Editing password strength rules
You can edit the system password strength policy enforced by Bravura Security Fabric to include or exclude certain rules, and change values on some rules.
To edit a password strength policy enforced by Bravura Security Fabric:
Click Manage the system > Policies > Password policies.
or
Click Manage the system > Privileged access > Managed system policies.
Select the policy that you want to edit.
Click the Password policy tab.
Select an appropriate status from the drop-down list next to each rule.
If applicable, type a value in the text field next to each enabled rule.
Depending on the rule, some statuses may not apply. The available statuses are:
Required: The rule is enabled and strictly enforced. If a password supplied by a user does not satisfy the rule, Bravura Security Fabric rejects it.
Warning: The rule is enabled but not enforced. If a password supplied by a user does not satisfy the rule, Bravura Security Fabric warns that the password is weak, but still accepts it. The built-in random password generator only generates passwords that satisfy the rule.
Disabled: The rule is not applied to new passwords.
Enabled: The rule is applied to new passwords. This status is available where enforcement does not apply.
See Table 1, “Password strength rules” below for definitions of the password strength rules supplied with Bravura Security Fabric.
Select Hide description if you want to hide the rule from users in the web interface. If a user's chosen password violates a hidden rule, an error message detailing the rule is still displayed.
You can create a custom message to add to or replace the displayed rules.
Click Update.
Rule name | Type | Description |
---|---|---|
have at least N characters | Req | The smallest number of characters that a legal password must have. |
have at most N characters | Req / Warn | The largest number of characters that a legal password can have. |
include both uppercase and lowercase characters | Req / Warn | Enable if passwords should have both uppercase and lowercase characters. |
have at least N lowercase letters | Req / Warn | The smallest number of lowercase letters that a legal password must contain. |
have at most N lowercase letters | Req / Warn | The largest number of lowercase letters that a legal password can contain. |
have at least N uppercase letters | Req / Warn | The smallest number of uppercase letters that a legal password must contain. |
have at most N uppercase letters | Req / Warn | The largest number of uppercase letters that a legal password can contain. |
have at least N special characters (not letters or digits) | Req / Warn | The smallest number of non-alphanumeric characters that a legal password must contain. Spaces are treated as non-alphanumeric characters. Leading and trailing spaces are trimmed in Bravura Security Fabric. |
have at most N special characters (not letters or digits) | Req / Warn | The largest number of non-alphanumeric characters that a legal password can contain. Spaces are treated as non-alphanumeric characters. Leading and trailing spaces are trimmed in Bravura Security Fabric. |
have at least N special characters (not letters or digits) not at the beginning and end | Req / Warn | Same as minimum non-alphanumeric characters, but not counting the first or last character of the password. Spaces are treated as non-alphanumeric characters. Leading and trailing spaces are trimmed in Bravura Security Fabric. |
have at least N letters | Req / Warn | The smallest number of letters that a password must contain. |
begin with a letter | Req / Warn | Enable to require all passwords to start with a letter. Useful for compatibility with some systems. |
have at least N digits | Req / Warn | The smallest number of digits that a legal password must contain. |
have at least N digits not at the beginning and end | Req / Warn | Same as minimum digits, but not counting the first or last character of the password. |
have up to 8 characters, only @,#,$ special characters allowed (mainframe compatible) | Req / Warn | Intended for mainframe compatibility (can have up to 8 chars; alpha/num or @$#). |
have password rules apply to the first N characters | Disabled / Enabled | This forces the first N characters of the password to comply with the password rules, and only the first N characters are used to validate the password. The number of characters must be set. |
not be a dictionary word | Req / Warn | The password, stripped of non-letter characters, may not match a word (consisting of two or more letters) from the dictionary. For example, the passwords word123 and pa9sswor*d are not valid. The dictionary search is case-insensitive. |
not be an exact dictionary word match (e.g. word) | Req / Warn | A password may not exactly match a dictionary word consisting of four or more letters. For example, the passwords w1o2r3d or word123 are valid. The password word is not valid. The dictionary search is case-insensitive. |
not contain an exact dictionary word match (e.g. xyzword123) | Req / Warn | A password may not contain a dictionary word. For example, the password xyzword123 is not valid. The dictionary search is case-insensitive. |
not contain a dictionary word (e.g. xyzw1o2r3d) | Req / Warn | A password, stripped of non-letter characters, may not contain a dictionary word. For example, the password xyzw1o2r3d is not valid. The dictionary search is case-insensitive. |
not be a dictionary word rearranged (e.g. rdow123) | Req / Warn | A password, stripped of non-letter characters, may not be a dictionary word rearranged. For example, the password w1o2r3d4xyz is valid. The password rdow123 is not valid. |
not be the profile ID or name | Req / Warn | The user’s profile ID or name may not be used as the new password. This applies to both the full name and each word in the name. |
not be the profile ID or name reversed | Req / Warn | Same as above but with the letters in the name reversed. This applies to both the full name and each word in the name. |
not contain the profile ID or name | Req / Warn | The user’s profile ID or name may not form part of the new password. This applies to both the full name and each word in the name. |
not contain the profile ID or name reversed | Req / Warn | Same as above but with the letters in the name reversed. |
not be the profile ID or name rearranged | Req / Warn | Same as above but with the letters in the name rearranged in any way. This applies to both the full name and each word in the name. |
not contain rearranged profile ID or name | Req / Warn | The password cannot contain the user’s profile ID or name rearranged in any permutation and mixed with any number of other characters, numbers, or special characters. This is a more restrictive form than “Not a rearranged user name?”. It applies to both the full name and each word in the name. The length checked against the full name and each word in the name is decided by the MIN DICTWORD LENGTH setting in the Manage the system > Policies > Options menu, and punctuation marks such as ’.’ are also stripped. For example, with user name = Bob Jones, profile ID = JonesB the following passwords will be rejected: |
not begin with the first N characters of the profile ID or name | Req / Warn | The new password may not begin with the specified number of characters that begin the profile ID or name. |
require the password to be approved by this plugin | Disabled / Enabled | An external program is called to verify that a password is acceptable. See Rewriting target system operations for details. |
generate random passwords using this plugin | Disabled / Enabled | Specify a plugin to generate random passwords instead of the built-in password generator. Used with Offer the user N random passwords. |
warn if the password is not approved by this plugin | Disabled / Enabled | A warning will be generated if the password does not pass the password policy of the specified plugin. |
have at most N pairs of repeating characters | Req / Warn | The maximum number of pairs of the same character appearing consecutively in new, legal password values. The total possible pairs are counted in a sequence; for example, annno includes two pairs of ’n’s (the first two and the last two), and annnno includes three pairs; however, Uuno contains zero pairs, since upper and lower case letters are treated as different. |
be one of the N suggested passwords | Req / Warn | Display some randomly-selected passwords that the user may choose as a new password value. If disabled, no suggested passwords will be displayed. It is strongly recommended that this rule is set to ’Warning’. This should only be set to ’Required’ in cases where corporate policy disallows non-computer-generated passwords. Setting this rule to ’Required’ is not compatible with transparent password synchronization. See Transparent synchronization and generated passwords for details. |
contain only characters available on a standard English (US) keyboard | Req / Warn | The password is rejected or a warning is issued if the password contains non-printable ASCII characters. Non-printable ASCII characters can create problems with character encoding translation. The Password policy rules web form provides a link to a page that lists valid characters. |
not have N occurrences of the same character | Req / Warn | The password is rejected or a warning is issued if it contains any character occurring N times. N must be data-filled. |
not be an old password | Req / Warn | New passwords may not be the same as old passwords for the selected targets. |
allow old passwords after N days | Disabled / Enabled | Change the history rule, so that new passwords can be the same as old ones (in the history file), if they are over N days old. Ensure that this value is greater than the value of password must be changed every N days, if set. See Prevent users from re-using old passwords for more information. |
password must be changed every N days | Disabled / Enabled | Prompt the user to change passwords every N days. Ensure this value is less than the value for allow old passwords after N days, if set. |
not be one of last N passwords | Req / Warn | New passwords may not be the same as one of the last N passwords. |
be different by at least N characters from the previous password | Req / Warn | The password is rejected or a warning is issued if the password does not contain N characters that do not already exist in the previous password. |
not have been changed by you in the last N hours | Req / Warn | The password is rejected or a warning is issued if the password was changed in the last N hours. |
current password may be reused for password resets for N days after its first use | Disabled / Enabled | Allow password reuse within limited days when used in conjunction with not be an old password. |
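The Required/Warning semantics and a subset of the table's rules, as an added worked example that is not Bravura Security Fabric code: a small Python evaluator that reports the Required rules a candidate fails as rejections and the Warning rules as warnings, so the password is accepted exactly when the rejection list is empty. The dictionary, the profile (Bob Jones / JonesB from the table), the policy values and all function names are constructed for the demonstration; where the table gives worked examples (word123, pa9sswor*d, rdow123, xyzw1o2r3d, annno, Uuno), the checkers reproduce those outcomes.

```python
"""Illustrative evaluator for a subset of the password strength rules in the table
above. Added example, not Bravura Security Fabric code: rule semantics follow the
table's wording and worked examples; dictionary, profile and policy are constructed."""
import re

# Constructed sample dictionary (the product uses its own dictionary file).
DICTIONARY = {"word", "pass", "password", "secret", "monkey"}
REQUIRED, WARNING, DISABLED = "Required", "Warning", "Disabled"


def letters_only(pw):
    """Strip non-letters and lowercase; the dictionary rules are case-insensitive."""
    return re.sub(r"[^A-Za-z]", "", pw).lower()


# Every checker takes (password, N, ctx) and returns True when the rule is VIOLATED.
def too_short(pw, n, ctx):
    return len(pw) < n


def not_mixed_case(pw, n, ctx):
    return not (any(c.islower() for c in pw) and any(c.isupper() for c in pw))


def too_few_specials(pw, n, ctx):
    # Spaces count as special characters, but leading/trailing spaces are trimmed first.
    return sum(not c.isalnum() for c in pw.strip()) < n


def is_dictionary_word(pw, n, ctx):
    # Stripped of non-letters, equals a word of two or more letters: word123, pa9sswor*d fail.
    s = letters_only(pw)
    return len(s) >= 2 and s in DICTIONARY


def contains_dictionary_word(pw, n, ctx):
    # Stripped of non-letters, contains a dictionary word: xyzw1o2r3d fails.
    s = letters_only(pw)
    return any(w in s for w in DICTIONARY)


def is_rearranged_dictionary_word(pw, n, ctx):
    # Stripped letters are a permutation of a word: rdow123 fails, w1o2r3d4xyz passes.
    s = sorted(letters_only(pw))
    return any(s == sorted(w) for w in DICTIONARY)


def count_repeating_pairs(pw):
    """Every adjacent equal pair, case-sensitive: annno -> 2, annnno -> 3, Uuno -> 0."""
    return sum(1 for a, b in zip(pw, pw[1:]) if a == b)


def too_many_repeating_pairs(pw, n, ctx):
    return count_repeating_pairs(pw) > n


def too_few_new_characters(pw, n, ctx):
    # Fewer than N characters that did not already occur in the previous password.
    return len(set(pw) - set(ctx.get("previous", ""))) < n


def contains_profile_name(pw, n, ctx):
    # Profile ID, full name and each word of the name are checked, case-insensitively.
    profile = ctx.get("profile", {})
    parts = [profile.get("id", ""), profile.get("name", "")] + profile.get("name", "").split()
    return any(p.lower() in pw.lower() for p in parts if p)


# Constructed policy: (rule name, status, checker, N). Statuses follow the definitions above.
POLICY = [
    ("have at least N characters", REQUIRED, too_short, 8),
    ("include both uppercase and lowercase characters", REQUIRED, not_mixed_case, None),
    ("have at least N special characters (not letters or digits)", WARNING, too_few_specials, 1),
    ("not be a dictionary word", REQUIRED, is_dictionary_word, None),
    ("not be a dictionary word rearranged", REQUIRED, is_rearranged_dictionary_word, None),
    ("not contain the profile ID or name", REQUIRED, contains_profile_name, None),
    ("have at most N pairs of repeating characters", WARNING, too_many_repeating_pairs, 1),
    ("be different by at least N characters from the previous password", REQUIRED, too_few_new_characters, 3),
]


def evaluate(pw, policy=POLICY, previous="", profile=None):
    """Return (rejections, warnings): failed Required rules and failed Warning rules.
    The password is accepted when rejections is empty; warnings are reported, not enforced."""
    ctx = {"previous": previous, "profile": profile or {}}
    rejections, warnings = [], []
    for name, status, check, n in policy:
        if status != DISABLED and check(pw, n, ctx):
            (rejections if status == REQUIRED else warnings).append(name)
    return rejections, warnings


if __name__ == "__main__":
    bob = {"id": "JonesB", "name": "Bob Jones"}  # constructed profile from the table's example
    for candidate in ["word123", "Tr0ub4dor&3", "myJonesB1!", "Xq7!vvmm#Lp"]:
        print(candidate, evaluate(candidate, previous="Tr0ub4dor&2", profile=bob))
```

Running the block shows the difference between the three dictionary checks on the table's own examples, and that a password can be accepted while still carrying a warning (Xq7!vvmm#Lp passes every Required rule but exceeds one repeating pair). The Disabled branch mirrors the status table: a Disabled rule is skipped entirely rather than evaluated and ignored.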