About Password Manager Policies
The Password Manager Policy lies at the heart of the password management infrastructure, governing login restrictions, password complexity requirements, self-service password reset options, and user enrollment for managing passwords in EmpowerID or any application using EmpowerID for login protection. While a single default Password Manager Policy is included in the standard implementation of EmpowerID, organizations can create and assign multiple policies tailored to their specific needs.
Password Policy
The Password Policy sets the rules for valid passwords, including:
Password Complexity Section
Password Uses Windows Complexity: Applies Active Directory's complexity algorithm to the password policy (default: True).
Min Length: Minimum number of characters for passwords (default: 6).
Max Length: Maximum number of characters for passwords (default: 24).
Min Digits: Minimum number of digits required (default: none).
Min Special Characters: Minimum number of special characters required (default: none).
Maximum Pairs of Repeating Characters: Limits repeating characters (e.g., "aa" or "22") in passwords (default: 0, no repeats allowed).
Restrict First X Characters of Login: Restricts the use of the first X characters of a user's login in their password (default: 0, no restriction).
Password Require Mixed Case: Requires mixed upper and lower case characters in passwords.
Require Leading Letter: Requires passwords to begin with a letter (default: False).
Require Mainframe Compatibility: Enforces mainframe password format requirements (min. 6, max. 10 characters, no special character) (default: False).
Password Prevent UserName Words: Restricts the use of user names in passwords (default: True).
Regular Expression Validator: Specifies a regular expression for validating password character usage, applied in addition to other settings (default: none).
Password Prevent Dictionary Words: Restricts the use of words from the Default Blocked Words dictionary in passwords (default: True).
PasswordDictionaryWordSetID: Specifies the Password Dictionary associated with the policy, only visible when "Password Prevent Dictionary Words" is set to True.
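As an added illustration (not EmpowerID's own code), the checker below applies the Password Complexity settings listed above to a candidate password. It assumes Windows complexity can be approximated as "three of four character classes", that "username words" are the login's alphanumeric tokens of three or more characters, that Restrict First X Characters of Login means the password may not contain that prefix, and it uses a constructed stand-in for the Default Blocked Words dictionary.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the Default Blocked Words dictionary (not EmpowerID's own list).
BLOCKED_WORDS = {"password", "welcome", "qwerty"}

@dataclass
class PasswordPolicy:
    """Complexity settings listed above; defaults follow the page where it states one."""
    use_windows_complexity: bool = True
    min_length: int = 6
    max_length: int = 24
    min_digits: int = 0
    min_special: int = 0
    max_repeating_pairs: int = 0
    restrict_first_login_chars: int = 0
    require_mixed_case: bool = False
    require_leading_letter: bool = False
    require_mainframe_compat: bool = False
    prevent_username_words: bool = True
    regex_validator: str = ""  # empty string means no regular-expression check
    prevent_dictionary_words: bool = True

def validate(pw: str, login: str, p: PasswordPolicy) -> list:
    """Return the name of every violated rule; an empty list means the password passes."""
    low, n = pw.lower(), p.restrict_first_login_chars
    lo, hi = p.min_length, p.max_length
    if p.require_mainframe_compat:  # mainframe format: 6-10 characters, no specials
        lo, hi = max(lo, 6), min(hi, 10)
    specials = sum(not c.isalnum() for c in pw)
    # Assumption: Windows (AD) complexity approximated as three of four character classes.
    kinds = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    classes = sum(any(f(c) for c in pw) for f in kinds)
    # Assumption: "username words" are the login's alphanumeric tokens of 3+ characters.
    words = [w for w in re.split(r"[^a-z0-9]+", login.lower()) if len(w) >= 3]
    rules = [  # (rule satisfied?, rule name)
        (lo <= len(pw) <= hi, f"length {lo}-{hi}"),
        (not p.use_windows_complexity or classes >= 3, "windows complexity"),
        (sum(c.isdigit() for c in pw) >= p.min_digits, "min digits"),
        (specials >= p.min_special, "min special characters"),
        (not (p.require_mainframe_compat and specials), "mainframe: no special characters"),
        (sum(a == b for a, b in zip(pw, pw[1:])) <= p.max_repeating_pairs, "repeating pairs"),
        (not n or login[:n].lower() not in low, "first characters of login"),
        (not p.require_mixed_case or (low != pw and pw.upper() != pw), "mixed case"),
        (not p.require_leading_letter or pw[:1].isalpha(), "leading letter"),
        (not p.prevent_username_words or not any(w in low for w in words), "username word"),
        (not p.regex_validator or re.fullmatch(p.regex_validator, pw) is not None, "regex validator"),
        (not p.prevent_dictionary_words or not any(w in low for w in BLOCKED_WORDS), "dictionary word"),
    ]
    return [name for ok, name in rules if not ok]
```

Returning every failed rule rather than the first one lets a self-service page tell the user exactly which requirements a rejected password missed.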
Password Change Policy Section
Password Prevent Change: Specifies whether users are to be prevented from changing their passwords. The Default Password Policy is set to False, meaning users can change passwords.
Password Allow Reuse After X Days: Specifies the number of days that must pass before users can reuse an old password. The Default Password Manager Policy is set to 0, meaning no day restrictions are applied.
Password Require Change Every X Days: Specifies a period of days a user can have a password before that password must be changed. The Default Password Manager Policy is set to 0, meaning users are not required to change their passwords.
Min Age to Allow Change (X Days): Specifies the number of days that must pass before users can change their passwords. The Default Password Manager Policy is set to 0.
Notify X Days Before Expires: Specifies the number of days before a user's password expires at which EmpowerID sends the user a notification of the pending expiration. The Default Password Manager Policy setting is 14 days, meaning EmpowerID will send users an email notification of a pending expiration 14 days before the expiration is to occur. Users must have a valid email registered in EmpowerID in order to receive notifications.
ReNotify Every X Days: Specifies the number of days that should occur before EmpowerID sends additional password expiration notifications to users with pending password expirations. The Default Password Manager Policy setting is 2 days, meaning users with pending expirations will receive additional notification every two days until either they reset their password or it expires.
Authentication Settings
The Authentication Settings specify the default home page for each user assigned to the policy, as well as the login features of the policy. The settings for this aspect of the Password Manager Policy include the following:
Login Policy Section
Min Login LoA if Local: Specifies the Level of Assurance (LoA), or "MFA Trust Points", required for users logging into the web from a subnet classified as "local." If the min LoA is not met, the user will be prompted for MFA.
Min Login LoA if Remote: Specifies the Level of Assurance (LoA), or "MFA Trust Points", required for users logging into the web from a subnet classified as "remote." If the min LoA is not met, the user will be prompted for MFA.
Min Passwordless Login LoA if Local: Specifies the Level of Assurance (LoA), or "MFA Trust Points", required for users logging into the web using passwordless login from a subnet classified as "local." If the min LoA is not met, the user will be prompted for MFA.
Min Passwordless Login LoA if Remote: Specifies the Level of Assurance (LoA), or "MFA Trust Points", required for users logging into the web using passwordless login from a subnet classified as "remote." If the min LoA is not met, the user will be prompted for MFA.
Default Home Page: Specifies the home page of the EmpowerID Web application to which users with the policy are directed upon successfully logging in. For example, if you want the home page to be the Self-Service Workflows page of the IT Shop, and the full URL for accessing that page is https://<YourEmpowerIDServer>/UI/#N/ITShop/SelfService, you would enter #N/ITShop/SelfService in this field. Other examples include:
Find Person page: #Common/Find/Person
Tasks To Do: #Common/Find/TasksToDo
Attempts Before Lockout: Specifies the number of times a user with the policy can incorrectly attempt to log in within the period of time set for the Login Lockout Failure Window setting.
Login Lockout Failure Window: Specifies the length of time in minutes a user who has become locked out due to submitting an incorrect password must wait before they can log in.
Login Lockout Duration (Minutes): Specifies the length of time in minutes (sliding window) during which the number of login failures must occur in order to trigger a lockout. If the value specified for Login Lockout After X Failures is exceeded within the sliding window, locked-out users are prevented from logging in for the number of minutes specified here.
Allow Remember Registered Device: Specifies whether users with the policy can opt to have the system remember their devices when logging in.
Allow Remember Registered Device X Days: Specifies the number of days the system remembers users' registered devices, after which users must register their devices again.
Default FIDO2 Registration Capability: Specifies the default type of FIDO2 Web authentication for users with the password policy. Options include:
MFA: Users authenticate by presenting their username, password, and FIDO2 credential
Passwordless Login: Users authenticate by presenting their username, FIDO2 credential, and a PIN / biometric
Usernameless Login: Users authenticate by presenting their FIDO2 resident key credential and a PIN/biometric
One-Time Password Lockout Policy Section
One-Time Password Attempts Before Lockout: Specifies the number of times a user with the policy can incorrectly attempt to log in using a one-time password within the period of time set for the One-Time Password Login Lockout Failure Window setting.
One-Time Password Login Lockout Failure Window: Specifies the length of time in minutes a user who has become locked out due to submitting an incorrect one-time password must wait before they can log in.
One-Time Password Login Lockout Duration (Minutes): Specifies the length of time in minutes (sliding window) during which the number of login failures when using a one-time password must occur in order to trigger a lockout. If the value specified for One-Time Login Lockout After X Failures is exceeded within the sliding window, locked-out users are prevented from logging in for the number of minutes specified here.
LDAP Policy
The LDAP Policy specifies the requirements for logging in using LDAP servers.
Allow LDAP Authentication: Allows users to authenticate to EmpowerID using the EmpowerID LDAP Virtual Directory.
Require 2nd Factor for LDAP: Specifies whether users logging in to the Web application through LDAP must use two factors, such as their user name and password plus a software token.
Enable Token if no Token Assigned: Specifies whether LDAP users without an assigned token can self-service provision one for LDAP authentication.
RADIUS Policy
The RADIUS Policy specifies the requirements for logging in using RADIUS devices.
Allow RADIUS Authentication: Specifies whether users with the policy can authenticate from RADIUS devices.
Require 2nd Factor for RADIUS: Specifies whether users logging in to the Web application from RADIUS devices must use two factors, such as their user name and password plus a software token.
Allow RADIUS token if no Token Assigned: Specifies whether RADIUS users without an assigned token can self-service provision one for RADIUS authentication.
Custom Login Handler Section
Login Handler Assembly: Specifies a .NET assembly to load that overrides the interface methods supported by EmpowerID.
Login Handler Type: Specifies a fully qualified .NET type name to load that overrides the interface methods supported by EmpowerID.
Self-Service Password Reset Settings
These settings specify the requirements for enrolling in Password Self-Service Reset. Password Self-Service Reset is a feature that allows users who forget their password to reset it themselves by answering a series of challenge questions.
Password Reset Recovery Settings Section
Enable Multifactor Reset During Recovery: Specifies whether users in the policy must perform MFA in the anonymous self-service password reset workflow.
Enable Question Answer Reset During Recovery: Specifies whether users in the policy must perform question and answer challenges in the anonymous self-service password reset workflow.
Force Enrollment During Login: Specifies whether users must enroll for question and answer challenge Password Self-Service Reset during their first login. Set to true on the default policy.
Password Reset MultiFactor Settings Section
This section only appears if Enable Multifactor Reset During Recovery is enabled.
Min Reset LoA if Local: Specifies the required Level of Assurance (LoA) or "MFA Trust Points" required for users performing anonymous self-service password reset from a subnet classified as "local". Users will be asked to perform additional methods of MFA until the min LoA is met.
Min Reset LoA if Remote: Specifies the required Level of Assurance (LoA) or "MFA Trust Points" required for users performing anonymous self-service password reset from a subnet classified as "remote". Users will be asked to perform additional methods of MFA until the min LoA is met.
Password Reset Enrollment Settings
This section only appears if Enable Question Answer Reset During Recovery is enabled.
Number of Custom Questions Asked for Enrollment: Specifies the number of user-defined password challenge questions users need to create when enrolling for Password Self-Service Reset. The default policy requires users to provide one custom question.
Number of Selectable Questions Asked for Enrollment: Specifies the number of pre-defined password challenge questions users need to answer when enrolling for Password Self-Service Reset. The questions selected and the answers provided establish the pool of questions used for a particular user during the password reset process. The default policy requires users to select one question.
Number of Helpdesk Questions Asked for Enrollment: Specifies the number of pre-defined Help Desk questions for which users need to provide an answer when enrolling for Password Self-Service Reset. Users who forget their password and contact the Help Desk can have their passwords reset by the Help Desk if they successfully answer this question. The default policy requires users to answer one question.
Expire Enrollment After (Days): Specifies the number of days after which the current enrollment expires, provided Enrollment Expiration Enabled is set to true. In that case the enrollment expires after the specified number of days and users must re-enroll for Password Self-Service Reset.
Number of Recovery Questions Asked for Password Reset: Specifies the number of challenge questions posed to users resetting a forgotten password. These questions help identify the anonymous user and were specified by that user when they enrolled for Password Self-Service Reset. The default policy requires users to answer three questions.
Number of Recovery Minimum Answers for Password Reset: Specifies the number of challenge questions that must be answered correctly before users can reset their passwords. The default policy requires two correct answers.
Enrollment Prevent Duplicate Answers: Specifies whether users can use the same answer for more than one password challenge question. The default setting prevents users from doing so.
Enrollment Prevent Question Word in Answer: Specifies whether users can use a word in the password challenge question to answer the question. The default setting prevents users from doing so.
Enrollment Expiration Enabled: Specifies whether an enrollment policy has an expiration. If set to true, users must re-enroll for Password Self-Service Reset when the enrollment policy expires. This option is set to false on the default policy.
Password Reset Lockout Settings Section
Enable Reset Center Lockout Policy: Specifies whether anonymous users must abide by the settings applied to the Password Enrollment features of the policy to reset their passwords. The Default Password Manager Policy is set to True.
Allow X Attempts Before Lockout: Specifies the number of times the current anonymous user can fail to answer their challenge questions before being locked out of the reset process. The Default Password Manager Policy setting is 5.
During an X Minute Window: Used in conjunction with the Allow X Attempts Before Lockout setting, this setting specifies the sliding window of time during which users who incorrectly answer their challenge questions become locked out of the reset process. The Default Password Manager Policy is set to 15 minutes.
Lockout Duration: Used in conjunction with the Allow X Attempts Before Lockout and During an X Minute Window settings, this setting specifies the period of time in minutes users who incorrectly answer their challenge questions remain locked out of the reset process. The Default Password Manager Policy is set to 60 minutes.
Bypass Min Password Age: If the policy requires passwords to be a certain age (in days) before users can change them, this setting specifies whether users who forget their password can bypass the age requirements and reset the password. This setting only has effect if the Min Age To Allow Change (X Days) setting is set to a number other than 0.
Bypass Password History: If the policy disallows the use of a certain number of prior passwords during password reset, this setting specifies whether users who forget their password can bypass the requirement and reset the password with one of those prior passwords. This setting only has an effect if the Password Allow Reuse After X Days setting is set to a number other than 0.
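The login lockout, one-time password lockout, and reset-center lockout settings above all share one shape: X failures inside a sliding window of W minutes trigger a lockout of D minutes. The simulation below (an added example, not EmpowerID's code) models that mechanism with the Password Reset Lockout defaults; it assumes minute-granularity timestamps and reads "exceeded" as the (X+1)th failure inside the window triggering the lockout.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LockoutPolicy:
    """The three settings; defaults are the Password Reset Lockout defaults stated above."""
    attempts_before_lockout: int = 5    # failures tolerated inside the window
    failure_window_minutes: int = 15    # sliding window the failures must fall in
    lockout_duration_minutes: int = 60  # how long a triggered lockout lasts

@dataclass
class LockoutState:
    failures: deque = field(default_factory=deque)  # minute timestamps of recent failures
    locked_until: Optional[float] = None

def is_locked(state: LockoutState, now: float) -> bool:
    return state.locked_until is not None and now < state.locked_until

def record_attempt(state: LockoutState, policy: LockoutPolicy, now: float, success: bool) -> str:
    """Apply one attempt made at minute `now` and return its outcome."""
    if is_locked(state, now):
        return "locked"          # refused outright; the credential is not even evaluated
    # Slide the window: forget failures older than the failure window.
    while state.failures and now - state.failures[0] >= policy.failure_window_minutes:
        state.failures.popleft()
    if success:
        state.failures.clear()   # a good attempt resets the counter
        return "ok"
    state.failures.append(now)
    # Interpretation of "exceeded": the (X+1)th failure inside the window triggers the lockout.
    if len(state.failures) > policy.attempts_before_lockout:
        state.locked_until = now + policy.lockout_duration_minutes
        state.failures.clear()
        return "locked_out"
    return "failed"

def simulate(events, policy: LockoutPolicy = LockoutPolicy()) -> list:
    """Run (minute, success) events for one account and return the outcome of each."""
    state = LockoutState()
    return [record_attempt(state, policy, t, ok) for t, ok in events]

# Constructed sample: five bad reset attempts in ten minutes are tolerated, the sixth locks the
# account for 60 minutes, and a correct attempt during the lockout is still refused.
SAMPLE = [(0, False), (2, False), (4, False), (6, False), (8, False), (10, False), (30, True), (71, True)]
```

Because the window slides, an attacker pacing failures just slower than W/X per minute never trips the lockout, which is why the window and attempt count should be tuned together rather than in isolation.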
For an example of working with these settings, see Setting Up Password Manager Policies.