Password policy
Overview
Configure a password policy when you want a customized rule for creating valid sign-in passwords. The password policy applies to end users who sign in to your registered apps within a realm.
You can configure only one password policy per realm.
By default, Identity Cloud password policy is set to the minimum security requirements established by the National Institute of Standards and Technology (NIST). Any changes you make to the password policy must conform to requirements contained in their guidelines. See Digital Identity Guidelines.
Configure a password policy
- In the Identity Cloud admin UI, go to Security > Password Policy.
- Choose the realm the password policy will apply to.
- Edit password policy details.
Password length
When enabled, the policy requires a password with the specified minimum number of characters. No maximum.
Cannot include
Options to restrict the use of any of the following in the policy:
- More than two consecutive characters (Example: aaaaaa)
- Commonly-used passwords (Examples: qwerty or 12345678)
- Values in certain user attributes. From the drop-down list, specify user attributes that cannot be used.
Must contain
When enabled, the policy requires the use of a specified 1–4 of the following:
- Upper case letter
- Lower case letter
- Number
- Space, pipe, or special character: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { } ~
Cannot reuse
When enabled, the policy restricts the end user from reusing the specified number of previously set passwords.
Force password change
When enabled, the policy forcibly expires each end-user password after the specified number of days, months, or years have elapsed from when the password was set.
To handle expired passwords in an end-user journey, use the Expired outcome in the Identity Store Decision node.
- Click Save.
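The rules above, expressed as a local Python checker so the boundaries of each setting can be tested offline. This is an added illustration, not Identity Cloud's own code; the policy values, the user attributes and the password history are constructed samples, and the unsalted SHA-256 digest stands in for a real password store.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Characters the "Must contain" rule counts as space, pipe or special.
SPECIAL = set(' |!"#$%&\'()*+,-./:;<=>?@[\\]^_`{}~')

@dataclass
class PasswordPolicy:
    min_length: int = 8        # Password length: minimum only, no maximum
    max_run: int = 2           # Cannot include more than this many identical characters in a row
    common: set = field(default_factory=set)        # Cannot include commonly-used passwords
    banned_attrs: set = field(default_factory=set)  # Cannot include values of these user attributes
    classes_required: int = 3  # Must contain N of the 4 character classes (1-4)
    history: int = 3           # Cannot reuse the last N passwords

def digest(pw: str) -> str:
    # Stand-in for the stored verifier; a real password store uses a salted, slow hash.
    return hashlib.sha256(pw.encode()).hexdigest()

def check_password(policy: PasswordPolicy, pw: str, user: dict, history: list) -> list:
    """Return the rule violations for pw; an empty list means it satisfies the policy."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if re.search(r"(.)\1{%d,}" % policy.max_run, pw):
        problems.append(f"more than {policy.max_run} consecutive identical characters")
    if pw.lower() in policy.common:
        problems.append("commonly-used password")
    for attr in sorted(policy.banned_attrs):
        value = str(user.get(attr, ""))
        if value and value.lower() in pw.lower():
            problems.append(f"contains the value of user attribute {attr}")
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in SPECIAL for c in pw)]
    if sum(classes) < policy.classes_required:
        problems.append(f"has {sum(classes)} of 4 character classes, policy needs {policy.classes_required}")
    if digest(pw) in history[-policy.history:]:
        problems.append(f"matches one of the last {policy.history} passwords")
    return problems

# Constructed sample policy, user and password history (most recent last).
POLICY = PasswordPolicy(common={"qwerty", "12345678", "password"},
                        banned_attrs={"userName", "givenName"})
USER = {"userName": "bjensen", "givenName": "Barbara"}
HISTORY = [digest(p) for p in ("Old-Pass0", "Old-Pass1", "Old-Pass2", "Old-Pass3")]
```

Note that only the last `history` entries are compared, so a password older than the configured window is accepted again, which is the behaviour the "Cannot reuse" setting describes.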