Password policy
Configure a password policy when you want a customized rule for creating valid sign-in passwords. The password policy applies to end users who sign in to your registered apps within a realm.
|
You can configure only one password policy per realm. |
By default, Identity Cloud password policy is set to the minimum security requirements established by the National Institute of Standards and Technology (NIST). Any changes you make to the password policy must conform to requirements contained in their guidelines. Refer to NIST Digital Identity Guidelines.
Configure a password policy
-
In the Identity Cloud admin UI, go to Security > Password Policy.
-
Choose the realm the password policy will apply to.
-
Edit password policy details.
Password length
When enabled, the policy requires a password with the specified minimum number of characters. No maximum.
Cannot include
Options to restrict the use of any of the following in the policy:
-
More than two consecutive characters (Example: aaaaaa)
-
Commonly-used passwords (Examples: qwerty or 12345678)
-
Values in certain user attributes. From the drop-down list, specify user attributes that cannot be used.
Must contain
When enabled, the policy requires the use of a specified 1–4 of the following:
-
Upper case letter
-
Lower case letter
-
Number
-
Space, pipe, or special character:
( ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { } ~ ) .
Cannot reuse
When enabled, the policy restricts the end user from reusing the specified number of previously set passwords.
Force password change
When enabled, the policy forcibly expires each end-user password after the specified number of days, months, or years have elapsed from when the password was set.
To handle expired passwords in an end-user journey, use theExpiredoutcome in the Identity Store Decision node.Refer to the considerations in Force end-user password changes before using this policy setting. -
-
Click Save.
Force end-user password changes
You can combine a password policy and the Identity Store Decision node to expire end-user passwords in a journey; the Force password change policy setting lets you define an expiry time interval, which is measured for each end user from when their password was last set.
If you are introducing such a policy for the first time, you may want to process your end users in batches in order to improve messaging about the changes. The following sections describe two high-level strategies to achieve this.
|
If you are considering forcing your end users to change their passwords, review the NIST Digital Identity Guidelines. In particular, NIST no longer recommends scheduled password changes; refer to Usability Considerations by Authenticator Type. The NIST guidelines are continually refined, so you should keep them in mind when setting password policy. |
Strategy 1: Target segments of end users
Adapt the end-user login journey to use dynamic groups or user properties to target a segment of end users to reset their password.
Advantage: You can segment users any way you like. For example, you may have a set of end users who could struggle with a password reset. You could add a property to each end user in the set and initially exclude end users with that property from a password reset. Then, at a later time, remove the exclusion when support is available for those end users.
Disadvantage: Creating new dynamic groups with large numbers of end users can incur a significant performance cost.
Strategy 2: Target oldest passwords first
Adapt the end-user login journey to target all end users to reset their password, but initially set a very long expiry time interval to target the oldest passwords first. Then periodically reduce the expiry time interval to eventually target all passwords.
Advantage: This strategy segments end users by the date of their last password reset. Additionally, end users with the oldest passwords are targeted first.