Set Up Password Manager Policies

EmpowerID provides password management services enabling help desk password reset, end-user self-service password change and reset, and multi-directory password synchronization for external systems. These policies control the login and password self-service reset options a person receives when using EmpowerID. When EmpowerID is installed, all users discovered are assigned to the Default Password Manager Policy. You can modify this policy to meet your organization's needs or create new policies and assign those to users as desired.

In this topic, we demonstrate setting up Password Manager Policies by creating a new policy. The same principles and settings apply when editing existing password manager policies.

To set up password policies

  1. On the navbar, expand Password Management and click Password & Login Policies.

  2. Click the Add New Policy button.

     

  3. In the General tab of the Policy Details form that appears, enter a name, display name and description for the policy in the Name, Display Name and Description fields.

  4. Set any of the optional settings explained below and click Save when finished.

In the Password Complexity section, you can use the default Windows complexity, or customize to a level of complexity that is right for your organization.

  • Select Password Use Windows Complexity to apply the same complexity algorithm used in Microsoft Active Directory, ignoring all other settings in this section.

Or:

  • Enter the minimum number of characters for passwords in the Min Length field, and

  • enter the maximum number of characters for passwords in the Max Length field, and

  • optionally use any of the custom settings in the below table.

  • Min Digits: Specifies the minimum number of digits required within passwords.

  • Min Special Characters: Specifies the minimum number of special characters required within passwords.

  • Maximum Pairs of Repeating Characters: Specifies the maximum number of pairs of repeated characters (such as "aa") allowed within passwords.

  • Restrict First X Characters Of Login: Specifies the number of characters from the beginning of the user name that are not allowed within passwords (e.g. 3 forbids the use of the first three characters of the user name within passwords).

  • Password Requires Mixed Case: Enforces the use of both upper and lower case letters within passwords.

  • Require Leading Letter: Enforces the use of a letter as the first character of passwords.

  • Require Mainframe Compatibility: Enforces mainframe password format requirements (maximum 8 characters, no special characters). A policy that also sets Min Length above 8 or Min Special Characters above 0 cannot be satisfied.

  • Regular Expression Validator: Uses a regular expression to restrict and validate the characters used within passwords (the RegEx is applied in addition to any other settings specified).

  • Password Prevent Username Words: Forbids the use of the user name in any part of passwords.

  • Password Prevent Dictionary Words: Forbids the use of words contained in the selected dictionary within passwords.

  • Dictionary Word Set: Selects the dictionary of words that are forbidden within passwords when Password Prevent Dictionary Words is enabled.



In the Password Change Policy section, you can control whether and how often users must change passwords. You can accept the default behavior, or customize it with the settings in the table below.

  • Password Prevent Change: Prevents users from changing their passwords.

  • Password Allow Reuse After X Days: The number of days that must pass before users can reuse a password from their password history.

  • Password Allow Reuse After X Changes: The number of password changes that must occur before users can reuse a password from their password history.

  • Password Require Change Every X Days: The number of days after which users are required to change their password.

  • Min Age to Allow Change (X Days): The number of days users must wait after a change before they are allowed to change their password again.

  • Notify X Days Before Expires: The number of days before password expiration at which to send an email notification to users (users must have an email address registered in EmpowerID).

  • ReNotify Every X Days: The interval in days at which to send follow-up email reminders (reminders end when the user changes the password or the expiration date passes).

  • Password Expiration Notification: The permanent workflow that sends these email alerts; it must be enabled for the notification settings above to take effect.

In order for users to receive email alerts of pending password expiration, you must enable the Password Expiration Notification permanent workflow.
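As an added example, not EmpowerID's code, the following Python models how the change-policy settings above interact for one user's password history: the history holds separately salted hashes rather than plaintext, reuse is refused unless both the day threshold and the change-count threshold are met (an assumption of the example), and only the notification schedule is modelled, since in EmpowerID the Password Expiration Notification workflow performs the sending. The policy values, dates and passwords are constructed.

```python
"""Password change, reuse and expiry-notification rules modelled on the settings above.
Added example, not EmpowerID's own code; thresholds and sample data are constructed."""
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ChangePolicy:
    prevent_change: bool = False
    allow_reuse_after_days: int = 0       # 0 = no time-based reuse restriction
    allow_reuse_after_changes: int = 0    # 0 = no count-based reuse restriction
    require_change_every_days: int = 0    # 0 = passwords never expire
    min_age_days: int = 0
    notify_days_before_expiry: int = 0    # 0 = no expiry email
    renotify_every_days: int = 0          # 0 = a single notification only


@dataclass(frozen=True)
class HistoryEntry:
    changed_at: datetime
    salt: bytes
    digest: bytes


def _digest(password: str, salt: bytes) -> bytes:
    # A history must never hold plaintext; each entry is a separately salted hash
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def make_entry(password: str, changed_at: datetime) -> HistoryEntry:
    salt = os.urandom(16)
    return HistoryEntry(changed_at, salt, _digest(password, salt))


def change_check(new_password: str, history: list[HistoryEntry], now: datetime,
                 policy: ChangePolicy) -> str | None:
    """Return None if the change is allowed, else the name of the setting that blocks it.
    history is ordered oldest to newest; the last entry is the current password."""
    if policy.prevent_change:
        return "prevent_change"
    if history and now - history[-1].changed_at < timedelta(days=policy.min_age_days):
        return "min_age_days"
    # Newest first, so changes_since counts the changes made after that password was set
    for changes_since, entry in enumerate(reversed(history)):
        if _digest(new_password, entry.salt) != entry.digest:
            continue
        days_since = (now - entry.changed_at).days
        # Assumption: when both thresholds are set, both must be satisfied before reuse
        if days_since < policy.allow_reuse_after_days or changes_since < policy.allow_reuse_after_changes:
            return "password_reuse"
    return None


def expires_at(history: list[HistoryEntry], policy: ChangePolicy) -> datetime | None:
    if not history or policy.require_change_every_days == 0:
        return None
    return history[-1].changed_at + timedelta(days=policy.require_change_every_days)


def notification_due(history: list[HistoryEntry], now: datetime,
                     last_notified: datetime | None, policy: ChangePolicy) -> bool:
    """Whether an expiry email should be sent now. Only the schedule is modelled here;
    in EmpowerID the Password Expiration Notification workflow does the sending."""
    expiry = expires_at(history, policy)
    if expiry is None or policy.notify_days_before_expiry == 0:
        return False
    if now >= expiry or now < expiry - timedelta(days=policy.notify_days_before_expiry):
        return False                      # already expired, or before the warning window opens
    if last_notified is None:
        return True                       # first warning
    if policy.renotify_every_days == 0:
        return False                      # reminders disabled
    return now - last_notified >= timedelta(days=policy.renotify_every_days)


# Constructed sample data: three passwords set 30 days apart, the last one current
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
HISTORY = [make_entry(pw, T0 + timedelta(days=30 * i))
           for i, pw in enumerate(["Winter-2023-a", "Spring-2023-b", "Autumn-2023-c"])]
SAMPLE_POLICY = ChangePolicy(allow_reuse_after_days=365, allow_reuse_after_changes=5,
                             require_change_every_days=90, min_age_days=1,
                             notify_days_before_expiry=14, renotify_every_days=3)


def at_day(days: int, hours: int = 0) -> datetime:
    """Timestamp relative to the constructed start date, for the demo and its checks."""
    return T0 + timedelta(days=days, hours=hours)


if __name__ == "__main__":
    print("new password:", change_check("Brand-new-9x", HISTORY, at_day(70), SAMPLE_POLICY))
    print("reuse oldest:", change_check("Winter-2023-a", HISTORY, at_day(70), SAMPLE_POLICY))
    print("expires:", expires_at(HISTORY, SAMPLE_POLICY))
    print("warn at day 140:", notification_due(HISTORY, at_day(140), None, SAMPLE_POLICY))
```

The walk over the history newest-first is what makes Password Allow Reuse After X Changes cheap to evaluate: the index of the matching entry is exactly the number of changes since that password was in use.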

 

On the Authentication Settings tab, you can accept the default settings for your Login Policy or customize them with the settings in the below table.

  • Min Login LoA if Local: Sets the minimum level of assurance, as a number of MFA points*, required for users logging in from within your local network.

  • Min Login LoA if Remote: Sets the minimum number of MFA points* required for users logging in from outside your local network.

  • Min Passwordless Login LoA if Local: Sets the minimum number of MFA points* required for passwordless login from within your network.

  • Min Passwordless Login LoA if Remote: Sets the minimum number of MFA points* required for passwordless login from outside your network.

  • Default Home Page**: Sets the relative path to the page of the EmpowerID web application that users see after they log in, that is, the portion of the page's URL that begins with the # symbol (for https://<EmpowerIDServer>/UI/#N/ITShop/SelfService, enter #N/ITShop/SelfService).

  • Attempts Before Lockout: The number of failed login attempts within the Login Lockout Failure Window after which a user is locked out.

  • Login Lockout Failure Window: The number of minutes over which failed login attempts are counted toward the Attempts Before Lockout threshold.

  • Login Lockout Duration (Minutes): The number of minutes during which a locked-out user cannot log in once the Attempts Before Lockout number is exceeded within the Login Lockout Failure Window.

  • Allow Remembered Registered Device: Specifies whether EmpowerID remembers the devices that users register when completing multi-factor authentication.

  • Allow Remember Registered Device X Days: Sets the number of days for which registered devices are remembered when Allow Remembered Registered Device is selected.



*MFA points are multi-factor authentication points. Points start at 0 and can be incremented as needed. When the value is greater than 0, users must accumulate the required number of points before access is granted.

**If you leave the Default Home Page field blank, the home page defaults to the user's personal dashboard. You can also set the default home page directly on a person. Home pages set directly on a person take precedence over home page settings on Password Manager policies. For more information, see Setting Home Pages.



The One Time Password lockout settings limit how many incorrect one-time passwords a user can enter before being locked out.

  • One Time Password Attempts Before Lockout: Specifies the number of incorrect one-time password entries within the One Time Password Attempts Window after which a user is locked out.

  • One Time Password Attempts Window (Minutes): Specifies the number of minutes over which incorrect one-time password entries are counted toward the One Time Password Attempts Before Lockout threshold.

  • One Time Password Lockout Duration (Minutes): Specifies the number of minutes during which a locked-out user cannot log in once the One Time Password Attempts Before Lockout number is exceeded within the One Time Password Attempts Window.
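The three login lockout fields on the Authentication Settings tab (Attempts Before Lockout, Login Lockout Failure Window, Login Lockout Duration) and their One Time Password counterparts above have the same shape, so one added example, Python that is not EmpowerID's code, serves both. It keeps a sliding window of failure timestamps and replays constructed attempt sequences under constructed policy values. Its assumptions are that the lock starts on the failure that reaches the threshold, that attempts made during a lock are refused and not counted, and that a successful login clears the failure history.

```python
"""Sliding-window lockout evaluation for Attempts Before Lockout, Lockout Failure Window and
Lockout Duration; the same logic serves the One Time Password variants.
Added example, not EmpowerID's own code; policies and attempt sequences are constructed."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LockoutPolicy:
    attempts_before_lockout: int
    failure_window_minutes: int
    lockout_duration_minutes: int


class LockoutTracker:
    """Failure history for one account under one policy.
    Assumptions: the lockout begins on the failure that brings the count inside the window
    up to attempts_before_lockout; attempts while locked are refused and not counted;
    a success clears the failure history."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._failures: deque[datetime] = deque()
        self.locked_until: datetime | None = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def _prune(self, now: datetime) -> None:
        window = timedelta(minutes=self.policy.failure_window_minutes)
        while self._failures and now - self._failures[0] > window:
            self._failures.popleft()        # failures older than the window no longer count

    def record(self, now: datetime, success: bool) -> str:
        """Apply one attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(now):
            return "locked"
        if success:
            self._failures.clear()
            return "ok"
        self._prune(now)
        self._failures.append(now)
        if len(self._failures) >= self.policy.attempts_before_lockout:
            self.locked_until = now + timedelta(minutes=self.policy.lockout_duration_minutes)
            self._failures.clear()
            return "locked"
        return "failed"


def replay(policy: LockoutPolicy, events: list[tuple[int, bool]], t0: datetime) -> list[str]:
    """Run (minute offset, success) events through a fresh tracker and return the outcomes."""
    tracker = LockoutTracker(policy)
    return [tracker.record(t0 + timedelta(minutes=m), ok) for m, ok in events]


# Constructed policies and attempt sequences (not real settings or logs)
LOGIN_POLICY = LockoutPolicy(attempts_before_lockout=5, failure_window_minutes=15,
                             lockout_duration_minutes=30)
OTP_POLICY = LockoutPolicy(attempts_before_lockout=3, failure_window_minutes=5,
                           lockout_duration_minutes=10)
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
# Four early failures age out of the 15-minute window; five fresh ones trigger the lock,
# which also refuses the correct password at minute 30 until the 30-minute duration ends.
LOGIN_EVENTS = [(0, False), (1, False), (2, False), (3, False), (20, False), (21, False),
                (22, False), (23, False), (24, False), (30, True), (55, True)]
# Three wrong OTPs lock immediately; the lock expires at minute 12 and counting restarts.
OTP_EVENTS = [(0, False), (1, False), (2, False), (5, False), (12, False)]

if __name__ == "__main__":
    print("login:", replay(LOGIN_POLICY, LOGIN_EVENTS, T0))
    print("otp:  ", replay(OTP_POLICY, OTP_EVENTS, T0))
```

The login replay shows why the failure window matters: the four failures at minutes 0 to 3 never combine with the later ones, so a slow guessing campaign that stays under the window never locks, while a burst does. A one-time password is a short code with a small value space, which is why the constructed OTP policy is tighter on all three fields than the password policy.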



If you use the EmpowerID Virtual Directory server, the following settings control LDAP logins through it.

  • Allow LDAP Authentication: Allows users to authenticate to EmpowerID over LDAP through the Virtual Directory.

  • Require 2nd Factor for LDAP: Requires Virtual Directory users to perform multi-factor authentication (users must have an OATH token).

  • Enable Login if no Token Assigned: Allows Virtual Directory users who have not yet been assigned an OATH token to log in, which exempts those users from the Require 2nd Factor for LDAP requirement until a token is assigned.


