
Password Policy Enforcement - Hitachi ID Password Manager

Password Strength Rules

Following is the complete list of password strength rules that can be enforced by Hitachi ID Password Manager:

Password strength rules

Each rule has a type. A Req/Warn rule can be configured either as a hard requirement (a password that violates it is rejected) or as a warning only (the user is advised but may proceed). An On/Off rule is simply enabled or disabled.

Minimum length (Req/Warn)
    The smallest number of characters that a legal password can contain.

Maximum length (Req/Warn)
    The largest number of characters that a legal password can contain.

Require mixed case? (Req/Warn)
    Enable if passwords must contain both uppercase and lowercase characters.

Maximum no. of lower-case letters (Req/Warn)
    The largest number of lower-case letters that a legal password can contain.

Maximum no. of upper-case letters (Req/Warn)
    The largest number of upper-case letters that a legal password can contain.

Minimum no. of punctuation marks (Req/Warn)
    The smallest number of punctuation marks that a legal password can contain.

Maximum no. of punctuation marks (Req/Warn)
    The largest number of punctuation marks that a legal password can contain.

Minimum no. of inside punctuation marks (Req/Warn)
    Same as minimum punctuation marks, but not counting the first or last character of the password.

Minimum no. of letters (Req/Warn)
    The smallest number of letters that a legal password can contain.

Start with a letter? (Req/Warn)
    Enable to require all passwords to start with a letter. Useful for compatibility with some systems.

Minimum no. of digits (Req/Warn)
    The smallest number of digits that a legal password can contain.

Minimum no. of digits inside (Req/Warn)
    Same as minimum digits, but not counting the first or last character of the password.

No words from the (provided) dictionary (Req/Warn)
    The password, stripped of non-letter characters, may not match a dictionary word of four or more letters. The comparison is case-insensitive.

No exact word match from the dictionary (Req/Warn)
    The password may not exactly match a dictionary word of four or more letters. The comparison is case-insensitive.

No words from dictionary contained within password (Req/Warn)
    The password, stripped of non-letter characters, may not contain a dictionary word. The comparison is case-insensitive.

No rearranged words from this dictionary (Req/Warn)
    The password, stripped of non-letter characters, may not be a dictionary word with its letters rearranged. The comparison is case-insensitive.

Not the user name? (Req/Warn)
    The user's name may not be used as the new password.

Not the user name backwards? (Req/Warn)
    The new password may not be the user name with its letters reversed.

Does not contain the user name? (Req/Warn)
    The user's name may not form part of the new password.

Does not contain the user name backwards? (Req/Warn)
    The user name with its letters reversed may not form part of the new password.

Not a rearranged user name? (Req/Warn)
    The new password may not be the user name with its letters rearranged in any order.

Does not match the first N characters of the user name? (Req/Warn)
    The new password may not contain the first N characters of the user name.

Offer the user N random passwords (Req/Warn)
    Display N randomly selected passwords as suggestions; if the rule is set to Required, the user must choose one of them.

Maximum number of character pairs (Req/Warn)
    The largest number of pairs of identical consecutive characters that a legal password can contain.

Require password to be approved by this plug-in (On/Off)
    An external program is called to verify that the password is acceptable; if the program rejects it, the change is refused.

Warn if the password was not approved by this plug-in (On/Off)
    An external program is called to judge whether the password is desirable; if the program objects, the user is warned but the change is not blocked.

Mainframe compatible (8 chars; alpha/num or @$#) (Req/Warn)
    Limits passwords to at most 8 characters drawn from letters, digits and the characters @, $ and #, for compatibility with mainframe systems.

Password rules apply to the first N characters of the password (On/Off)
    Apply all other rules to the password truncated to the first N characters the user typed.

Record old passwords - never reuse them (password history) (Req/Warn)
    New passwords may not be the same as any password recorded in the history file.

Store new password hash in history on successful change/reset (Req/Warn)
    Enforce password history by storing a hash of each new password on a successful change or reset, so that users cannot reuse old passwords.

Allow old passwords after N days (Req/Warn)
    When enforcing no-reuse of passwords, disregard history entries older than N days.

Prompt users to change passwords every N days (Req/Warn)
    Prompt the user to change passwords every N days, counted from the most recent Password Manager password change. Typically done by e-mail; see the notification configuration.

Regular expressions (Req/Warn)
    Passwords must match, or must not match, the configured regular expression patterns.

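The table above is a specification, not code. As an added illustration, not Password Manager's own code, the Python below shows how a checker would apply a representative subset of these rules to a candidate password and keep the Req/Warn distinction: every rule is evaluated, and the violated ones are split into hard failures and warnings according to the policy. The dictionary, the rule names and the Policy fields are this example's own assumptions, not the product's configuration keys.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from string import punctuation
from typing import Optional

# Constructed sample word list. The product ships its own dictionary; this
# stand-in exists only so the example runs offline (assumption).
DICTIONARY = {"password", "summer", "welcome", "secret", "hitachi"}


@dataclass
class Policy:
    """A subset of the rules in the table above. Field names are this
    example's own (assumption), not the product's configuration keys."""
    min_length: int = 8
    max_length: int = 64
    require_mixed_case: bool = True
    min_punct: int = 1
    min_inside_punct: int = 1
    min_digits: int = 1
    min_inside_digits: int = 1
    max_char_pairs: int = 1
    username_prefix_n: int = 3
    mainframe_compatible: bool = False
    truncate_to: Optional[int] = None            # "rules apply to the first N characters"
    regex_deny: list = field(default_factory=list)   # patterns a password may NOT match
    warn_only: set = field(default_factory=set)      # rules demoted from Req to Warn


def letters_only(s: str) -> str:
    """Strip non-letter characters and lower-case, as the dictionary rules do."""
    return "".join(c for c in s if c.isalpha()).lower()


def check_password(pw: str, username: str, policy: Policy, dictionary=DICTIONARY):
    """Return (required_failures, warnings): names of the rules the candidate
    violates, split by whether the policy treats each rule as Req or Warn."""
    if policy.truncate_to:
        pw = pw[:policy.truncate_to]
    failed = []

    def rule(name, ok):
        if not ok:
            failed.append(name)

    inside = pw[1:-1]                       # everything but the first and last character
    stripped = letters_only(pw)
    words4 = {w.lower() for w in dictionary if len(w) >= 4}
    words = {w.lower() for w in dictionary}
    uname = username.lower()
    pw_lower = pw.lower()

    rule("min_length", len(pw) >= policy.min_length)
    rule("max_length", len(pw) <= policy.max_length)
    rule("mixed_case", not policy.require_mixed_case or
         (any(c.islower() for c in pw) and any(c.isupper() for c in pw)))
    rule("min_punct", sum(c in punctuation for c in pw) >= policy.min_punct)
    rule("min_inside_punct", sum(c in punctuation for c in inside) >= policy.min_inside_punct)
    rule("min_digits", sum(c.isdigit() for c in pw) >= policy.min_digits)
    rule("min_inside_digits", sum(c.isdigit() for c in inside) >= policy.min_inside_digits)
    rule("max_char_pairs", sum(a == b for a, b in zip(pw, pw[1:])) <= policy.max_char_pairs)
    if policy.mainframe_compatible:         # 8 chars; alpha/num or @$#
        rule("mainframe_compatible",
             len(pw) <= 8 and all(c.isalnum() or c in "@$#" for c in pw))

    # Dictionary rules (case-insensitive; the first two apply to words of 4+ letters)
    rule("dict_stripped_match", stripped not in words4)
    rule("dict_exact_match", pw_lower not in words4)
    rule("dict_contained", not any(w in stripped for w in words))
    rule("dict_rearranged", not any(Counter(stripped) == Counter(w) for w in words))

    # User-name rules
    rule("not_username", pw_lower != uname)
    rule("not_username_reversed", pw_lower != uname[::-1])
    rule("not_contains_username", uname not in pw_lower)
    rule("not_contains_username_reversed", uname[::-1] not in pw_lower)
    rule("not_rearranged_username", Counter(pw_lower) != Counter(uname))
    rule("username_prefix", uname[:policy.username_prefix_n] not in pw_lower)

    # Regular expressions the password may NOT match
    for pat in policy.regex_deny:
        rule("regex:" + pat, re.search(pat, pw) is None)

    required = [r for r in failed if r not in policy.warn_only]
    warnings = [r for r in failed if r in policy.warn_only]
    return required, warnings


if __name__ == "__main__":
    policy = Policy(regex_deny=[r"\d{4}"], warn_only={"min_inside_punct"})
    for candidate in ["Wint3r!Blue9z", "Password1!", "Jsmith#2024x"]:
        print(candidate, check_password(candidate, "jsmith", policy))
```

Two design points worth noting: the "inside" rules deliberately ignore the first and last character because users overwhelmingly put their one digit or symbol at an end, and the dictionary rules run on the letters-only form so that "P@ssw0rd"-style substitutions do not evade them.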

Unlimited Password History

In Password Manager, password history is "infinite" by default: unless reuse is specifically allowed, users can never reuse a previous password. Where reuse is allowed, eligibility is based on a time interval (the age of the old password) rather than on the number of intervening password changes. Password history is stored as one-way, non-reversible hashes (SHA-1 with a 64-bit random salt), so a candidate password can be checked against the history but old passwords cannot be recovered from it.
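As an added example, not the product's own code, the following Python implements the history mechanism just described: each entry is a random 64-bit salt followed by the SHA-1 digest of salt and password, a candidate is tested by re-hashing it with each stored salt and comparing in constant time, and reuse is permitted only for entries older than a configured number of days (or never, the "infinite" default). The class and method names are this example's assumptions.

```python
import hashlib
import hmac
import os

SALT_BYTES = 8          # 64-bit random salt per entry, as described above
DAY = 86400             # seconds


def history_entry(password: str, salt: bytes = None) -> bytes:
    """Return salt || SHA-1(salt || password). Nothing in the entry lets the
    password be recovered; it can only be compared by re-hashing a candidate
    with the same salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return salt + digest


class PasswordHistory:
    """Hypothetical in-memory history store (name is this example's own).
    reuse_after_days=None gives the default 'infinite' history; a number
    makes entries older than that many days eligible for reuse."""

    def __init__(self, reuse_after_days=None):
        self.reuse_after_days = reuse_after_days
        self.entries = []           # (change_time_seconds, salt||digest)

    def record(self, password: str, now: float) -> None:
        """Store the hash of a password on a successful change or reset."""
        self.entries.append((now, history_entry(password)))

    def is_reused(self, candidate: str, now: float) -> bool:
        """True if the candidate matches a history entry still inside the window."""
        for changed_at, entry in self.entries:
            if (self.reuse_after_days is not None
                    and now - changed_at >= self.reuse_after_days * DAY):
                continue                      # old enough to be disregarded
            salt = entry[:SALT_BYTES]
            if hmac.compare_digest(history_entry(candidate, salt), entry):
                return True
        return False


if __name__ == "__main__":
    h = PasswordHistory(reuse_after_days=365)
    h.record("OldPass!1a", now=0)
    print(h.is_reused("OldPass!1a", now=100 * DAY), h.is_reused("OldPass!1a", now=400 * DAY))
```

The salt defeats precomputed tables and hides which users share a password, but a single salted SHA-1 is cheap to compute, so a leaked history file is still exposed to offline guessing; the history store needs the same access protection as the credential store it protects.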

Password Aging / Expiration

To enforce password expiration, and to get users to trigger web-based password synchronization, Password Manager can be configured to detect upcoming password expiration either on individual systems (for example Windows, Active Directory or LDAP directories) or based on the last time a user changed their passwords through Password Manager, and to remind users to change their passwords in the Password Manager web UI.

Password expiration is normally configured so that users change their passwords through the Password Manager web portal on a shorter expiry interval than the native password expiry on any connected system. Password Manager then prompts users before any other system does, so users are never confronted with an expired-password prompt from another system or application.

Early notification of upcoming password expiration is a viable alternative to transparent password synchronization, especially where it is impossible to trigger synchronization from the primary login system that users use most often.

Users can be notified of upcoming password expiration by e-mail. Alternatively, a small client program can be run at user login time; it checks whether the user logging in is on the list of "soon to expire" users and, if so, opens the user's default web browser to a URL that asks them to change their passwords.

The same program can make the password change mandatory by opening a kiosk-mode web browser on the password change portal and requiring the user to change their passwords before the browser can be closed and the desktop reached.
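An added example, not Password Manager's own code, of the scheduling logic described above: the Password Manager change interval is set shorter than the tightest native maximum password age, and the "soon to expire" list that e-mail notification or the login-time client would consult is built from each user's earliest deadline, whether that comes from the last Password Manager change or from a native password age on one system. The system names, maximum ages, users and dates are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample data (assumption): native maximum password age per system.
NATIVE_MAX_AGE_DAYS = {"AD": 90, "LDAP": 60}
SAMPLE_TODAY = date(2024, 6, 1)


def pm_interval_days(native_max_age_days: dict, lead_days: int) -> int:
    """Password Manager's own change interval: shorter than the tightest native
    expiry by lead_days, so its reminder always comes before any system's own."""
    return min(native_max_age_days.values()) - lead_days


def soon_to_expire(users: dict, today: date, interval_days: int, notify_days: int,
                   native_max_age_days: dict = NATIVE_MAX_AGE_DAYS) -> dict:
    """For each user take the earliest of: last Password Manager change plus the
    Password Manager interval, and each system's last change plus that system's
    native maximum age. Return {user: (days_left, source)} for users whose
    earliest deadline is within notify_days; a login-time client would open the
    change portal for exactly these users."""
    due = {}
    for name, info in users.items():
        deadlines = {"Password Manager": info["pm_last_change"] + timedelta(days=interval_days)}
        for system, changed in info["systems"].items():
            deadlines[system] = changed + timedelta(days=native_max_age_days[system])
        source = min(deadlines, key=deadlines.get)
        days_left = (deadlines[source] - today).days
        if days_left <= notify_days:
            due[name] = (days_left, source)
    return due


# Constructed sample users (assumption). carol changed her LDAP password outside
# Password Manager, so her LDAP expiry comes before her Password Manager deadline.
USERS = {
    "alice": {"pm_last_change": date(2024, 4, 20),
              "systems": {"AD": date(2024, 4, 20), "LDAP": date(2024, 4, 20)}},
    "bob":   {"pm_last_change": date(2024, 5, 25),
              "systems": {"AD": date(2024, 5, 25), "LDAP": date(2024, 5, 25)}},
    "carol": {"pm_last_change": date(2024, 5, 25),
              "systems": {"AD": date(2024, 5, 25), "LDAP": date(2024, 4, 5)}},
}

if __name__ == "__main__":
    interval = pm_interval_days(NATIVE_MAX_AGE_DAYS, lead_days=7)
    print(interval, soon_to_expire(USERS, SAMPLE_TODAY, interval, notify_days=14))
```

The per-system deadlines matter because a password changed natively on one system (carol's LDAP entry here) is out of step with the Password Manager schedule; without that check, that system would prompt her first, which is exactly what the configuration is meant to avoid.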