You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

About Password Manager Policies

EmpowerID provides password management services to enable help desk password reset, end-user self-service password change and reset, and multi-directory password synchronization for external systems such as Active Directory, LDAP, Office 365, Google, and others. In much the same manner as banking and e-commerce websites, EmpowerID provides for a secure enrollment process involving security challenge questions and a secure, anonymous reset capability in which a user answers challenge questions and then enters a new password. Each of these processes can be initiated through published links that can be placed on portal sites or other common corporate areas.

User-provided passwords are stored as non-reversible SHA-512 hashes, each computed with a unique per-user salt that is not accessible outside the system. The salt defeats precomputed (rainbow-table) lookups and keeps identical passwords from producing identical stored hashes, so an exposed hash cannot simply be looked up; the remaining risk from an exposed hash is offline guessing of weak passwords, which is why the complexity rules in the Password Policy below matter. During authentication, the hash is recomputed from the user-supplied value and the stored salt and compared to the stored hash; the password is valid only if both match. The lockout settings described under Authentication Settings limit online brute-force attempts to guess a user's password.

Password Manager Policies

At the core of the password management infrastructure is the Password Manager Policy. These policies define login restrictions, password complexity requirements, self-service password reset options, and enrollment requirements that govern a user's ability to manage their own passwords or log in to EmpowerID or any application using EmpowerID for login protection. The standard implementation of EmpowerID includes a single default Password Manager Policy that is applied to the entire enterprise. This policy has a number of settings that can be customized for an organization's environment, and new policies can be created, allowing for the assignment of multiple or different policies to users based on the organization's requirements. The Default Password Manager Policy, as well as any additional policies that are created, contain the following policy options:

Password Policy

The Password Policy specifies the requirements that must be met for a password to be valid. The settings for this aspect of the Password Manager Policy include the following:

Password Complexity Section

  • Password Uses Windows Complexity – Applies the same complexity algorithm used in Active Directory to the password policy (characters from at least three character categories, such as uppercase, lowercase, digits and non-alphanumeric characters, and no part of the user's account name or display name in the password). The default setting for the Default Password Manager Policy is True.

  • Min Length – Specifies the minimum number of characters that must be used when setting a password. The Default Password Manager Policy specifies 6 characters.

  • Max Length – Specifies the maximum number of characters that can be used when setting a password. The Default Password Manager Policy specifies 24 characters.

  • Min Digits – Specifies the minimum number of digits that must be used when setting a password. The Default Password Manager Policy specifies 0, meaning no digits are required.

  • Min Special Characters – Specifies the minimum number of special characters that must be used when setting a password. The Default Password Manager Policy specifies 0, meaning no special characters are required.

  • Maximum Pairs of Repeating Characters – Specifies the maximum number of times repeating characters, such as "aa" or "22" can be used when setting a password. The Default Password Manager Policy is set to 0, meaning no repeating characters can be used.

  • Restrict First X Characters of Login – Specifies how many of the leading characters of a user's login (user name) cannot be used when setting a password. For example, if a user's login is "pplacher" and this setting restricts the first three characters, the user cannot use the letters "p" or "l" anywhere in their password. The Default Password Manager Policy is set to 0, meaning users can use any of the letters in the login.

  • Password Require Mixed Case – Specifies whether users must use passwords with mixed upper and lower case characters.

  • Require Leading Letter – Specifies whether the password must begin with a letter. The Default Password Manager Policy is set to False.

  • Require Mainframe Compatibility – Specifies whether to enforce mainframe password format requirements (a minimum of six and a maximum of ten characters, and no special characters). The Default Password Manager Policy is set to False.

  • Password Prevent UserName Words – Specifies whether a user's user name may appear in their password. The Default Password Manager Policy prevents this.

  • Regular Expression Validator – Specifies a regular expression that a password must match to be accepted. If this field is set, the regular expression is applied in addition to all other settings in the policy. No regex is set in the Default Password Manager Policy.

  • Password Prevent Dictionary Words – Specifies whether users are restricted from using the words in the Default Blocked Words dictionary. The Default Password Manager Policy is set to True, and the default dictionary contains hello, goodbye and password.

  • PasswordDictionaryWordSetID – Specifies the specific Password Dictionary associated with the policy. This setting only appears when Password Prevent Dictionary Words is set to True.
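The following is an added example, written for this page and not EmpowerID's own validation code, of how the Password Complexity settings above combine: every rule is evaluated against a candidate password and the full list of violations is returned, with the Default Password Manager Policy values as defaults. Assumptions, marked in the code, are the simplified Active Directory complexity rule, that a repeating "pair" is counted at every position that repeats the previous character, that the Regular Expression Validator is applied with a search rather than a full match, and that blocked words and the user name are matched as case-insensitive substrings.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    # Defaults are the Default Password Manager Policy values given on this
    # page; where the page states no default, False/None is assumed.
    uses_windows_complexity: bool = True
    min_length: int = 6
    max_length: int = 24
    min_digits: int = 0
    min_special: int = 0
    max_repeating_pairs: int = 0
    restrict_first_login_chars: int = 0
    require_mixed_case: bool = False          # assumed default
    require_leading_letter: bool = False
    mainframe_compat: bool = False
    prevent_username_words: bool = True
    regex_validator: Optional[str] = None
    prevent_dictionary_words: bool = True
    blocked_words: Tuple[str, ...] = ("hello", "goodbye", "password")


def windows_complexity_errors(password: str, login: str, display_name: str = "") -> List[str]:
    """Active Directory's complexity rule, simplified (assumption: AD's fifth
    class, caseless Unicode letters, is not modelled): characters from at
    least three of upper/lower/digit/non-alphanumeric, and neither the
    account name nor any display-name token of 3+ characters may appear in
    the password, case-insensitively."""
    errors = []
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        errors.append("windows complexity: fewer than 3 character classes")
    lowered = password.lower()
    for token in [login] + re.split(r"[ ,.\-_#\t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            errors.append(f"windows complexity: contains name token '{token}'")
    return errors


def validate_password(password: str, login: str, policy: PasswordPolicy,
                      display_name: str = "") -> List[str]:
    """Return every Password Complexity violation; an empty list means valid."""
    errors: List[str] = []
    lowered = password.lower()
    if policy.mainframe_compat:
        if not 6 <= len(password) <= 10:
            errors.append("mainframe compatibility: length must be 6 to 10")
        if any(not c.isalnum() for c in password):
            errors.append("mainframe compatibility: no special characters")
    if len(password) < policy.min_length:
        errors.append(f"shorter than Min Length {policy.min_length}")
    if len(password) > policy.max_length:
        errors.append(f"longer than Max Length {policy.max_length}")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        errors.append(f"fewer than Min Digits {policy.min_digits}")
    if sum(not c.isalnum() for c in password) < policy.min_special:
        errors.append(f"fewer than Min Special Characters {policy.min_special}")
    # A pair is counted at each position that repeats the previous character,
    # so "aaa" counts as two pairs (assumed reading of the setting).
    pairs = sum(1 for a, b in zip(password, password[1:]) if a == b)
    if pairs > policy.max_repeating_pairs:
        errors.append(f"{pairs} repeating pair(s), maximum is {policy.max_repeating_pairs}")
    if policy.restrict_first_login_chars > 0:
        banned = set(login[:policy.restrict_first_login_chars].lower())
        used = sorted(banned & set(lowered))
        if used:
            errors.append(f"uses restricted login characters {used}")
    if policy.require_mixed_case and not (
            any(c.isupper() for c in password) and any(c.islower() for c in password)):
        errors.append("mixed case required")
    if policy.require_leading_letter and not password[:1].isalpha():
        errors.append("must begin with a letter")
    if policy.prevent_username_words and login and login.lower() in lowered:
        errors.append("contains the user name")
    if policy.regex_validator and not re.search(policy.regex_validator, password):
        errors.append("does not match the Regular Expression Validator")
    if policy.prevent_dictionary_words:
        errors.extend(f"contains blocked word '{w}'" for w in policy.blocked_words
                      if w.lower() in lowered)
    if policy.uses_windows_complexity:
        errors.extend(windows_complexity_errors(password, login, display_name))
    return errors


if __name__ == "__main__":
    for candidate in ("Winter2024!", "Summer2024!", "password", "pplacher1A!"):
        print(candidate, "->", validate_password(candidate, "pplacher", PasswordPolicy()) or "OK")
```

Note that under the defaults "Summer2024!" is rejected solely because of the "mm" pair: Maximum Pairs of Repeating Characters at 0 is stricter than it looks, and is worth testing against your own users' likely passwords before rolling a policy out.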

Password Change Policy Section

  • Password Prevent Change – Specifies whether users are prevented from changing their passwords. The Default Password Manager Policy is set to False, meaning users can change their passwords.

  • Password Allow Reuse After X Days – Specifies the number of days that must pass before users can reuse an old password. The Default Password Manager Policy is set to 0, meaning no day restrictions are applied.

  • Password Require Change Every X Days – Specifies a period of days a user can have a password before that password must be changed. The Default Password Manager Policy is set to 0, meaning users are not required to change their passwords.

  • Min Age to Allow Change (X Days) – Specifies the number of days that must pass after a password is set before the user can change it again. The Default Password Manager Policy is set to 0, meaning no minimum age is enforced.

  • Notify X Days Before Expires – Specifies how many days before a user's password expires EmpowerID sends the user a notification of the pending expiration. The Default Password Manager Policy setting is 14 days, meaning EmpowerID sends users an email notification 14 days before the expiration is to occur. Users must have a valid email address registered in EmpowerID in order to receive notifications.

  • ReNotify Every X Days – Specifies the interval in days at which EmpowerID re-sends password expiration notifications to users with pending expirations. The Default Password Manager Policy setting is 2 days, meaning users with pending expirations receive a further notification every two days until they change their password or it expires.
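The Password Change Policy settings interact through date arithmetic, so here is an added example (written for this page, not EmpowerID's own code) that works the rules through: when a password expires, on which days the first notice and the re-notices fall, whether Min Age to Allow Change blocks a change today, and whether a prior password may be reused, including the Bypass Min Password Age and Bypass Password History flags that the Password Reset Lockout Settings later on this page apply to forgotten-password resets. Assumptions: the reuse window is measured from the date the prior password was set, and prior passwords are compared as hashes made with the same per-user salt.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class PasswordChangePolicy:
    # Default Password Manager Policy values from this page; 0 disables a rule.
    allow_reuse_after_days: int = 0        # Password Allow Reuse After X Days
    require_change_every_days: int = 0     # Password Require Change Every X Days
    min_age_days: int = 0                  # Min Age to Allow Change (X Days)
    notify_days_before_expiry: int = 14    # Notify X Days Before Expires
    renotify_every_days: int = 2           # ReNotify Every X Days


def expiry_date(last_changed: date, policy: PasswordChangePolicy) -> Optional[date]:
    """None when the policy never forces a change."""
    if policy.require_change_every_days == 0:
        return None
    return last_changed + timedelta(days=policy.require_change_every_days)


def notification_due(last_changed: date, today: date, policy: PasswordChangePolicy) -> bool:
    """True on the first notice day (X days before expiry) and then every
    ReNotify Every X Days until the password is changed or expires."""
    expires = expiry_date(last_changed, policy)
    if expires is None or today >= expires:
        return False
    first_notice = expires - timedelta(days=policy.notify_days_before_expiry)
    if today < first_notice:
        return False
    if policy.renotify_every_days == 0:
        return today == first_notice
    return (today - first_notice).days % policy.renotify_every_days == 0


def change_allowed(last_changed: date, today: date, policy: PasswordChangePolicy,
                   is_reset: bool = False, bypass_min_age: bool = False) -> Tuple[bool, str]:
    """Min Age to Allow Change. A forgotten-password reset may skip it when the
    policy's Bypass Min Password Age setting is on."""
    if policy.min_age_days == 0 or (is_reset and bypass_min_age):
        return True, "ok"
    earliest = last_changed + timedelta(days=policy.min_age_days)
    if today < earliest:
        return False, f"password cannot be changed before {earliest.isoformat()}"
    return True, "ok"


def reuse_allowed(candidate_hash: str, history: List[Tuple[str, date]], today: date,
                  policy: PasswordChangePolicy, is_reset: bool = False,
                  bypass_history: bool = False) -> bool:
    """history holds (stored_hash, date_set) pairs for prior passwords, hashed
    with the same per-user salt so equal passwords give equal hashes (assumed).
    A prior password set less than Allow Reuse After X Days ago is rejected
    unless a reset is allowed to bypass history."""
    if policy.allow_reuse_after_days == 0 or (is_reset and bypass_history):
        return True
    cutoff = today - timedelta(days=policy.allow_reuse_after_days)
    return not any(h == candidate_hash and set_on > cutoff for h, set_on in history)


def password_status(last_changed: date, today: date, policy: PasswordChangePolicy) -> Dict[str, object]:
    """One-call summary a notification job or login handler would consult."""
    expires = expiry_date(last_changed, policy)
    return {
        "expires": expires,
        "expired": expires is not None and today >= expires,
        "notify_today": notification_due(last_changed, today, policy),
        "change_allowed": change_allowed(last_changed, today, policy)[0],
    }


if __name__ == "__main__":
    policy = PasswordChangePolicy(require_change_every_days=90, min_age_days=1,
                                  allow_reuse_after_days=365)
    set_on = date(2024, 1, 1)   # constructed sample: password last changed on 1 Jan 2024
    for day in (date(2024, 3, 16), date(2024, 3, 17), date(2024, 3, 18),
                date(2024, 3, 19), date(2024, 3, 31)):
        print(day, password_status(set_on, day, policy))
```

With a 90-day change requirement and the default 14/2 notification settings, a password set on 1 January 2024 expires on 31 March, the first notice goes out on 17 March, re-notices follow on 19, 21, ... March, and nothing is sent on or after the expiry date itself.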

Authentication Settings

The Authentication Settings specify the default home page for each user assigned to the policy, as well as the login features of the policy. The settings for this aspect of the Password Manager Policy include the following:

Login Policy Section

  • Min Login LoA if Local – Specifies the required Level of Assurance (LoA) or "MFA Trust Points" required for users logging into the web from a subnet classified as "local". If the min LoA is not met, the user will be prompted for MFA.

  • Min Login LoA if Remote – Specifies the required Level of Assurance (LoA) or "MFA Trust Points" required for users logging into the web from a subnet classified as "remote". If the min LoA is not met, the user will be prompted for MFA.

  • Min Passwordless Login LoA if Local – Specifies the required Level of Assurance (LoA) or "MFA Trust Points" required for users logging into the web using passwordless login from a subnet classified as "local". If the min LoA is not met, the user will be prompted for MFA.

  • Min Passwordless Login LoA if Remote – Specifies the required Level of Assurance (LoA) or "MFA Trust Points" required for users logging into the web using passwordless login from a subnet classified as "remote". If the min LoA is not met, the user will be prompted for MFA.

  • Default Home Page – Specifies the home page of the EmpowerID Web application to which users with the policy are directed upon successfully logging in. So for example, if you want the home page to be the Self-Service Workflows page of the IT Shop, and the full URL for accessing that page is https://<YourEmpowerIDServer>/UI/#N/ITShop/SelfService, you would enter #N/ITShop/SelfService in this field. Other examples include:

    • Find Person page – #Common/Find/Person

    • Tasks To Do – #Common/Find/TasksToDo

  • Attempts Before Lockout – Specifies the number of times a user with the policy can incorrectly attempt to log in within the Login Lockout Failure Window before being locked out.

  • Login Lockout Failure Window – Specifies the length of time in minutes (a sliding window) during which the number of login failures set in Attempts Before Lockout must occur in order to trigger a lockout.

  • Login Lockout Duration (Minutes) – Specifies the length of time in minutes a user who has been locked out for exceeding Attempts Before Lockout within the failure window must wait before they can log in again.

  • Allow Remember Registered Device – Specifies whether users with the policy can opt to have the system remember their devices when logging in.

  • Allow Remember Registered Device X Days – Specifies the number of days the system “remembers” their registered devices, after which, users must register their devices again.

  • Default FIDO2 Registration Capability – Specifies the default type of FIDO2 Web authentication for users with the password policy. Options include:

    • MFA – Users authenticate by presenting their username, password, and FIDO2 credential

    • Passwordless Login – Users authenticate by presenting their username, FIDO2 credential, and a PIN / biometric

    • Usernameless Login – Users authenticate by presenting their FIDO2 resident key credential and a PIN/biometric

One-Time Password Lockout Policy Section

  • One-Time Password Attempts Before Lockout – Specifies the number of times a user with the policy can incorrectly attempt to log in using a one-time password within the One-Time Password Login Lockout Failure Window before being locked out.

  • One-Time Password Login Lockout Failure Window – Specifies the length of time in minutes (a sliding window) during which the number of one-time password failures set in One-Time Password Attempts Before Lockout must occur in order to trigger a lockout.

  • One-Time Password Login Lockout Duration (Minutes) – Specifies the length of time in minutes a user who has been locked out for exceeding One-Time Password Attempts Before Lockout within the failure window must wait before they can log in again.

LDAP Policy

The LDAP Policy specifies the requirements for logging in using LDAP servers.

  • Allow LDAP Authentication – Allows users to authenticate to EmpowerID using the EmpowerID LDAP Virtual Directory.

  • Require 2nd Factor for LDAP – Specifies whether users logging in to the Web application through LDAP must use two factors, such as their user name and password plus a software token.

  • Enable Token if no Token Assigned – Specifies whether LDAP users without an assigned token can self-service provision one for LDAP authentication.

RADIUS Policy

The RADIUS Policy specifies the requirements for logging in using RADIUS devices.

  • Allow RADIUS Authentication – Specifies whether users with the policy can authenticate from RADIUS devices.

  • Require 2nd Factor for RADIUS – Specifies whether users logging in to the Web application from RADIUS devices must use two factors, such as their user name and password plus a software token.

  • Allow RADIUS token if no Token Assigned – Specifies whether RADIUS users without an assigned token can self-service provision one for RADIUS authentication.

Custom Login Handler Section

  • Login Handler Assembly – Specifies a .NET assembly to load that overrides the login interface methods supported by EmpowerID.

  • Login Handler Type – Specifies the fully qualified .NET type name within that assembly that overrides the login interface methods supported by EmpowerID.

Self-Service Password Reset Settings

These settings specify the requirements for enrolling in Password Self-Service Reset. Password Self-Service Reset is a feature that allows users who forget their password to reset it themselves by answering a series of challenge questions.

Password Reset Recovery Settings Section

  • Enable Multifactor Reset During Recovery – Specifies whether users in the policy must perform MFA in the anonymous self-service password reset workflow. 

  • Enable Question Answer Reset During Recovery – Specifies whether users in the policy must perform question and answer challenge in the anonymous self-service password reset workflow. 

  • Force Enrollment During Login – Specifies whether users must enroll for question and answer challenge Password Self-Service Reset during their first login. Set to true on the default policy.

Password Reset MultiFactor Settings Section

This section only appears if Enable Multifactor Reset During Recovery is enabled.

  • Min Reset LoA if Local – Specifies the required Level of Assurance (LoA) or "MFA Trust Points" required for users performing anonymous self-service password reset from a subnet classified as "local". Users will be asked to perform additional methods of MFA until the min LoA is met.

  • Min Reset LoA if Remote – Specifies the required Level of Assurance (LoA) or "MFA Trust Points" required for users performing anonymous self-service password reset from a subnet classified as "remote". Users will be asked to perform additional methods of MFA until the min LoA is met.
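The Login Policy and the Password Reset MultiFactor Settings both work the same way: the client's subnet is classified as local or remote, the matching minimum LoA is looked up, and the user is prompted for further MFA methods until their accumulated trust points reach it. The following added example, written for this page rather than taken from EmpowerID, shows that decision for both the login and the reset thresholds. The trust-point values per method, the subnet list and the method names are assumptions; the page gives none of them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Trust points per authentication method are an assumption for this example;
# the page does not state EmpowerID's values.
TRUST_POINTS: Dict[str, int] = {"password": 1, "email_otp": 1, "sms_otp": 1, "totp": 2, "fido2": 3}


@dataclass
class LoaPolicy:
    """Min ... LoA if Local / if Remote for one flow (login, passwordless
    login or anonymous reset); one instance per flow."""
    min_loa_local: int
    min_loa_remote: int
    local_subnets: Tuple[str, ...]   # CIDRs classified as "local" (assumed configuration)


def classify_subnet(client_ip: str, local_subnets: Iterable[str]) -> str:
    ip = ipaddress.ip_address(client_ip)
    return "local" if any(ip in ipaddress.ip_network(cidr) for cidr in local_subnets) else "remote"


def required_loa(policy: LoaPolicy, client_ip: str) -> int:
    if classify_subnet(client_ip, policy.local_subnets) == "local":
        return policy.min_loa_local
    return policy.min_loa_remote


def plan_mfa(policy: LoaPolicy, client_ip: str, completed: List[str],
             available: List[str]) -> Tuple[bool, int, List[str]]:
    """Return (requirement met, points reached, extra methods to prompt for).
    Completed methods earn their points up front; the user's remaining
    enrolled methods are prompted in the order given until the minimum LoA
    is met. If the enrolled methods cannot reach it, met is False and the
    caller should refuse the flow rather than lower the bar."""
    needed = required_loa(policy, client_ip)
    points = sum(TRUST_POINTS[m] for m in completed)
    prompts: List[str] = []
    for method in available:
        if points >= needed:
            break
        if method in completed:
            continue
        prompts.append(method)
        points += TRUST_POINTS[method]
    return points >= needed, points, prompts


if __name__ == "__main__":
    login = LoaPolicy(min_loa_local=1, min_loa_remote=3, local_subnets=("10.0.0.0/8", "192.168.1.0/24"))
    # constructed sample: a password login from the office and from the internet
    print("local :", plan_mfa(login, "10.4.5.6", ["password"], ["email_otp", "totp"]))
    print("remote:", plan_mfa(login, "203.0.113.9", ["password"], ["email_otp", "totp"]))
    reset = LoaPolicy(min_loa_local=2, min_loa_remote=3, local_subnets=login.local_subnets)
    # anonymous reset: nothing completed yet, so every point has to come from MFA
    print("reset :", plan_mfa(reset, "203.0.113.9", [], ["sms_otp", "totp"]))
```

The order of `available` matters: listing the strongest enrolled method first (FIDO2 before SMS) means fewer prompts and a smaller attack surface for the weaker channels.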

Password Reset Enrollment Settings

This section only appears if Enable Question Answer Reset During Recovery is enabled.

  • Number of Custom Questions Asked for Enrollment – Specifies the number of user-defined password challenge questions users need to create when enrolling for Password Self-Service Reset. The default policy requires users to provide one custom question.

  • Number of Selectable Questions Asked for Enrollment – Specifies the number of pre-defined password challenge questions users need to answer when enrolling for Password Self-Service Reset. The questions selected and the answers provided establish the pool of questions used for a particular user during the password reset process. The default policy requires users to select one question.

  • Number of Helpdesk Questions Asked for Enrollment – Specifies the number of pre-defined Help Desk questions for which users need to provide an answer when enrolling for Password Self-Service Reset. Users who forget their password and contact the Help Desk can have their passwords reset by the Help Desk if they successfully answer this question. The default policy requires users to answer one question.

  • Expire Enrollment After (Days) – Specifies the number of days to occur before the current enrollment policy expires, based on whether Enrollment Expiration Enabled is set to true. If Enrollment Expiration Enabled is set to true, the policy expires after the specified number of days and users must re-enroll for Password Self-Service Reset.

  • Number of Recovery Questions Asked for Password Reset – Specifies the number of challenge questions posed to users resetting a forgotten password. These questions help identify the anonymous user and were specified by that user when they enrolled for Password Self-Service Reset. The default policy requires users to answer three questions.

  • Number of Recovery Minimum Answers for Password Reset – Specifies the number of challenge questions that must be answered correctly before users can reset their passwords. The default policy requires two correct answers.

  • Enrollment Prevent Duplicate Answers – Specifies whether users can use the same answer for more than one password challenge question. The default setting prevents users from doing so.

  • Enrollment Prevent Question Word in Answer – Specifies whether users can use a word in the password challenge question to answer the question. The default setting prevents users from doing so.

  • Enrollment Expiration Enabled – Specifies whether an enrollment policy has an expiration. If set to true, user must re-enroll for Password Self-Service Reset when the enrollment policy expires. This option is set to false on the default policy.

Password Reset Lockout Settings Section

  • Enable Reset Center Lockout Policy – Specifies whether the lockout settings in this section are enforced against anonymous users of the password reset process. The Default Password Manager Policy is set to True.

  • Allow X Attempts Before Lockout – Specifies the number of times the current anonymous user can fail to answer their challenge questions before being locked out of the reset process. The Default Password Manager Policy setting is 5.

  • During an X Minute Window – Used in conjunction with the Allow X Attempts Before Lockout setting, this setting specifies the sliding window of time during which users who incorrectly answer their challenge questions become locked out of the reset process. The Default Password Manager Policy is set to 15 minutes.

  • Lockout Duration – Used in conjunction with the Allow X Attempts Before Lockout and During an X Minute Window settings, this setting specifies the period of time in minutes users who incorrectly answer their challenge questions remain locked out of the reset process. The Default Password Manager Policy is set to 60 minutes.

  • Bypass Min Password Age – If the policy requires passwords to be a certain age (in days) before users can change them, this setting specifies whether users who forget their password can bypass the age requirements and reset the password. This setting only has effect if the Min Age To Allow Change (X Days) setting is set to a number other than 0.

  • Bypass Password History – If the policy prevents the reuse of prior passwords, this setting specifies whether users who forget their password can bypass that restriction and reset the password to one of those prior passwords. This setting only has effect if the Password Allow Reuse After X Days setting is set to a number other than 0.
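The three lockout sections on this page (Login Policy, One-Time Password Lockout Policy and Password Reset Lockout Settings) all describe the same mechanism: X failures inside a sliding window of W minutes lock the principal out for D minutes. The following added example, written for this page and not EmpowerID's own implementation, shows that mechanism with the reset-center defaults of 5 attempts, a 15 minute window and a 60 minute lockout; the same tracker serves the login and one-time password cases with their own values. One assumption is marked in the code: the page says the lockout triggers when the allowed attempts are exceeded, so the (X+1)th failure in the window locks.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict


@dataclass
class LockoutPolicy:
    # Default Password Manager Policy values for the reset center given on
    # this page; the login and one-time password lockouts use the same shape.
    attempts_before_lockout: int = 5     # Allow X Attempts Before Lockout
    failure_window_minutes: int = 15     # During an X Minute Window
    lockout_duration_minutes: int = 60   # Lockout Duration


class LockoutTracker:
    """Sliding-window lockout keyed by a principal: the user name for login,
    the identified user (or client address) for anonymous reset."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)   # unix-time of recent failures
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, key: str, now: float) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                       # lockout duration has elapsed
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key: str, now: float) -> bool:
        """Register a failed attempt; returns True if it triggered a lockout.
        Assumed reading of the page's wording: lockout happens when the
        allowed attempts are *exceeded* within the window."""
        window = self.policy.failure_window_minutes * 60
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > window:   # drop failures outside the sliding window
            recent.popleft()
        if len(recent) > self.policy.attempts_before_lockout:
            self._locked_until[key] = now + self.policy.lockout_duration_minutes * 60
            recent.clear()
            return True
        return False

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)

    def attempt(self, key: str, now: float, verify: Callable[[], bool]) -> str:
        """Evaluate the credential only when the principal is not locked, so a
        locked account gives an attacker no oracle for further guesses.
        Returns "ok", "denied" or "locked"."""
        if self.is_locked(key, now):
            return "locked"
        if verify():
            self.record_success(key)
            return "ok"
        return "locked" if self.record_failure(key, now) else "denied"


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy())
    wrong = lambda: False
    # constructed sample: six wrong challenge answers one minute apart, then the right one
    for minute in range(6):
        print(minute, tracker.attempt("alice", minute * 60.0, wrong))
    print("correct answer during lockout:", tracker.attempt("alice", 400.0, lambda: True))
    print("correct answer after lockout :", tracker.attempt("alice", 300.0 + 3600, lambda: True))
```

Two details matter operationally. The lockout check runs before the credential or challenge answer is evaluated, so a locked principal learns nothing from further attempts. And the window is sliding: four failures that have aged past the window no longer count, which is why the window and duration have to be tuned together rather than one at a time.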
