
Password expiry detection

Bravura Security Fabric can detect when users’ passwords are about to expire on some target systems. It can also keep track of when their passwords will expire based on the last time the passwords were changed and Bravura Security Fabric password policies. Based on these criteria, Bravura Security Fabric can determine that it is time for users to change their passwords.

Note

If both the target system's Check password expiry setting and the Bravura Security Fabric password policy rule password must be changed every N days are in effect, the earliest of the two expiry times is used.

Bravura Security Fabric informs users of the upcoming expiry and asks them to change all their passwords using Bravura Security Fabric, rather than changing individual passwords on the target systems as they expire. Bravura Security Fabric notifies users either by email or by opening the user's browser to an informative page during network login.

Initial considerations

To determine the best solution for expiry notification, answer the following questions:

  1. Where is the expiry information coming from?

    You can gather a list of soon-to-expire users from:

    • One or more target systems

      In most environments, password aging is already implemented on one or more target systems. Using target systems as the source means that users' scheduled password changes will not be interrupted.

    • The Bravura Security Fabric database

      The Bravura Security Fabric password policy rule password must be changed every N days is enabled to expire passwords.

    • Both target systems and Bravura Security Fabric database.

      For example, configure the Bravura Pass password policy to expire passwords every 80 days and – if required – adjust the password policy on integrated systems to expire passwords every 90 days. This way, Bravura Pass passwords will expire first and users will never see the expiry warnings from individual systems and applications.

      Alternately, if feasible, set Bravura Pass password expiry to 90 days and modify expiry on all integrated systems to 100 days. This allows a typical organization to retain a 90 day expiry period overall, but involves a bit more change control on existing systems.

  2. How do you want to notify users?

    You can configure Bravura Security Fabric to:

    • Automatically open a browser at the Bravura Security Fabric web site when a user first logs in.

    • Send all users whose passwords are about to expire a batch email.

    • Take some other action.

    If password expiry is enabled on users' primary login operating system – for example, Active Directory – it is recommended that you do not configure Bravura Security Fabric to notify users whose password has already expired. Otherwise, a user could log in, receive an expiry notification from the operating system, and change the password using the operating system's native method; once logged in, the user would then receive a Bravura Security Fabric notification to change a password that has already been changed. It is also recommended that transparent password synchronization be implemented in this case.

    Best practice

    Configure Bravura Pass to monitor upcoming password expiry on all systems. At a minimum, send email reminders to users asking them to change their soon-to-expire password. Include a link to the Bravura Pass URL in these emails.

    Password expiry emails should be sent to users 10, 5, 3, 2 and 1 days before the current password expires.
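The following is an added worked example, not code from Bravura Security Fabric or its documentation. It models the two rules described above: the effective expiry is the earliest of the policy-based expiry (last change plus N days) and the expiry recorded from the target system, and reminders are generated only on the 10, 5, 3, 2 and 1 day marks, with already-expired users skipped when the primary login operating system enforces expiry itself. The user records, the `NOW` timestamp, the 90 day interval and all function names are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed values for this example (assumptions, not product settings).
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
POLICY_MAX_AGE_DAYS = 90            # "password must be changed every N days"
REMINDER_DAYS = (10, 5, 3, 2, 1)    # best-practice reminder schedule from the page


def policy_expiry(last_changed: datetime, max_age_days: int) -> datetime:
    """Expiry implied by the password policy: last change + N days."""
    return last_changed + timedelta(days=max_age_days)


def effective_expiry(last_changed: datetime, max_age_days: int,
                     target_expiry: Optional[datetime]) -> datetime:
    """Earliest of the policy-based expiry and the expiry recorded from the target system.

    target_expiry is None when the target system does not report expiry
    (Check password expiry not enabled or not supported).
    """
    candidates = [policy_expiry(last_changed, max_age_days)]
    if target_expiry is not None:
        candidates.append(target_expiry)
    return min(candidates)


def days_until(expiry: datetime, now: datetime) -> int:
    """Whole days remaining; negative when the password has already expired."""
    return (expiry - now) // timedelta(days=1)


def plan_notifications(users: List[Dict], now: datetime, max_age_days: int,
                       os_enforces_expiry: bool) -> Dict[str, str]:
    """Decide, per user, what expiry notification (if any) to send today.

    Returns "remind:<days>" on a scheduled reminder day, "none" otherwise,
    and for already-expired passwords either "skip-expired" (the login OS
    will prompt the user itself) or "notify-expired".
    """
    plan: Dict[str, str] = {}
    for user in users:
        expiry = effective_expiry(user["last_changed"], max_age_days,
                                  user.get("target_expiry"))
        remaining = days_until(expiry, now)
        if remaining < 0:
            plan[user["name"]] = "skip-expired" if os_enforces_expiry else "notify-expired"
        elif remaining in REMINDER_DAYS:
            plan[user["name"]] = f"remind:{remaining}"
        else:
            plan[user["name"]] = "none"
    return plan


# Constructed sample records: last change time and, where the target system
# reports it, the expiry recorded during auto discovery.
SAMPLE_USERS = [
    # Policy expiry in 5 days, nothing reported by the target system.
    {"name": "alice", "last_changed": NOW - timedelta(days=85)},
    # Policy would allow 60 more days, but the target system expires it in 3.
    {"name": "bob", "last_changed": NOW - timedelta(days=30),
     "target_expiry": NOW + timedelta(days=3)},
    # Expired 10 days ago under the policy.
    {"name": "carol", "last_changed": NOW - timedelta(days=100)},
    # 60 days left from the target system; not a reminder day.
    {"name": "dave", "last_changed": NOW - timedelta(days=10),
     "target_expiry": NOW + timedelta(days=60)},
]


if __name__ == "__main__":
    for name, action in plan_notifications(SAMPLE_USERS, NOW, POLICY_MAX_AGE_DAYS,
                                           os_enforces_expiry=True).items():
        print(f"{name:8} {action}")
```

Running the block prints `alice remind:5`, `bob remind:3`, `carol skip-expired` and `dave none`; setting `os_enforces_expiry=False` turns carol's entry into `notify-expired`, which is the behaviour the page advises against when Active Directory already expires passwords.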

Detecting target system password expiry

  1. Click Manage the System > Resources > Target systems.

  2. Select the target system from which you want to get the expiry information.

  3. Ensure that the Check password expiry box is selected.

  4. Repeat for each target system to be considered for expiry.

For each target system with the Check password expiry setting enabled, Bravura Security Fabric records the password expiration date/time, and the last password change, during auto discovery.

See also

See Target systems for more information about configuring target systems.

Detecting password expiry based on Bravura Security Fabric password policy

To check soon-to-expire passwords based on the last time users changed their password, set up password strength rules to add users’ password history to the Bravura Security Fabric database and establish a password expiry interval:

  1. Click Manage the system > Policies > Password policies.

  2. Select the policy you want to update.

  3. Select the Password policy tab.

  4. Set the Not be an old password rule to required, if you want to prevent users from selecting a previously used password.

  5. Enable the password must be changed every N days rule and set the value to the desired password expiry interval.

  6. Click Update.

Example: Detect soon-to-expire passwords

This example shows you how to configure Bravura Security Fabric to detect password expiry on an Active Directory target system.

If both target password expiry and Bravura Security Fabric password history are in effect, the earliest expiry time is used.

Requirements

This example assumes that:

  • Bravura Security Fabric and the Connector Pack are installed.

  • An Active Directory target system is added as a source of profiles.

The example covers the following steps:

  • Setting the superuser account password to never expire.

  • Configuring Bravura Pass to detect when passwords expire on an Active Directory target system using target system settings.

  • Configuring password expiry detection on Bravura Pass profiles using product password policy settings.

Use target system policy to record expiry

To use the target system policy:

  1. Log in to Bravura Security Fabric as superuser.

  2. Click Manage the system > Resources > Target systems > Manually defined.

  3. Select the Active Directory target system.

  4. Ensure that the Check password expiry box is selected.

For each target system with the Check password expiry setting enabled, Bravura Security Fabric records the password expiration date/time, and the last password change, during auto discovery.

Set Bravura Pass password policy to use history rules

Configure password expiry policy based on the last time users changed their password using Bravura Security Fabric.

A particularly useful strength rule, not be an old password, prevents or warns users against reusing old passwords. This ensures that if a user's password was divulged in the past, it will not constitute a threat in the future. See Prevent users from re-using old passwords.

To set rules for password history:

  1. Log in to Bravura Security Fabric as superuser.

  2. Click Manage the system > Policies > Password policies.

  3. Select the DEFAULT policy.

  4. Click the Password policy tab for the default password policy.

  5. Set not be an old password to "Required".

  6. Set password must be changed every N days to "Enabled" and type 42.

    This value matches the default Active Directory password expiry setting (see the note below).

  7. Set allow reuse of old passwords after N days to "Enabled" and type 420.

    This value matches the default Active Directory setting.

  8. Click Update.

See also