.

    This value matches the default Active Directory setting.

  8. Click Update.
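
To confirm that the value typed in step 6 agrees with the domain, and to see which accounts expiry detection should report, the following PowerShell check can be run from a domain-joined host. It is an added example, not part of the Bravura documentation; it uses Microsoft's ActiveDirectory module, and the 14-day window and the variable names are assumptions.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$policyDays = 42   # value typed in step 6 of the procedure above
$warnDays   = 14   # assumed reporting window; adjust to your own notification lead time

# 1. Compare the domain's maximum password age with the product policy value.
$domainDays = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
if ($domainDays -ne $policyDays) {
    Write-Warning "Domain MaxPasswordAge is $domainDays days; product policy is $policyDays days."
}

# 2. List enabled accounts whose passwords expire within the window.
$now    = Get-Date
$cutoff = $now.AddDays($warnDays)
$never  = [Int64]::MaxValue   # AD returns this when the password never expires

Get-ADUser -Filter 'Enabled -eq $true' `
           -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # Skip accounts with no computed expiry (null or 0) and never-expiring accounts.
        if (-not $raw -or $raw -eq $never) { return }

        $expires = [datetime]::FromFileTime($raw)
        if ($expires -gt $now -and $expires -le $cutoff) {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                PasswordLastSet = $_.PasswordLastSet
                Expires         = $expires
                DaysLeft        = [math]::Floor(($expires - $now).TotalDays)
            }
        }
    } |
    Sort-Object Expires
```

The per-user `msDS-UserPasswordExpiryTimeComputed` attribute reflects any fine-grained password policy applied to the account, whereas `Get-ADDefaultDomainPasswordPolicy` reports only the domain default, so the two can legitimately differ for some users.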
