19.3 Setting Password Policy Rules

Setting password policy rules involves specifying criteria for your password policy, for example, the minimum and maximum length of passwords.

You can use either or both of the following methods to set password restrictions:

To set the rules for a password policy:

  1. In the Password Policy page, search for and select the password policy that you want to open.

  2. From the Actions menu, select Open. Alternatively, click Open on the toolbar. The password policy details page is displayed.


    Note:

    You can also set the password policy rules at the time of creating the password policy.

  3. In the Policy Rules tab, enter values in the fields, as listed in Table 19-1:


    Note:

    If a data field of the policy is empty, a password conforming to this policy does not have to meet the criteria of that field for the password to be valid. For example, when the Minimum Numeric Characters field is blank, Oracle Identity Manager accepts a password regardless of how many digits it contains.

    Table 19-1 Fields in the Policy Rules Section

    Field Name Description

    Minimum Length

    The minimum number of characters that a password must contain for the password to be valid.

    For example, if you enter 4 in the Minimum Length field, then the password must contain at least four characters.

    This field accepts values from 0 to 999.

    Minimum Password Age (Days)

    The minimum duration in days for which users can use a password.

    For example, if you enter 2 in the Minimum Password Age (Days) field, then the user cannot change the password within 2 days of creating it.

    The value of this field must be less than the value of the Expires After (Days) field. For example, if you enter 30 in the Expires After (Days) field and 31 in the Minimum Password Age (Days) field, then an error is displayed.

    Warn After (Days)

    The number of days that must pass before a user is notified that the user's password will expire on a designated date.

    For example, you enter 30 in the Expires After (Days) field, and 20 in the Warn After (Days) field, and the password is created on November 1. On November 21, the user will be informed that the password will expire on December 1.

    This field accepts values from 0 to 999.

    Disallow Past Passwords

    The number of most recently used passwords that a user cannot reuse. This rule prevents users from cycling back and forth among a small set of familiar passwords.

    For example, if you enter 10 in the Disallow Past Passwords field, then users are allowed to reuse a password only after they have used 10 other unique passwords.

    This field accepts values from 0 to 24.

    Expires After (Days)

    The maximum duration in days for which users can use a password.

    For example, if you enter 30 in the Expires After (Days) field, then users must change their passwords by the thirtieth day after the password was created or last modified.

    This field accepts values from 0 to 999.

    Note: After the number of days specified in the Expires After (Days) field has passed, a message is displayed asking the user to change the password.


  4. You can configure either a default complex password policy or a custom password policy. If you select the Complex Password option, then you cannot use the Custom Policy option setup, and passwords will be evaluated against the complex password criteria.

    • Complex Password: Selecting this option sets the following complex password criteria:

      • The password is at least six characters long.

      • The password contains characters from at least three of the following five categories:

        - English Uppercase Characters (A - Z)

        - English Lowercase Characters (a - z)

        - Base 10 digits (0 - 9)

        - Non-alphanumeric characters (for example: !, $, #, or ^)

        - Unicode characters

      • The password does not contain the User ID, first name, or last name, or any delimited section of them that is three or more characters long.

        The names are parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, then the names are split and each section of three or more characters is verified not to be included in the password. For example, if the user name is john-d, then d is not checked because it is shorter than three characters, but john is. Similarly, if the name is John Richard Doe, then the password cannot contain john, richard, or doe.

        When checking against the user's full name, the same characters (commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs) are treated as delimiters that separate the name into individual character sets. Each character set that has three or more characters is searched for in the password. If the character set is present in the password, the password change is rejected. For example, the name John Richard-Doe is split into three character sets: John, Richard, and Doe, so this user cannot have a password that contains john, richard, or doe anywhere in it. However, the password can contain the substring d-D, because the hyphen (-) is treated as the delimiter between the substrings Richard and Doe rather than as part of either. The search for character sets in the password is not case-sensitive.


      Note:

      If the user's full name is less than three characters in length, the password is not checked against it, because the rate at which passwords would be rejected is too high.

    • Custom Policy: If you select the Custom Policy option, you can set a custom password policy by using the fields listed in Table 19-2.

      Table 19-2 Fields in Custom Policy Section

      Field Name Description

      Maximum Length

      The maximum number of characters that a password can contain.

      For example, if you enter 8 in the Maximum Length field, then a password is not accepted if it has more than eight characters.

      This field accepts values from 1 to 999.

      Maximum Repeated Characters

      The maximum number of times a character can be repeated in a password.

      For example, if you enter 2 in the Maximum Repeated Characters field, then a password is not accepted if any character is repeated more than two times. For example, RL112211 would not be a valid password because the character 1 is repeated three times.

      Note: In this example, there are four occurrences of the character 1, which means that it is repeated three times.

      This field accepts values from 1 to 999.

      Minimum Numeric Characters

      The minimum number of digits that a password must contain.

      For example, if you enter 1 in the Minimum Numeric Characters field, then a password must contain at least one digit.

      This field accepts values from 0 to 999.

      Minimum Alphanumeric Characters

      The minimum number of letters or digits that a password must contain.

      For example, if you enter 6 in the Minimum Alphanumeric Characters field, then a password must contain at least six letters or numbers.

      This field accepts values from 0 to 999.

      Minimum Unique Characters

      The minimum number of nonrepeating characters that a password must contain.

      For example, if you enter 1 in the Minimum Unique Characters field, then a password is accepted if at least one character in the password is not repeated. For example, 1a23321 would be a valid password because the character a in the password is not repeated although the remaining characters are repeated.

      This field accepts values from 0 to 999.

      Minimum Alphabet Characters

      The minimum number of letters that a password must contain.

      For example, if you enter 2 in the Minimum Alphabet Characters field, then the password is not accepted if it has less than two letters.

      This field accepts values from 0 to 999.

      Minimum Uppercase Characters

      The minimum number of uppercase letters that a password must contain.

      For example, if you enter 8 in the Minimum Uppercase Characters field, then a password is not accepted if it contains fewer than eight uppercase letters.

      This field accepts values from 0 to 999.

      Minimum Lowercase Characters

      The minimum number of lowercase letters that a password must contain.

      For example, if you enter 8 in the Minimum Lowercase Characters field, then a password is not accepted if it has less than eight lowercase letters.

      This field accepts values from 0 to 999.

      Special Characters: Min

      The minimum number of special characters that a password must contain.

      For example, if you enter 2 in the Special Characters: Min field, then the password is not accepted if it has less than two special characters.

      The field accepts values from 0 to 999.

      Special Characters: Max

      The maximum number of special characters that a password can contain.

      For example, if you enter 5 in the Special Characters: Max field, then a password is not accepted if it has more than five special characters.

      This field accepts values from 1 to 999.

      Unicode Characters: Min

      The minimum number of Unicode characters that a password must contain.

      For example, if you enter 3 in the Unicode Characters: Min field, then the password is not accepted if it has fewer than three Unicode characters.

      This field accepts values from 0 to 999.

      Unicode Characters: Max

      The maximum number of Unicode characters that a password can contain.

      For example, if you enter 8 in the Unicode Characters: Max field, then a password is not accepted if it has more than eight Unicode characters.

      This field accepts values from 1 to 999.

      Password File

      The path and name of a file that contains predefined terms, which are not allowed as passwords. The file must be stored on the same host on which Oracle Identity Manager is deployed and must be readable by the account under which Oracle Identity Manager runs. Because the file's contents are effectively part of the policy, protect it from modification by anyone other than the administrators who maintain the policy.

      Note: The settings on the Policy Rules tab take precedence over the specifications in the password file. For example, a disallowed term from the password file is applied only when no disallowed term is specified on the Policy Rules tab.

      File Delimiter

      The delimiter character used to separate terms in the password file.

      For example, if a comma (,) is entered in the Password File Delimiter field, then the terms in the password file will be separated by commas.

      Note: No escape characters are defined for password policies, so a term in the password file cannot itself contain the delimiter character.

      Characters Required

      The characters that a password must contain.

      For example, if you enter x in the Characters Required field, then a password is accepted only if it contains the character x.

      The character you specify in the Characters Required field, must be mentioned in the Characters Allowed field. If you enter a character in the Characters Required field that is not mentioned in the Characters Allowed field, then an error is displayed stating that the required characters must be in the list of allowed characters, and required characters must not be in the list of not allowed characters.

      In addition, if you specify more than one character, do not separate them with delimiters: commas and white space are themselves treated as characters in this field. For example, if you enter a,x,c, then a password is not accepted unless it contains a comma as well as a, x, and c.

      Note: The characters specified are case-sensitive.

      Characters Allowed

      The characters that a password can contain.

      For example, if you enter the percent sign (%) in the Characters Allowed field, then a password is accepted if it contains a percent sign, given that all other criteria are met.

      Note: If any character is used in the password and that character is not in the Characters Allowed field, then the password will be rejected. For example, if the Characters Allowed field has "abc" and the password is "dad", then the password is rejected because "d" is not in the Characters Allowed field.

      If you specify the same character in the Characters Allowed and Characters Not Allowed fields, then an error message is returned when you create the password policy.

      Note: The characters specified are case-sensitive.

      Characters Not Allowed

      The characters that a password must not contain.

      For example, if you enter an exclamation point (!) in the Characters Not Allowed field, then a password is not accepted if it contains an exclamation point.

      Note: The characters specified are case-sensitive.

      Substrings Not Allowed

      A series of consecutive alphanumeric characters that a password must not contain.

      For example, if you enter oracle in the Substrings Not Allowed field, then a password is not accepted if it contains the letters o, r, a, c, l, and e, in successive order.

      Maximum Incorrect Login attempts counter

      The maximum number of incorrect login attempts allowed for a user. After this many failed attempts, the user account is locked. You can choose whether the user is locked permanently or for a set duration; entering a value in this field enables the Permanent Lockout and Lock Duration fields.

      Permanent Lockout

      If a user exceeds the maximum number of incorrect login attempts, the user can be locked out permanently. To enable this, select this check box. When this option is enabled, you cannot set a Lock Duration. Note: Only an administrator can unlock the user if this option is enabled.

      Lock Duration

      If a user exceeds the maximum number of incorrect login attempts, the user can be locked for a period of time. The duration for which the user is locked is set in minutes. For example, if the lock duration is set to 5 minutes, the user is unlocked 5 minutes after being locked.

      If Permanent Lockout is enabled then this field is not applicable.

      Start with Alphabet

      Whether or not the password must begin with a letter.

      For example, if you select this option, then the password 123welcome is not accepted because the password does not begin with a letter. However, if you do not select this option, then the password can begin with a letter, numeric digit, or special character.

      Disallow First Name

      This check box specifies if the user's first name will be accepted as the whole password or as part of the password.

      When this check box is selected, a password will not be valid if the user's first name is entered in the Password field. In addition, the password is not valid if the first name is entered as a part of the password.

      If you deselect this check box, then the password will be accepted, even if it contains the user's first name.

      Disallow User ID

      This check box specifies if the user ID will be accepted as the whole password or as part of the password.

      When this check box is selected, a password will not be valid if the user ID is entered in the Password field. In addition, the password is not valid if the user ID occurs as a part of the password specified in the Password field.

      If you deselect this check box, the password will be accepted, even if it contains the user ID.

      Disallow Last Name

      This check box specifies if the user's last name will be accepted as the whole password or as part of the password.

      When this check box is selected, a password will not be valid if the user's last name is entered in the Password field. In addition, the password is not valid if the last name is entered as a part of the password.

      If you deselect this check box, then the password is accepted, even if it contains the user's last name.


  5. Click Apply to save the password policy.
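The Complex Password criteria in step 4 are easy to misread, in particular the name-token rule (only sections of three or more characters are searched, delimiters split the names, and the search is case-insensitive). The following Python is an added example, not code from this page or from Oracle Identity Manager, that implements those criteria so the behaviour can be checked against realistic input. It assumes that the User ID is tokenized with the same delimiters as the names (which the page's john-d example implies) and that "Unicode characters" means any character outside 7-bit ASCII; the sample users and passwords are constructed.

```python
import re

# Delimiters the page lists for splitting a user's names before the check.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(*names: str) -> list[str]:
    """Split each name on the documented delimiters and keep the sections
    that are three or more characters long, lower-cased because the search
    is not case-sensitive. Sections of one or two characters are dropped."""
    tokens = []
    for name in names:
        for section in NAME_DELIMITERS.split(name or ""):
            if len(section) >= 3:
                tokens.append(section.lower())
    return tokens


def categories(password: str) -> set[str]:
    """Report which of the five character categories the password uses.
    Assumption: "Unicode characters" means anything outside 7-bit ASCII."""
    found = set()
    for ch in password:
        if "A" <= ch <= "Z":
            found.add("upper")
        elif "a" <= ch <= "z":
            found.add("lower")
        elif "0" <= ch <= "9":
            found.add("digit")
        elif ord(ch) < 128:
            found.add("special")      # ASCII punctuation such as ! $ # ^
        else:
            found.add("unicode")
    return found


def check_complex(password: str, user_id: str = "", first_name: str = "",
                  last_name: str = "") -> list[str]:
    """Evaluate the Complex Password criteria. Returns the list of violated
    rules; an empty list means the password is accepted."""
    violations = []
    if len(password) < 6:
        violations.append("shorter than six characters")
    if len(categories(password)) < 3:
        violations.append("fewer than three of the five character categories")
    lowered = password.lower()
    # Assumption: the User ID is tokenized the same way as the names, which is
    # what the page's john-d example implies.
    for token in name_tokens(user_id, first_name, last_name):
        if token in lowered:
            violations.append(f"contains name/ID token '{token}'")
    return violations


if __name__ == "__main__":
    # Constructed sample user and passwords, not real data.
    for pw in ("Welcome1", "welcome1", "xRichard9!", "d-Dab12X"):
        print(pw, check_complex(pw, user_id="jdoe", first_name="John",
                                last_name="Richard-Doe") or "accepted")
```

Note that d-Dab12X is accepted for the user John Richard-Doe even though it contains letters from both Richard and Doe, because the hyphen splits the last name and neither token appears whole; xRichard9! is rejected because richard does.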


Note:

After creating a password policy, you must associate the policy with an organization. The rules of the policy are then applied to the users of that organization and its suborganizations. For information, see "Evaluating Password Policies".
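Several of the Custom Policy fields in Table 19-2 have semantics that are easy to get wrong: Maximum Repeated Characters counts occurrences beyond the first, Minimum Unique Characters counts characters that occur exactly once, Characters Required treats commas and spaces as literal characters, and the password file has no escape characters. The following Python is an added example, not code from this page or from Oracle Identity Manager, that implements a subset of the Table 19-2 rules together with the policy-consistency checks the page says the UI enforces (required characters must be allowed and not disallowed; a character cannot be both allowed and not allowed). It assumes that a special character is printable ASCII that is neither a letter nor a digit, that a password-file term rejects only an exact whole-password match, that Substrings Not Allowed is matched case-sensitively, and that Disallow User ID is matched case-insensitively as the name checks are; the sample policy, user ID and password-file contents are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional


def load_password_file(text: str, delimiter: str) -> List[str]:
    """Split password-file contents on the configured File Delimiter.
    The page defines no escape characters, so a term can never contain the
    delimiter; we split on it and drop empty entries."""
    return [term for term in text.split(delimiter) if term]


@dataclass
class CustomPolicy:
    """Subset of the Table 19-2 fields. None (an empty field in the UI) means
    the rule is not applied, as the note under step 3 describes."""
    max_length: Optional[int] = None
    max_repeated: Optional[int] = None
    min_unique: Optional[int] = None
    min_numeric: Optional[int] = None
    min_special: Optional[int] = None
    chars_required: str = ""        # literal and case-sensitive; comma and space count
    chars_allowed: str = ""         # empty means no restriction
    chars_not_allowed: str = ""
    substrings_not_allowed: List[str] = field(default_factory=list)
    disallowed_terms: List[str] = field(default_factory=list)  # from the password file
    start_with_alphabet: bool = False
    disallow_user_id: bool = False

    def __post_init__(self) -> None:
        # Consistency checks the page says the UI raises when the policy is saved.
        overlap = set(self.chars_allowed) & set(self.chars_not_allowed)
        if overlap:
            raise ValueError(f"characters both allowed and not allowed: {sorted(overlap)}")
        for ch in self.chars_required:
            if self.chars_allowed and ch not in self.chars_allowed:
                raise ValueError(f"required character {ch!r} is not in the allowed list")
            if ch in self.chars_not_allowed:
                raise ValueError(f"required character {ch!r} is in the not-allowed list")


def policy_error(**fields) -> Optional[str]:
    """Return the consistency error a policy definition would raise, or None."""
    try:
        CustomPolicy(**fields)
    except ValueError as exc:
        return str(exc)
    return None


def is_special(ch: str) -> bool:
    # Assumption: a special character is printable ASCII that is neither a letter nor a digit.
    return ch.isascii() and ch.isprintable() and not ch.isalnum()


def check_custom(policy: CustomPolicy, password: str, user_id: str = "") -> List[str]:
    """Return the violated rules; an empty list means the password is accepted."""
    v: List[str] = []
    counts = Counter(password)
    if policy.max_length is not None and len(password) > policy.max_length:
        v.append(f"longer than {policy.max_length} characters")
    if policy.max_repeated is not None:
        # "Repeated" counts occurrences beyond the first: four 1s are three repeats.
        for ch, n in counts.items():
            if n - 1 > policy.max_repeated:
                v.append(f"character {ch!r} repeated {n - 1} times (max {policy.max_repeated})")
    if policy.min_unique is not None:
        unique = sum(1 for n in counts.values() if n == 1)
        if unique < policy.min_unique:
            v.append(f"only {unique} non-repeating characters (min {policy.min_unique})")
    if policy.min_numeric is not None and sum(ch.isdigit() for ch in password) < policy.min_numeric:
        v.append(f"fewer than {policy.min_numeric} digits")
    if policy.min_special is not None and sum(is_special(ch) for ch in password) < policy.min_special:
        v.append(f"fewer than {policy.min_special} special characters")
    missing = [ch for ch in policy.chars_required if ch not in password]
    if missing:
        v.append(f"missing required characters {missing}")
    if policy.chars_allowed:
        outside = [ch for ch in password if ch not in policy.chars_allowed]
        if outside:
            v.append(f"characters outside the allowed list {outside}")
    present = [ch for ch in policy.chars_not_allowed if ch in password]
    if present:
        v.append(f"contains not-allowed characters {present}")
    for sub in policy.substrings_not_allowed:
        if sub in password:                     # assumption: case-sensitive match
            v.append(f"contains disallowed substring {sub!r}")
    if password in policy.disallowed_terms:     # assumption: whole-password, exact match
        v.append("matches a term in the password file")
    if policy.start_with_alphabet and not password[:1].isalpha():
        v.append("does not start with a letter")
    if policy.disallow_user_id and user_id and user_id.lower() in password.lower():
        v.append("contains the user ID")        # assumption: case-insensitive, as for names
    return v


# Constructed sample policy and password-file contents, not from any real deployment.
SAMPLE_POLICY = CustomPolicy(
    max_length=12, max_repeated=2, min_unique=1, min_numeric=1,
    chars_not_allowed="!", substrings_not_allowed=["oracle"],
    disallowed_terms=load_password_file("Welcome1,Password1,changeme", ","),
    start_with_alphabet=True, disallow_user_id=True,
)

if __name__ == "__main__":
    for pw in ("RL112211", "1a23321", "Welcome1", "Alpha1oracleX", "Mypass9"):
        print(pw, check_custom(SAMPLE_POLICY, pw, user_id="jdoe") or "accepted")
```

With this policy RL112211 fails only the repeated-character rule (four occurrences of 1, so three repeats), 1a23321 fails only Start with Alphabet, and Welcome1 is rejected because it appears in the password file; constructing CustomPolicy(chars_allowed="abc", chars_required="x") raises the same kind of error the page describes for the Characters Required field.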