Global (default) password policy
A global password policy provides the clearest and most understandable experience to users.
Essentially, a global password policy strikes a bargain with users – only one password to remember, and they can easily change it without calling the help desk; in exchange the password will be more complex and they will have to change it more often.
When Bravura Security Fabric is configured to enforce a global password policy, it will never accept or attempt to propagate a password unless it meets the strength rules set in the policy. By combining the requirements from each system affected by a global policy, Bravura Security Fabric forces users to select passwords that are accepted on every system. For instance, in the case of an organization where users may enter very long passwords on Active Directory but only 8 characters on an OS/390 mainframe, Bravura Security Fabric can require that passwords be 8 characters long, at most. Alternatively, Bravura Security Fabric can support longer passwords, but truncate them when it updates the mainframe. Users generally prefer the maximum length rule, as it is easier to understand than automatic truncation.
In general, systems enforce one of three types of password rules:
Complexity requirements ensure that users do not select easily-guessed passwords. Example rules are: disallowing any permutation of the user’s login ID, password history, requiring mixed letters and digits, forbidding dictionary words, etc.
Representational constraints limit what can be physically stored in a password field on a given system. Usually there are just two such rules: maximum length and allowable character set.
Historical constraints. Examples include maximum and minimum password age, and the number of passwords or days after which a password may be repeated.
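The sketch below shows how per-system representational rules can be combined into one global rule set, and how the truncation alternative has to be checked. It is an added example, not Bravura Security Fabric code or its API; the `Rules` type, the function names and every sample limit except the mainframe's 8-character maximum are assumptions made for illustration.

```python
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class Rules:
    name: str
    min_len: int
    max_len: int
    charset: frozenset

# Constructed sample limits; only the mainframe's 8-character maximum comes from the text.
AD = Rules("Active Directory", 8, 127,
           frozenset(string.ascii_letters + string.digits + string.punctuation))
MAINFRAME = Rules("OS/390", 6, 8,
                  frozenset(string.ascii_letters + string.digits + "@#$"))

def merge(systems):
    """Take the strictest rule of each kind: a password that passes the result passes everywhere."""
    merged = Rules("global",
                   max(s.min_len for s in systems),   # longest minimum wins
                   min(s.max_len for s in systems),   # shortest maximum wins
                   frozenset.intersection(*(s.charset for s in systems)))
    if merged.min_len > merged.max_len or not merged.charset:
        raise ValueError("no password can satisfy every target system")
    return merged

def violations(password, rules):
    """Return the reasons a password breaks the rules (empty list means accepted)."""
    found = []
    if len(password) < rules.min_len:
        found.append(f"{rules.name}: shorter than {rules.min_len}")
    if len(password) > rules.max_len:
        found.append(f"{rules.name}: longer than {rules.max_len}")
    bad = sorted(set(password) - rules.charset)
    if bad:
        found.append(f"{rules.name}: characters not allowed: {''.join(bad)}")
    return found

def violations_with_truncation(password, long_sys, short_sys):
    """Truncation alternative: long_sys gets the full password, short_sys only a prefix."""
    prefix = password[:short_sys.max_len]
    # The prefix is what the short system actually stores, so it must pass on its own.
    return violations(password, long_sys) + violations(prefix, short_sys)
```

With truncation, the short system is protected only by the prefix it stores, so the prefix has to satisfy that system's rules independently of the full password.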
The alternative, of defining different password policies for every target system or for groups of target systems, is user-unfriendly. To update their passwords, users must select a system, choose a password, wait for the password update to complete, possibly re-authenticate, choose another system, choose a different password, and so on. Users must then remember multiple passwords and will continue to experience many password problems. It has been shown that users with many passwords have a strong tendency to write down their passwords.
The default global password policy uses some heuristics to make passwords "easy-to-pronounce, easier to remember". This is particularly helpful to users in an implementation of Bravura Pass; however, in an implementation of Bravura Privilege, where a higher degree of randomness is required, additional strength rules are recommended. See Privileged access password policy for more.