Password policy enforcement with Hitachi ID Password Manager

Password Strength Rules

Following is the complete list of password strength rules that can be enforced by Hitachi ID Password Manager (formerly P-Synch):

Password strength rules

Rule name | Type | Description
--- | --- | ---
Minimum length | Req/Warn | The smallest number of characters that a legal password can contain.
Maximum length | Req/Warn | The largest number of characters that a legal password can contain.
Require mixed case? | Req/Warn | Enable if passwords should contain both uppercase and lowercase characters.
Maximum no. of lower-case letters | Req/Warn | The largest number of lower-case letters that a legal password can contain.
Maximum no. of upper-case letters | Req/Warn | The largest number of upper-case letters that a legal password can contain.
Minimum no. of punctuation marks | Req/Warn | The smallest number of punctuation marks that a legal password can contain.
Maximum no. of punctuation marks | Req/Warn | The largest number of punctuation marks that a legal password can contain.
Minimum no. of inside punctuation marks | Req/Warn | Same as minimum punctuation marks, but not counting the first or last character of the password.
Minimum no. of letters | Req/Warn | The smallest number of letters that a password can contain.
Start with a letter? | Req/Warn | Enable to require all passwords to start with a letter. Useful for compatibility with some systems.
Minimum no. of digits | Req/Warn | The smallest number of digits that a legal password can contain.
Minimum no. of digits inside | Req/Warn | Same as minimum digits, but not counting the first or last character of the password.
No words from the (provided) dictionary | Req/Warn | The password, stripped of non-letter characters, may not match a word (consisting of four or more letters) from the dictionary. This is case-insensitive.
No exact word match from the dictionary | Req/Warn | A password may not exactly match a dictionary word consisting of four or more letters. This is case-insensitive.
No words from dictionary contained within password | Req/Warn | A password, stripped of non-letter characters, may not contain a dictionary word. This is case-insensitive.
No rearranged words from this dictionary | Req/Warn | A password, stripped of non-letter characters, may not be a dictionary word with the letters rearranged. This is case-insensitive.
Not the user name? | Req/Warn | The user's name may not be used as the new password.
Not the user name backwards? | Req/Warn | Same as above, but with the letters in the name reversed.
Does not contain the user name? | Req/Warn | The user's name may not form part of the new password.
Does not contain the user name backwards? | Req/Warn | Same as above, but with the letters in the name reversed.
Not a rearranged user name? | Req/Warn | Same as above, but with the letters in the name rearranged in any way.
Does not match the first N characters of the user name? | Req/Warn | The new password may not contain the specified number of characters that begin the user name.
Offer the user N random passwords | Req/Warn | Display N randomly selected passwords, either as suggestions or, if required, as the set from which the user must choose.
Maximum number of character pairs | Req/Warn | The maximum number of pairs of the same character appearing consecutively in new, legal password values.
Require password to be approved by this plug-in | On/Off | An external program is called to verify that a password is acceptable.
Warn if the password was not approved by this plug-in | On/Off | An external program is called to check whether a password is desirable; a negative result produces a warning.
Mainframe compatible (8 chars; alpha/num or @$#) | Req/Warn | Intended for mainframe compatibility.
Password rules apply to the first N characters of the password | On/Off | Apply all other rules to a truncated version of the password typed by the user.
Record old passwords - never reuse them (password history) | Req/Warn | New passwords may not be the same as passwords that appear in a history file.
Store new password hash in history on successful change/reset | Req/Warn | Enforce password history by storing hashes of old passwords. Users will not be able to reuse old passwords.
Allow old passwords after N days | Req/Warn | When enforcing no-reuse of passwords, disregard passwords older than N days.
Prompt users to change passwords every N days | Req/Warn | Prompt the user to change passwords every N days, based on the most recent Password Manager password change. Typically via e-mail -- see notification configuration.
Regular expressions | Req/Warn | Passwords must match, or must not match, the configured string patterns.
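The following is an added example, not Password Manager's own code, showing how a subset of the rules in the table above combine into a single checker: the rule semantics follow the table, while the function names, thresholds, the four-letter dictionary filter applied to the "contained within" rule, and the sample dictionary are assumptions of this example.

```python
# Constructed sample dictionary; a real deployment would load the provided word list.
DICTIONARY = {"password", "welcome", "summer", "secret", "admin"}

def letters_only(s: str) -> str:
    """Strip non-letter characters; the dictionary rules compare this form, case-insensitively."""
    return "".join(c for c in s if c.isalpha()).lower()

def consecutive_pairs(pw: str) -> int:
    """Count pairs of the same character appearing consecutively, e.g. 'mm' or '11'."""
    return sum(1 for a, b in zip(pw, pw[1:]) if a == b)

def check_password(pw: str, username: str, *, min_len: int = 8, max_len: int = 64,
                   min_digits_inside: int = 1, max_pairs: int = 1,
                   first_n: int = 3) -> list[str]:
    """Return the names of every violated rule; an empty list means the password passes."""
    v = []
    if len(pw) < min_len:
        v.append("Minimum length")
    if len(pw) > max_len:
        v.append("Maximum length")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        v.append("Require mixed case")
    # "Inside" rules do not count the first or last character of the password.
    if sum(c.isdigit() for c in pw[1:-1]) < min_digits_inside:
        v.append("Minimum no. of digits inside")
    if consecutive_pairs(pw) > max_pairs:
        v.append("Maximum number of character pairs")
    stripped = letters_only(pw)
    words = {w.lower() for w in DICTIONARY if len(w) >= 4}  # four-letter minimum per the table
    if stripped in words:
        v.append("No words from the dictionary")
    if any(w in stripped for w in words):
        v.append("No words from dictionary contained within password")
    if any(sorted(w) == sorted(stripped) for w in words):
        v.append("No rearranged words from this dictionary")
    # User-name rules: a case-insensitive comparison is assumed here.
    u, low = username.lower(), pw.lower()
    if low == u:
        v.append("Not the user name")
    if low == u[::-1]:
        v.append("Not the user name backwards")
    if u in low:
        v.append("Does not contain the user name")
    if u[::-1] in low:
        v.append("Does not contain the user name backwards")
    if sorted(low) == sorted(u):
        v.append("Not a rearranged user name")
    if u[:first_n] in low:
        v.append("Does not match the first N characters of the user name")
    return v
```

Note that one weak choice can trip several rules at once: a password that is exactly a dictionary word also fails the "contained within" and "rearranged" checks.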

Unlimited Password History

In Password Manager, password history is "infinite" by default. Unless specifically allowed, users are prevented from reusing passwords at all. Where password reuse is allowed, it is based on a time interval, rather than the number of intervening password changes. Password history is stored in a one-way, non-reversible hash (SHA-1 plus 64-bit random salt).

Password Aging / Expiration

To enforce password expiration and to get users to trigger web-based password synchronization, Password Manager is configured to detect upcoming password expiration on individual systems (e.g., Windows or NetWare servers, LDAP directories) and to prompt users to change all of their passwords at once with the Password Manager web GUI, rather than one system at a time with native password change screens.

Typically password expiration is configured so that users change their passwords with the Password Manager web portal on a shorter schedule than any other application or system password. This way, users are never prompted to change passwords by anything other than either the Password Manager web portal or systems that automatically trigger Password Manager transparent password synchronization.

Early notification of upcoming password expiration is a viable alternative to transparent password synchronization, especially in cases where it is impossible to trigger synchronization from the primary login system that users most often use.

Users can be notified of upcoming password expiration by e-mail. Alternatively, a small client program can be added to global network login scripts; it checks whether the user currently logging in is on the list of "soon to expire" users and, if so, opens the user's default web browser to a URL that asks the user to change their passwords with the Password Manager web portal.

Users can be forced to change their passwords when they sign into the network, by opening a kiosk-mode web browser to the password change web portal and requiring the user to change passwords before they can close this browser.

The timing of password expiration can be calculated based on the most recent password change a user made through Password Manager or natively.