Set Up Password Manager Policies
- Phillip Hanegan
Password policies play a critical role in maintaining secure access to an organization's sensitive data. By implementing custom password policies, organizations can enforce password complexity requirements, expiration rules, and other criteria that protect user accounts from unauthorized access. EmpowerID allows you to create and manage custom password policies that cater to your organization's unique security needs.
By default, EmpowerID assigns users discovered during inventory to the Default Password Manager Policy. You can modify this policy to meet your organization's needs or create new policies and assign those to users as desired.
In this topic, we demonstrate setting up Password Manager Policies by creating a new policy. The principles and settings discussed can be applied to existing password manager policies.
Set up password policies
On the navbar, expand Password Management and click Password & Login Policies.
Click the Add New Policy button.
Â
In the General tab of the Policy Details form that appears, enter a name and description for the policy in the Name, Display Name, and Description fields.Â
Set any of the optional settings explained below and click Save when finished.
General Settings - Password Complexity Settings
In the Password Complexity section, you can use the default Windows complexity or customize it to a level of complexity that is right for your organization.
Select Password Use Windows Complexity to apply the same complexity algorithm used in Microsoft Active Directory, ignoring all other settings in this section.
OR:Enter the minimum number of characters for passwords in the Min Length field, and
enter the maximum number of characters for passwords in the Max Length field, and
optionally use any of the custom settings in the below table.
Setting | Description |
|---|---|
Min Digits | Specifies the minimum number of digits required within passwords |
Min Special Characters | Specifies the minimum number of special characters required within passwords |
Maximum Pairs of Repeating Characters | Specifies the maximum number of repeating characters allowed within passwords |
Restrict First X Characters Of Login | Specifies the number of characters from the beginning of the user name that are not allowed within passwords |
Password Requires Mixed Case | Enforces the use of upper and lower case letters within passwords |
Require Leading Letter | Enforces the use of a letter as the first character within passwords |
Require Mainframe Compatibility | Enforces mainframe password format requirements (max 8 characters, no special characters) |
Regular Expression Validator | Uses a regular expression to constrict and validate the use of characters within passwords |
Password Prevent Username Words | Forbids the use of the user name in any part of passwords |
Password Prevent Dictionary Words | Forbids the use of words contained in the selected dictionary within passwords  |
Dictionary Word Set | Allows you to select the dictionary of words that are forbidden within passwords EmpowerID includes two Dictionary Word Sets, each with its own collection of blocked words. You can customize these by adding new words to them or create your own as needed. For information on how to create and configure a Dictionary Word Set, see Configure Dictionary Words for Password Policies. |
General Settings - Password Change Policy Settings
In the Password Change Policy section, you can control whether and how often users must change passwords. You can accept the default behavior, or customize it with the settings in the table below.
Setting | Description |
|---|---|
Password Prevent Change | prevents users from changing their passwords |
Password Allow Reuse After X Days | Specifies the number of days that must pass before users can reuse passwords from their password history |
Password Allow Reuse After X Changes | Specifies the number of password changes that must occur before users can reuse passwords from their password history |
Password Require Change Every X Days | Specifies the number of days after which users are required to change their password |
Min Age to Allow Change (X Days) | Specifies the number of days users must wait before they are allowed to change their password |
Notify X Days Before Expires | Specifies the number of days prior to password expiration to send email notifications to users |
ReNotify Every X Days | Specifies the number of days after which to send email reminders to users |
Password Expiration Notification | Specifies whether to enable this workflow to allow EmpowerID to send these email alerts |
In order for users to receive email alerts of pending password notifications, you must enable the Password Expiration Notification permanent workflow.
Authentication Settings - Login Policy Settings
On the Authentication Settings tab, you can accept the default settings for your Login Policy or customize them with the settings in the below table.
Setting | Description |
|---|---|
Min Login LoA if Local | Sets the minimum number of MFA points* required for users within your local network |
Min Login LoA if Remote | Sets the minimum number of MFA points* required for users outside of your local network |
Min Passwordless Login LoA if Local | Sets the minimum number of MFA points required for users using passwordless login from within your network |
Min Passwordless Login LoA if Remote | Sets the minimum number of MFA points required for users using passwordless login from outside your network |
Default Home Page | Sets the relative path to the page of the EmpowerID Web application that users see after they login |
Attempts Before Lockout | Specifies the number of times a user can log in incorrectly before being locked out |
Login Lockout Failure Window | Specifies the number of minutes during which a user's failed attempts to log in may result in a lockout |
Login Lockout Duration (Minutes) | Specifies the number of minutes during which a locked-out user cannot log in |
Allow Remembered Registered Device | Specifies whether to remember the devices that users register when using that MFA method |
Allow Remember Registered Device X Days | Sets the number of days to remember registered devices when Allow Remembered Registered Device X Days is seleted |
Authentication Settings - One-Time Password Lock-Out Policy Settings
You can customize your one-time password lock policy settings here.
Setting | Description |
|---|---|
One Time Password Attempts Before Lockout | Specifies the number of times a user can log in incorrectly before being locked out |
One Time Password Attempts Window (Minutes) | Specifies the number of minutes during which a user's failed attempts to log in may result in a lockout |
One Time Password Lockout Duration (Minutes) | Specifies the number of minutes during which a locked-out user cannot log in |
Authentication Settings - LDAP Policy Settings
For those using the EmpowerID Virtual Directory server, you can specify settings here.
Setting | Description |
|---|---|
Allow LDAP Authentication | Allows users in the Virtual Directory to authenticate to EmpowerID |
Require 2nd Factor for LDAP | Requires Virtual Directory users to perform multi-factor authentication |
Enable Login if no Token Assigned | Allows Virtual Directory users who have yet to receive an OATH token to log in |
Authentication Settings - RADIUS Policy Settings
For those using the EmpowerID RADIUS service, you can specify settings here.
Setting | Description |
|---|---|
Allow RADIUS Authentication | Allows RADIUS users to authenticate to EmpowerID |
Require 2nd Factor for RADIUS | Requires RADIUS users to perform multi-factor authentication |
Enable RADIUS Login if no Token Assigned | Allow RADIUS users who have yet to receive an OATH token to log in |
Authentication Settings - Custom Login Handler
For those who have created a custom login handler, you can specify it here.
Setting | Description |
|---|---|
Login Handler Assembly | Specifies the custom assembly containing your login handler |
Login Handler Type | Specifies the type of the login handler |
Self-Service Password Reset Settings - Password Reset Recovery Settings
Password Manager offers a flexible workflow-based process that allows users to reset forgotten passwords and unlock their locked accounts once they have enrolled in the Password Recovery Center and supplied answers to a select number of self-identifying questions as dictated by your Password Manager policy. Depending on how you set up your Password Manager policies, you can force new users to enroll for password self-service at their initial login or allow them to make that decision themselves.
Settings | Description |
|---|---|
Enable Multifactor Reset During Recovery | Specifies whether users must go through MFA when resetting forgotten passwords. If enabled, you need to set the minimum number of LoA (level of assurance) points local and remote users must accumulate in order to reset their passwords. |
Enable Question Answer Reset During Recovery | Specifies whether users must answer their personal challenge questions when resetting forgotten passwords. If enabled, you need to configure Password Reset Enrollment Settings. |
Force Enrollment During Login | Specifies whether users must enroll for password self-service reset during their first login |
Self-Service Passsword Reset - Password Reset Multifactor Settings
If you enable multifactor reset during recovery, use these settings.
Setting | Description |
|---|---|
Min Reset LoA if Local | Specifies the minimum number of LoA points users within your network must accumulate before they can reset forgotten passwords. |
Min Reset LoA if Remote | Specifies the minimum number of LoA points users outside of your network must accumulate before they can reset forgotten passwords. |
Self-Service Password Reset - Password Reset Enrollments Settings
If you enable question and answer reset during recovery, use these settings.
Setting | Description |
|---|---|
Number of Custom Questions Asked for Enrollment | Specifies the number of Password Challenge questions that users must create and answer during enrollment to identify themselves for self-service reset |
Number of Selectable Questions Asked for Enrollment | Specifies the number of predefined questions that users must answer during enrollment to establish the pool of questions to use for self-service reset |
Number of Help Desk Questions Asked for Enrollment | Specifies the number of predefined Helpdesk questions that users must answer during enrollment that the Help Desk can use to verify the user for reset |
Expire Enrollment After (Days) | Specifies the number of days that an enrollment remains valid before users are forced to re-enroll for password self-service reset |
Number of Recovery Questions Asked for Password Reset | Specifies the number of password recovery questions to ask users who cannot remember their passwords |
Number of Recovery Minimum Answers for Password Reset | Specifies the minimum number of password challenge questions users must answer correctly before they can set a password |
Enrollment Prevent Duplicate Answers | Restricts users from re-using the same answer in response to multiple challenge questions |
Enrollment Prevent Question Word in Answer | Restricts users from re-using any of the question words in their answer to the question |
Enrollment Expiration Enabled | Forces users to re-enroll for password self-service reset after the number of days specified in Expire Enrollment After (Days) |
Self-Service Password Reset Settings - Password Reset Lockout Settings
Use these settings for configuring lockout policy for password self-service reset.
Setting | Description |
|---|---|
Enable Reset Center Lockout Policy | Locks anonymous users out of the Password Reset Center in accordance with the settings applied to the fields of this section |
Allow X Attempts Before Lockout | Specifies the number of times users can incorrectly answer their password challenge questions before being locked out of the recovery center |
During an X Minute Window | Specifies the number of minutes in a sliding window during which the number of incorrect challenge question answers occur before lockout |
Lockout Duration | Specifies the number of minutes that locked-out users must wait before they can use the Recovery Center again |
Bypass Min Password Age | Allows users who forget their password to bypass the password age requirements specified in Min Age To Allow Change (X Days)Â |
Bypass Password History | Allows users who forget their password to bypass the password history requirements specified in Password Allow Reuse After X Days |
User Agreements
User Agreements are set on the View page for Password Manager Policies. To navigate to a Password Manager Policy's View page, search for that policy on the Password & Login Policies page (accessible at https://<YourEmpowerIDServer>/ui/#Common/Find/PasswordManagerPolicy) and click the Display Name link for it.Â
On the View page for the Password Manager Policy, expand the User Agreements accordion.
Click the Add New button and enter the following information:
Name – The name of the user agreement to store in the database.
Display Name – The friendly name of the user agreement to display in the grid.
Usage Agreement Text (HTML) – Text of the Usage Agreement. The text needs to be entered in HTML format.
Description – Description of the Usage Agreement.
Priority (Lower is Higher) – Sets the priority of the Usage Agreement if the policy has more than one. The agreement with the highest priority is shown first, and then the one with the next highest priority, and so on.
Version – Version number.
Click Save when finished.
When a person to whom the policy applies logs in for the first time after the user agreement is in place, they must agree to the content of the user agreement before they can access the site.
Â