Hitachi ID Systems, Inc.

Password Policy Enforcement

When users select a new password with Hitachi ID Password Manager (formerly P-Synch), either through the web GUI or by changing their password natively on a system configured to trigger transparent synchronization, Password Manager applies a site-defined set of password quality rules. Users are not allowed to select passwords that violate this policy.

The policy engine supports over 50 types of rules, including an unlimited-length history, word and permutation checks against various dictionaries, and checks against the user ID and its permutations. Regular expression matching is also supported, so that a customer can define rules of its own where the built-in rules do not cover a requirement.

With the web GUI, password policy rules are displayed to the user on the screen where users are prompted to select a new password. Rule violations, if any, are detailed on the subsequent screen.

With transparent synchronization, password policy rules are generally not displayed, so that the native password change mechanism is left untouched. Password policy violations are communicated to the user through various mechanisms, including Windows pop-up messages, e-mail, and display in the user's terminal session on Unix and z/OS systems.

The complete list of password strength rules that Password Manager can enforce appears below.

A Global Policy

Password Manager is normally configured to support a single, global password policy, to ensure that every new password will be acceptable to every system. This gives users the clearest and most understandable experience. Password Manager is configured such that it will never accept, or attempt to propagate, a password that does not meet this global password policy.

For instance, in an organization that has both Windows Active Directory (AD) and z/OS passwords, where users may enter very long passwords on AD but only 8 characters on the mainframe, Password Manager can require that passwords be exactly 8 characters long. Alternatively, Password Manager can accept longer passwords but truncate them when it updates the mainframe. Users generally prefer the fixed length rule, as it is easier to understand than automatic truncation; truncation also means the mainframe password is simply the first 8 characters of the longer password, so the weaker credential reveals a prefix of the stronger one.

In general, systems enforce two types of password rules: complexity requirements, which say what a password must contain (for example, mixed case or a digit), and representational constraints, which say what a password can be at all (for example, a maximum length or a limited character set).

A global password policy is normally created by combining and strengthening the best-of-breed complexity requirements from each system affected by the policy. Password Manager then combines these with the most restrictive representational constraints. The result forces users to select strong passwords that every system can accept.

The alternative, defining a different password policy for every target system or for each group of target systems, is user-unfriendly. To update their passwords, users must select a system, choose a password, wait for the password update to complete, possibly re-authenticate, choose another system, choose a different password, and so on. Users must then remember multiple passwords and will continue to experience many password problems; users with many passwords have a strong tendency to write them down.

Support for Incompatible Policies

Normally, it is desirable to have a single, global password policy. This makes the user experience much simpler and encourages high user adoption.

In some cases, it is impossible to formulate a single, consistent password policy that works across two different systems. Typically this happens when one system requires strong security and complex passwords, while another system simply cannot support complex passwords.

Examples of weak systems include legacy applications that use very short passwords or numeric PINs, voice mail passwords, etc.

Systems with a moderate password complexity capability typically include mainframes and database servers.

Systems with a strong password complexity capability typically include Novell NetWare, Windows Active Directory, LDAP directories and modern implementations of Unix.

If some systems have mutually exclusive password complexity capabilities, they can be grouped into mutually compatible sets, and each set of systems is configured in its own Password Manager target group. Multiple Password Manager target groups can co-exist on a single Password Manager instance and do not require separate maintenance; configuring an additional target group takes only a few minutes.

Each Password Manager target group can support its own set of password policies, as well as policies regarding transparent password synchronization.

When users choose to change their passwords, they must first select a target group in the Password Manager user interface. Subsequently, appropriate policy information is displayed and enforced.

Clearly, it is preferable to formulate a single password policy for all systems whenever possible, to eliminate the proliferation of passwords and rules that Password Manager is designed to address in the first place.
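The merge rule described above (strongest complexity requirement from each system, most restrictive representational constraint overall) and the test for whether a single global policy is possible at all can be written down directly. The following Python is an added example and not Hitachi ID code; the system names, length limits and character sets are constructed for illustration and are not vendor limits. When the merged policy is contradictory, the function reports the conflicts, which is the situation in which systems have to be split into separate target groups.

```python
"""Merge per-system password constraints into one global policy.

Added example, not Hitachi ID code. The merge follows the page's
rule: take the strongest complexity requirement from each system and
the most restrictive representational constraint (length, character
set). All system names and figures below are constructed.
"""
import string
from dataclasses import dataclass

CLASSES = {
    "upper": frozenset(string.ascii_uppercase),
    "lower": frozenset(string.ascii_lowercase),
    "digit": frozenset(string.digits),
    "punct": frozenset(string.punctuation),
}
PRINTABLE = frozenset(string.ascii_letters + string.digits + string.punctuation)


@dataclass(frozen=True)
class SystemPolicy:
    name: str
    min_length: int
    max_length: int
    allowed_chars: frozenset     # representational constraint: what the system can store
    required_classes: frozenset  # complexity requirement: what a password must contain


def merge_policies(policies):
    """Return (global_policy, conflicts).

    A non-empty conflicts list means the systems have mutually exclusive
    capabilities and should be split into separate target groups.
    """
    min_len = max(p.min_length for p in policies)   # strongest minimum
    max_len = min(p.max_length for p in policies)   # most restrictive maximum
    allowed = frozenset.intersection(*(p.allowed_chars for p in policies))
    required = frozenset.union(*(p.required_classes for p in policies))
    conflicts = []
    if min_len > max_len:
        conflicts.append(f"minimum length {min_len} exceeds maximum length {max_len}")
    for cls in sorted(required):
        if not CLASSES[cls] & allowed:
            conflicts.append(f"{cls} characters are required but not accepted by every system")
    if len(required) > max_len:
        conflicts.append("more character classes required than positions available")
    return SystemPolicy("global", min_len, max_len, allowed, required), conflicts


def satisfies(policy, password):
    """True if the password meets the policy's length, charset and class rules."""
    return (
        policy.min_length <= len(password) <= policy.max_length
        and set(password) <= policy.allowed_chars
        and all(CLASSES[cls] & set(password) for cls in policy.required_classes)
    )


# Constructed sample systems (figures are illustrative, not vendor limits).
AD = SystemPolicy("Active Directory", 8, 64, PRINTABLE, frozenset({"upper", "lower", "digit"}))
ZOS = SystemPolicy("z/OS", 1, 8, frozenset(string.ascii_letters + string.digits + "@#$"), frozenset())
VOICEMAIL = SystemPolicy("voice mail PIN", 4, 6, frozenset(string.digits), frozenset())

if __name__ == "__main__":
    for systems in ([AD, ZOS], [AD, VOICEMAIL]):
        merged, conflicts = merge_policies(systems)
        names = " + ".join(s.name for s in systems)
        if conflicts:
            print(f"{names}: no global policy possible, use separate target groups: {conflicts}")
        else:
            print(f"{names}: length {merged.min_length}-{merged.max_length}, "
                  f"require {sorted(merged.required_classes)}")
```

Merging the constructed AD and z/OS policies yields the exact-8-character, mixed-case-plus-digit policy the page describes, restricted to the characters the mainframe accepts. Merging AD with a numeric voice-mail PIN produces contradictions (minimum length above the maximum, required letter classes that the PIN system cannot store), which is precisely the case for a separate target group.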

List of Rules

Following is the complete list of password strength rules that can be enforced by Password Manager. Each entry is given as rule name (type): description. A type of Req/Warn means the rule can be configured either to reject a password that violates it or only to warn the user; On/Off means the rule is simply enabled or disabled.

Password strength rules

Minimum length (Req/Warn): The smallest number of characters that a legal password can contain.
Maximum length (Req/Warn): The largest number of characters that a legal password can contain.
Require mixed case? (Req/Warn): Enable if passwords must contain both uppercase and lowercase characters.
Maximum no. of lower-case letters (Req/Warn): The largest number of lower-case letters that a legal password can contain.
Maximum no. of upper-case letters (Req/Warn): The largest number of upper-case letters that a legal password can contain.
Minimum no. of punctuation marks (Req/Warn): The smallest number of punctuation marks that a legal password can contain.
Maximum no. of punctuation marks (Req/Warn): The largest number of punctuation marks that a legal password can contain.
Minimum no. of inside punctuation marks (Req/Warn): Same as minimum punctuation marks, but not counting the first or last character of the password.
Minimum no. of letters (Req/Warn): The smallest number of letters that a legal password can contain.
Start with a letter? (Req/Warn): Enable to require all passwords to start with a letter. Useful for compatibility with some systems.
Minimum no. of digits (Req/Warn): The smallest number of digits that a legal password can contain.
Minimum no. of digits inside (Req/Warn): Same as minimum digits, but not counting the first or last character of the password.
No words from the (provided) dictionary (Req/Warn): The password, stripped of non-letter characters, may not match a word (consisting of four or more letters) from the dictionary. For example, the password word123 is not valid. The dictionary search is case-insensitive.
No exact word match from the dictionary (Req/Warn): A password may not exactly match a dictionary word consisting of four or more letters. For example, the passwords w1o2r3d and word123 are valid; the password word is not. The dictionary search is case-insensitive.
No words from dictionary contained within password (Req/Warn): A password, stripped of non-letter characters, may not contain a dictionary word. For example, the password xyzword123 is not valid. The dictionary search is case-insensitive.
No rearranged words from this dictionary (Req/Warn): A password, stripped of non-letter characters, may not be a rearrangement of a dictionary word. For example, the password w1o2r3d4xyz is valid, but the password rdow123 is not. The dictionary search is case-insensitive.
Not the user name? (Req/Warn): The user's name may not be used as the new password.
Not the user name backwards? (Req/Warn): Same as above, but with the letters of the name reversed.
Does not contain the user name? (Req/Warn): The user's name may not form part of the new password.
Does not contain the user name backwards? (Req/Warn): Same as above, but with the letters of the name reversed.
Not a rearranged user name? (Req/Warn): Same as above, but with the letters of the name rearranged in any order.
Does not match the first N characters of the user name? (Req/Warn): The new password may not contain the first N characters of the user name.
Offer the user N random passwords (Req/Warn): Display N randomly generated passwords from which the user may choose a new password value. If the rule is required, the user must use one of the values provided as their new password.
Maximum number of character pairs (Req/Warn): The maximum number of pairs of identical characters appearing consecutively in a legal password.
Require password to be approved by this plug-in (On/Off): An external program is called to verify that a password is acceptable; if the program rejects it, the password is not accepted.
Warn if the password was not approved by this plug-in (On/Off): An external program is called to check whether a password is desirable; if the program rejects it, the user is warned.
Mainframe compatible (8 chars; alpha/num or @$#) (Req/Warn): The password must be exactly 8 characters, each a letter, a digit or one of @, $ and #. Intended for mainframe compatibility.
Password rules apply to the first N characters of the password (On/Off): Apply all other rules to the password truncated to N characters, rather than to the full value typed by the user.
Record old passwords - never reuse them (password history) (Req/Warn): New passwords may not be the same as passwords that appear in the history.
Store new password hash in history on successful change/reset (Req/Warn): Enforce password history by storing hashes of old passwords in the Password Manager database. Users will not be able to reuse old passwords.
Allow old passwords after N days (Req/Warn): Relaxes the history rule so that a new password may be the same as an old one in the history if that old password is more than N days old.
Prompt users to change passwords every N days (Req/Warn): Prompt the user to change passwords every N days. This applies only to password expiry based on the last time the user changed their password with Password Manager.
Regular expressions (Req/Warn): Passwords must, or must not, match configured string patterns.
Password policy plug-ins (Req/Warn): Password quality is validated by customer-supplied plug-in program(s).
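The following Python evaluates a candidate password against a representative subset of the rules in the list above, with the Req/Warn distinction: required rules reject the password, warning rules only report. It is an added illustration and not Hitachi ID's own implementation; the rule names follow the list, but the thresholds, the sample dictionary, the user name jsmith, the per-user salt, the history entry and the test passwords are all constructed here. The "rearranged" checks are implemented as an anagram test (sorted letters compared), and the history is kept as salted PBKDF2 hashes, which is this example's choice since the page does not describe the product's storage format.

```python
"""Evaluate a password against a subset of the rules in the list above.

Added example, not Hitachi ID code. Thresholds, dictionary, user name,
salt, history and test passwords are constructed for illustration.
"""
import hashlib
import re
import string

DICTIONARY = {"word", "password", "summer", "hitachi"}        # constructed sample dictionary
PUNCT = set(string.punctuation)
MAINFRAME_CHARS = set(string.ascii_letters + string.digits + "@$#")
USERNAME = "jsmith"                                           # constructed sample user
SALT = b"constructed-per-user-salt"                           # constructed; use a random per-user salt


def letters_only(s):
    """Strip non-letter characters, lower-case the rest (the dictionary rules work on this)."""
    return "".join(c for c in s if c.isalpha()).lower()


def dict_words():
    """Dictionary words of four or more letters, the length the rules above use."""
    return {w for w in DICTIONARY if len(w) >= 4}


def contains_dict_word(pw):
    stripped = letters_only(pw)
    return any(w in stripped for w in dict_words())


def is_rearranged_dict_word(pw):
    """Anagram test: same multiset of letters as some dictionary word."""
    stripped = letters_only(pw)
    return any(sorted(stripped) == sorted(w) for w in dict_words())


def consecutive_pairs(pw):
    """Number of positions where a character repeats its predecessor."""
    return sum(1 for a, b in zip(pw, pw[1:]) if a == b)


def history_hash(pw, salt):
    """Salted, slow hash for the history store (assumption: PBKDF2; the page names no format)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()


HISTORY = {history_hash("Summer2019!", SALT)}                 # constructed: one previous password


def build_rules(username, salt, history):
    """Each rule: (name, required?, predicate that is True when the rule is satisfied)."""
    u = username.lower()
    return [
        ("Minimum length", True, lambda p: len(p) >= 8),
        ("Maximum length", True, lambda p: len(p) <= 64),
        ("Require mixed case", True, lambda p: any(c.isupper() for c in p) and any(c.islower() for c in p)),
        ("Minimum no. of digits", True, lambda p: sum(c.isdigit() for c in p) >= 1),
        ("Minimum no. of inside punctuation marks", False, lambda p: sum(c in PUNCT for c in p[1:-1]) >= 1),
        ("No words from dictionary contained within password", True, lambda p: not contains_dict_word(p)),
        ("No rearranged words from this dictionary", False, lambda p: not is_rearranged_dict_word(p)),
        ("Not the user name", True, lambda p: p.lower() != u),
        ("Does not contain the user name", True, lambda p: u not in p.lower()),
        ("Does not contain the user name backwards", True, lambda p: u[::-1] not in p.lower()),
        ("Not a rearranged user name", True, lambda p: sorted(p.lower()) != sorted(u)),
        ("Does not match the first 3 characters of the user name", False, lambda p: u[:3] not in p.lower()),
        ("Maximum number of character pairs", True, lambda p: consecutive_pairs(p) <= 1),
        ("Mainframe compatible", False, lambda p: len(p) == 8 and set(p) <= MAINFRAME_CHARS),
        ("Regular expressions", True, lambda p: not re.search(r"(19|20)\d\d", p)),  # no four-digit years
        ("Password history", True, lambda p: history_hash(p, salt) not in history),
    ]


def check_password(pw, username=USERNAME, salt=SALT, history=HISTORY):
    """Return (accepted, names of failed required rules, names of triggered warnings)."""
    failed, warned = [], []
    for name, required, ok in build_rules(username, salt, history):
        if not ok(pw):
            (failed if required else warned).append(name)
    return (not failed, failed, warned)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Summer2019!", "htimsJ#123", "Ab3$efgh"):
        accepted, failed, warned = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'}; "
              f"violations={failed}; warnings={warned}")
```

Of the four constructed candidates, Summer2019! is rejected on three required rules at once (a contained dictionary word, the year pattern, and a history match), htimsJ#123 is rejected only because it contains the user name backwards, and Ab3$efgh passes every rule including the mainframe compatibility warning. The hash comparison shows why the history rule costs nothing in confidentiality: the store holds only salted hashes, and the check is a recomputation, not a lookup of the old clear-text password.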