Password policies help you define the structure and complexity of passwords to be used. You can either make use of the predefined policies or create new policies to suit the needs of your organization. Once you define the policy, PAM360 enforces that policy and reports on violations. The inbuilt password generator will generate passwords based on the policy defined.
- Default Password Policies
- Customizing Password Policies
- Creating your Own Password Policy
- Applying Password Policy to Resources in Bulk
- Enforcing Password Policy during Resource/Account Creation
- Enforcing Password Policy from General Settings
1. Default Password Policies
Password policy for PAM360 can be centrally managed from the Admin tab, Admin >> Resource Config >> Password policies. By default, PAM360 lists four policies and these policies cannot be edited or deleted. The default policies are:
- Low - Password with less strict constraints.
- Medium - Password with few strict constraints.
- Strong - Password with strict constraints.
- Offline password file - Policy for offline password access.
- Navigate to Admin >> Resource Config >> Password policies.
- You can select any of the policy as default policy by selecting the set as default icon against the desired policy.
- After setting default policy, if a user tries to change the password, the default policy will be enforced and the user will be forced to enter a password as per the policy.
3. Creating your Own Password Policy
- Navigate to Admin >> Resource Config >> Password policies.
- Click Add policy.
- Enter the Policy Name and Description. You can also select from the existing templates and apply them here.
- Under Range & Character Set:
- Mention the Minimum (4) and Maximum (255) Length of the password.
- Select Enforce Numerals and mention the Minimum Count of numerals to be used in the password.
- Select Enforce Mixed Case and mention the Minimum Upper Case and Minimum Lower Case letters to be used in the password.
- Select Enforce Special Characters and mention the Minimum Count of characters to be used in the password. You can also mention the Characters not Allowed in the password.
- Under Words Usage:
- Select the checkbox, Password should not contain dictionary words to not allow dictionary words as the password. Example: apple, ranger, etc.
- You can also choose from the existing dictionaries. Click Manage to manage the dictionary files.
- In the pop-up that appears, mention Dictionary name, select the dictionary file (.txt) to be imported and click Add. You can add upto 5 dictionaries. Click here to download some of the recommended dictionaries.
- Select the checkbox Password should not contain obvious substitutions to not allow obvious substitutions. Example: @pple, r4nger, etc.
- Select the checkbox Enforce starting with an alphabet to allow only the passwords that begins with an alphabet. Example: Awed28.
- Select the checkbox Password should not contain login name to not allow username as password.
- Select the checkbox Password should not be an anagram of the login name to not allow password that is an anagram of username. Example: username: admin; password: dmain.
- Select the checkbox Password should not contain repeated substring to not allow password with repeated substrings. Example: testtest.
- Under Sequences:
- Select Password should not contain sequences of length to not allow a password with sequences and mention the sequence length.
- Select the checkbox to not allow Alphabet Sequence and their reverse as the password. Example: abcd, hgfe, etc.
- Select the checkbox to not allow Keyboard Sequence as the password. Click Change Layout to choose the layout of the keyboard. Example: qwerty, asdfg etc.
- Select the checkbox to not allow Numeric Sequence and their reverse as the password. Example: 1234,8765, etc.
- Select the checkbox to not allow Consecutive Sequence of letters, numbers or symbols as the password. Example: aaa, 111, &&&, etc.
- Under Password Similarity:
- Select Password should not be same as last to not allow previously used passwords. You can restrict upto ten (10) previous passwords.
- Select Password should not be very similar to last to not allow password similar to previously used passwords. You can check with upto ten (10) previous passwords. Example: anem28, bnem28.
- Under Password Age:
- and mention the number of days after which the password should expire.
- Click Generate Password icon to generate a sample password with the selected constraints.
- Click Preview. A pop-up appears displaying the selected password constraints.
- Click Save.
Now, you have successfully created your own password policy based on your requirement.
4. Applying Password Policy to Resources in Bulk
- Navigate to Resources tab.
- Select the resources for which you wish to apply the same password policy.
- Click Resource Actions and select Associate Password Policy from the dropdown.
- In the pop-up form that appears, select the Password policy to be applied to the chosen resource(s) from the drop down and Click Save.
After the completion of selection of password policy, the chosen password policy will be applied to all the selected resources in bulk. In case, any of the chosen resources had already been with a password policy, this action would simply overwrite the previous policy.
5. Enforcing Password Policy during Resource/Account Creation
In normal scenarios, PAM360 can check the passwords stored in the repository for compliance to the policy specified and report violations. If you want to enforce the password policy at the time of creation itself, you need to switch on a configuration in General Settings. To know more about general settings, click here.
6. Enforcing Password Policy from General Settings
- Navigate to Admin >> Settings >> General settings.
- In the UI that opens with a list of options, select Resource / Password creation from the left pane.
- By default password policy gets enforced only at the time of password change. If you wish to enforce policy compliance at the time of resource or account addition itself, then click the checkbox Enforce password policy during resource or password creation.
- Once you click this, you will be permitted to add your resource or account only if the password is in accordance with the policy defined.