Generate strong Password Format Control Policies

Enterprise Access Management Tutorial - Configure Password Format Control Policies

Learn how to configure new Password Format Control Policies (PFCP) on the EAM console in a few clicks.

The Password Format Control Policies define the number of characters, the minimum and maximum lengths and the types of characters required to provide a valid password when authenticating on an application.

Managing Password Format Control Policies

Before starting:

To perform the tasks described, you must have at least the following administration role:

  • In classic administration mode: "Security object administrator".
  • In advanced administration mode, your role must contain the following administration right: "Password format control policy: Creation/Modification".

Creating Password Format Control Policies

In the tree structure of the Directory panel, right-click the organizational unit that must contain your PFCP and select New > Password Control Policy.

  • The PFCP configuration tab appears.

Configuring Password Format Control Policy

  • To perform this task, you must have at least the following administration role:
    • In classic administration mode: "Security object administrator".
    • In advanced administration mode, your role must contain the following administration right: "Password format control policy: Creation/Modification".

Procedure

  1. Type the PFCP name.
  2. In the Password Format area, set the minimum and the maximum number of characters and the maximum number of occurrences of the same character allowed in the password, and specify whether to allow or prevent successive occurrences of the same character.

Advanced Policies

Click the Advanced Policy button to add forbidden character sequences:

Select the following check boxes:

  • New and current passwords can't have the same characters at the same position: forces the user to change the order of the characters. Example: if this check box is selected and the old password was apricot, then the new password cannot be apple but can be parrot, for example.
  • This option is case sensitive: determines whether upper case and lower case letters are considered identical letters in the password. Example: if the check box is not selected, then a=A.
  • Password cannot contain the user's login or display name: prevents users from using their name or login (sAMAccountName) to create their password. This restriction applies to names longer than 3 characters. Example: the password of John Fab Smith can contain neither John nor Smith, but can contain Fab. This option is available only with Microsoft directories.

Advanced policy config

Use the Add and Remove buttons to manage the forbidden character sequences, such as QWERTY or 12345.

  1. In the Allowed characters area, set the number of lower case letters, upper case letters, digits and special characters, the list of special characters allowed in passwords, and their position.
    The Special character list field enables you to specify which of these characters must appear in the password.
    You can also force the use of 3 categories of characters out of the 4 available.
  2. In the Forbidden characters area, create a list of forbidden characters.
  3. Click the Test password generation button to check if the generated passwords correspond to your requirements.
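
The rules set in this procedure can be approximated offline to check candidate passwords against a planned policy before entering it in the console. The following Python checker is an added example, not EAM code: the field names, default values and the scope of the case-sensitivity option are assumptions, and the same-position and special-character-position rules are not modelled.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Policy:  # hypothetical field names modelled on the console options
    min_len: int = 8
    max_len: int = 32
    max_same_char: int = 3           # max occurrences of one character
    allow_successive: bool = False   # successive occurrences of the same character
    case_sensitive: bool = False     # check box not selected: a == A
    forbidden_sequences: tuple = ("QWERTY", "12345")
    forbidden_chars: str = ""
    min_categories: int = 3          # 3 of the 4 character categories

def violations(pw, policy, login="", display_name=""):
    """Return the list of rules that pw breaks (empty list = accepted)."""
    # Assumption: the case option applies to the repeat and sequence checks.
    fold = (lambda s: s) if policy.case_sensitive else str.lower
    folded = fold(pw)
    found = []
    if not policy.min_len <= len(pw) <= policy.max_len:
        found.append("length")
    if pw and max(Counter(folded).values()) > policy.max_same_char:
        found.append("same character count")
    if not policy.allow_successive and any(a == b for a, b in zip(folded, folded[1:])):
        found.append("successive characters")
    if any(fold(seq) in folded for seq in policy.forbidden_sequences):
        found.append("forbidden sequence")
    if any(c in policy.forbidden_chars for c in pw):
        found.append("forbidden character")
    # Only name parts longer than 3 characters count (assumed case-insensitive).
    names = [n for n in [login, *display_name.split()] if len(n) > 3]
    if any(n.lower() in pw.lower() for n in names):
        found.append("contains login or name")
    categories = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
                  any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if sum(categories) < policy.min_categories:
        found.append("character categories")
    return found

if __name__ == "__main__":
    # Constructed sample inputs, using the John Fab Smith example from the text.
    for candidate in ("Fab!River9x", "Smith!River9x", "qwerty12"):
        print(candidate, violations(candidate, Policy(), "jsmith", "John Fab Smith"))
```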