When users select a new password with Hitachi ID Bravura Pass, either through its web portal or by changing their password natively on a system that has been configured to trigger transparent password synchronization, Bravura Pass applies a site-defined set of password quality rules. Users are not allowed to select passwords that violate this policy.
The policy mechanism supports over 50 types of rules, including an unlimited-length history, word and permutation checks against various dictionaries, and checks against the user ID and its permutations. Regular expression matching is also supported, so that a Hitachi ID Systems customer can define its own rules where the built-in ones do not cover a requirement.
When using the Bravura Pass web portal, password policy rules are displayed to the user on the screen where users are prompted to select a new password. Rule violations, if any, are detailed on the subsequent screen.
On most systems where transparent password synchronization is configured, there is no way for Bravura Pass to display either the password composition rules or an informative message explaining why a given password was rejected. This is a limitation of the native OS or application mechanism that Bravura Pass uses to intercept password changes, not of Bravura Pass itself. The reason for a rejection can still be communicated, but only through a side channel such as e-mail or SMS.
A Global Policy
Bravura Pass is normally configured to enforce a uniform password policy across all systems, so that any new password is acceptable to every integrated system. This gives users the clearest and most understandable experience. Bravura Pass is configured so that it never accepts or propagates a password that does not meet this global password policy.
For instance, in an organization that has both Windows Active Directory (AD) and z/OS passwords, where users may enter very long passwords on AD but only 8 characters on the mainframe, Bravura Pass can require that passwords be exactly 8 characters long. Alternatively, Bravura Pass can accept longer passwords but truncate them when it updates the mainframe. Users generally prefer a fixed length, as it is easier to understand, and truncation has a security cost worth noting: the mainframe then holds only the first 8 characters, so the secret protecting that account is no stronger than an 8-character password regardless of what the user typed.
Every system enforces two kinds of password rules:
- Complexity requirements, which ensure that users do not select easily guessed passwords. Example rules are: disallowing any permutation of the user's login ID, password history, requiring mixed letters and digits, and forbidding dictionary words.
- Character set and length limits on what can be physically stored in the password field of a given system.
A global password policy is normally built by combining and strengthening the best-of-breed complexity requirements from each system covered by the policy, together with the most restrictive storage constraints across those systems. The result forces users to select passwords that are strong and storable on every system.
The alternative, defining a different password policy for every target system or group of target systems, is less user friendly. To update their passwords, users must select a system, choose a password, wait for the update to complete, select another system, choose and enter a different password, and so on. Users must then remember multiple passwords and continue to experience password problems; users with many passwords are known to have a strong tendency to write them down.
Support for Incompatible Policies
Normally, it is desirable to have a single, global password policy. This makes the user experience much simpler and encourages high user adoption.
In some cases, it is impossible to formulate a single, consistent password policy that works across two different systems. Typically this happens when one system requires strong security and complex passwords, while another system simply cannot store complex passwords.
Examples of weak systems include legacy applications that use very short passwords or numeric PINs, voice mail systems, etc.
Systems with a moderate password complexity capability typically include mainframes and database servers.
Systems with a strong password complexity capability typically include Active Directory, LDAP directories and modern implementations of Unix.
If some systems have mutually incompatible password capabilities, they can be grouped into mutually compatible sets, and each set of systems is configured as its own Bravura Pass target group. Multiple Bravura Pass target groups can co-exist on a single Bravura Pass instance and do not require separate maintenance; configuring one takes only a few minutes.
Each Bravura Pass target group can support its own set of password policies, as well as its own policies regarding transparent password synchronization.
When users choose to change their passwords, they must first select a target group in the Bravura Pass user interface. The policy information for that group is then displayed and enforced.
Clearly, it is preferable to formulate a single password policy for all systems whenever possible, since every additional target group reintroduces some of the password proliferation that Bravura Pass is designed to eliminate in the first place.
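The following is an added example, not Bravura Pass code, showing in Python how the global-policy construction described above works: per-system storage limits (length and character set) are merged into their most restrictive combination, complexity rules (login ID permutations, dictionary words, mixed letters and digits, a custom regular expression, and password history) are layered on top, and an incompatible system such as a numeric voice mail PIN makes the merge fail, which is the case that calls for a separate target group. The system limits, dictionary words, sample passwords, the set of login ID "permutations" checked, and the use of plain SHA-256 for the history list are all constructed assumptions for illustration; the product's own rule definitions are not on this page.

```python
# Added example (not Bravura Pass code): a global password policy assembled from
# per-system storage constraints plus complexity rules. All systems, rule sets,
# sample passwords and dictionary words below are constructed for illustration.
import hashlib
import re
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemConstraints:
    """What one target system can physically store in its password field."""
    name: str
    min_length: int
    max_length: int
    allowed_chars: frozenset


@dataclass(frozen=True)
class GlobalPolicy:
    min_length: int
    max_length: int
    allowed_chars: frozenset
    dictionary: frozenset = frozenset()
    forbidden_patterns: tuple = ()   # (regex, message) pairs; a match is a violation


def merge_constraints(systems):
    """Most restrictive combination of every system's storage limits.

    Raises ValueError when no single password can satisfy all of them, which is
    the case that forces the systems into separate target groups.
    """
    min_len = max(s.min_length for s in systems)
    max_len = min(s.max_length for s in systems)
    if min_len > max_len:
        raise ValueError("no length satisfies every system; split them into target groups")
    allowed = frozenset.intersection(*(s.allowed_chars for s in systems))
    return min_len, max_len, allowed


def history_hash(password):
    """Hash used for the history list. Plain SHA-256 keeps the demo short;
    a real history store would use a slow, salted password hash (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(policy, user_id, candidate, history_hashes=()):
    """Return all rule violations for a candidate password ([] means acceptable)."""
    violations = []
    if not policy.min_length <= len(candidate) <= policy.max_length:
        violations.append(f"length must be {policy.min_length} to {policy.max_length} characters")
    unstorable = sorted(set(candidate) - policy.allowed_chars)
    if unstorable:
        violations.append("characters not storable on every system: " + "".join(unstorable))
    lowered, uid = candidate.lower(), user_id.lower()
    # Login-ID "permutations" here are the ID itself, reversed, and without digits;
    # the product's actual permutation set is not described on this page (assumption).
    if any(v and v in lowered for v in {uid, uid[::-1], re.sub(r"\d", "", uid)}):
        violations.append("contains a permutation of the login ID")
    for word in sorted(policy.dictionary):
        if word in lowered or word[::-1] in lowered:
            violations.append(f"contains dictionary word '{word}'")
            break
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        violations.append("must contain both letters and digits")
    for pattern, message in policy.forbidden_patterns:
        if re.search(pattern, candidate):
            violations.append(message)
    if history_hash(candidate) in set(history_hashes):
        violations.append("password was used before")
    return violations


# Constructed systems: AD accepts long printable passwords, the mainframe
# exactly 8 alphanumerics plus a few national characters (illustrative limits).
AD = SystemConstraints("Active Directory", 8, 64,
                       frozenset(string.ascii_letters + string.digits + string.punctuation))
ZOS = SystemConstraints("z/OS", 8, 8,
                        frozenset(string.ascii_letters + string.digits + "@#$"))
PIN_PAD = SystemConstraints("voice mail", 4, 4, frozenset(string.digits))


def build_policy(systems=(AD, ZOS)):
    """Global policy = merged storage limits + the strongest complexity rules."""
    min_len, max_len, allowed = merge_constraints(systems)
    return GlobalPolicy(min_len, max_len, allowed,
                        dictionary=frozenset({"password", "welcome", "qwerty"}),
                        forbidden_patterns=((r"(.)\1\1", "three identical characters in a row"),))


if __name__ == "__main__":
    policy = build_policy()
    for pw in ("Tr0ub4dr", "Tr0ub4d!", "jsmith12", "Password1", "aaa12345"):
        print(pw, check_password(policy, "jsmith", pw) or "OK")
    try:
        merge_constraints((AD, PIN_PAD))
    except ValueError as e:
        print("AD + voice mail:", e)
```

With AD and z/OS merged, the policy ends up at exactly 8 characters drawn from the intersection of the two character sets, so `Tr0ub4d!` is rejected purely because `!` cannot be stored on the mainframe even though AD would accept it. Adding the 4-digit voice mail system makes `merge_constraints` raise, because no length satisfies both an 8-character minimum and a 4-character maximum; that pair of systems belongs in different target groups. Returning the full list of violations rather than the first one matches the portal behaviour described above, where all rule violations are shown on the following screen.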
List of Rules
Following is a list of password strength rules that can be enforced by Bravura Pass: