Password
This table lists the policy parameters specific to passwords.
In addition to the policy parameters defined in this table, the policy parameter defined in [the table] is also valid for password credentials.
| Name | Data Type, Values | Default | Description |
|---|---|---|---|
| allowLoginIdInPassword | Data type: boolean | true | Determines whether the password may contain the user login ID. A case-insensitive check is performed upon creation. |
| checkDictionary | Data type: boolean | true | Determines whether to look up the password in the dictionary (see the chapter Password dictionary) upon creation. |
| credentialLifetime | Data type: long (>0) | 10 years in milliseconds | The time to live (in milliseconds) of the password credential. After the defined period of time, the user will not be able to log in with this password anymore. |
| hashAlgorithm | Data type: enum Values: bcrypt, SSHA256, SSHA | SSHA256 | Defines the hash algorithm used for password hashing. Supported are salted SHA-1 (SSHA), salted SHA-256 (SSHA256) and bcrypt (bcrypt).nevisIDM 2.21.2.0, SSHA has been marked as deprecated because collision attacks faster than brute force attacks have been found. Additionally, the default of nevisIDM has changed to SSHA256. Note that changing this parameter is fully backward compatible. Only newly created passwords are hashed with the defined algorithm. |
| hashAlgorithm.bcrypt.cost | Data type: int | 12 | The cost factor defines how many rounds should be used to create a bcrypt hash. The cost factor should be chosen according to the hardware used and may have to be adjusted over time. The computing time grows exponentially with the cost factor. (2cost iterations). |
| initialPwchangePeriod.adminChanged | Data type: long | -1, which means unlimited | Defines the number of milliseconds within which a user has to change his password after an administrator change. Only effective when initialPwchangeRequired=true. |
| initialPwchangePeriod.initial | Data type: long | -1, which means unlimited | Defines the number of milliseconds within which a user has to change his initial password. Only effective when initialPwchangeRequired=true. |
| initialPwchangePeriod.resetCode | Data type: long | -1, which means unlimited | Defines the number of milliseconds within which a user has to change his password after a password reset. |
| initialPwchangeRequired | Data type: boolean | true | If this parameter is true and the state of a password is "initial" or "set by administrator", the user will be forced to change it after the next login. |
| lockDisabledForPasswordChangeFailure | Data type: boolean | false | If this parameter is true, the system will not lock the user account, no matter how often the user has entered the wrong account password. |
| maxCharacterRepetitions | Data type: int | 4 | Maximum length of the longest substring made of identical characters. The value should be more than 0. Example: maxCharacterRepetitions=2 then password "cool" is allowed, but "coool" is not allowed |
| maxCredFailureCount | Data type: int (>0) or -1 | 3 | Maximum number of login failures before a password is definitely locked. If set to "-1", the max. failure counter is disabled. |
| maxCtrl | Data type: int | 0 | Maximum number of control characters such as backspace, NUL, etc. |
| maxLength | Data type: int | 30 | Maximum length of a password. |
| maxNonAscii | Data type: int | 0 | Maximum number of non-ASCII characters like umlauts. Some of these characters can be difficult to enter on certain keyboards. |
| maxNonGraph | Data type: int | 0 | Maximum number of non-printing characters such as exotic whitespace, etc. |
| maxResetCount | Data type: int | 3 | Maximum number of password resets before the user needs to call an administrator to set a new password. If you set the number to -1, the check is disabled. |
| minHistoryEntries | Data type: int | 10 | This parameter defines the number of passwords that are included in the password history check. Whenever a user changes his password, the system compares this new password with the last minHistoryEntries passwords on the user's list of "old" passwords (password history entries). It is not allowed for the new password to equal one of the last minHistoryEntries passwords on the list. In this case, the user must choose another password."Minimum" or "min" in this context refers to the minimum number of password entries that the user has to go back on his password history list until he is allowed to re-use an "old" password. |
| minHistoryTime | Data type: long | 86'400'000 (1 day) | This parameter defines the time period covered by the password history check, in milliseconds. Whenever a user changes his password, the system compares this new password with all passwords he created within the last minHistoryTime milliseconds (e.g., within the last 86'400'000 milliseconds, which means within the last day). It is not allowed for the new password to equal one of these previous passwords. In this case, the user must choose another password."Minimum" or "min" in this context refers to the minimum period of time that the user has to go back in his password history until he is allowed to re-use an "old" password. E.g., if the minHistoryTime is one day (86'400'000 milliseconds), the user may only re-use passwords from his password history list that are at least one day old. |
| minLength | Data type: int | 4 | Minimum length of a password. |
| minLower | Data type: int | 0 | Minimum number of lower-case characters. |
| minNonAlnum | Data type: int | 0 | Minimum number of characters that are neither letters nor numbers. |
| minNonLetter | Data type: int | 1 | Minimum number of characters that are not letters. |
| minNumeric | Data type: int | 0 | Minumum number of numeric characters (numbers). |
| minUpper | Data type: int | 0 | Minimum number of upper-case characters. |
| maxCredSuccessCount | Data type: int | -1, which means unlimited | Maximum number of successful logins before the credential is disabled. |
| notificationEnabled | Data type: boolean | false | Enables user notification (e-mail, SMS, PDF), even if resetCodeLen1=0. If the parameter is set to "false" and resetCodeLen1=0, no e-mail/PDF will be generated. |
| passwordLifetime | Data type: long (>0) | 115 days in milliseconds | Lifetime of a password in milliseconds before a password change is forced. The parameter will be read from the policy at every login, i.e., modifications to the parameter will take effect immediately. |
| resetCharacterSet | Data type: String | 0123456789abcdefghijklmnopqrstuvwxzy ABCDEFGHIJKLMNOPQRSTUVWXYZ | The characters used when generating the password. Example without similar looking characters:23456789abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ |
| resetCodeEnabled | Data type: boolean | false | Enable/disable the reset code feature. |
| resetCodeLen0 | Data type: int | 15 | Length of the first part of a reset code. This part is returned to the caller in the response (SOAP interface) or shown to the administrator (web GUI). |
| resetCodeLen1 | Data type: int | 15 | Length of the second part of a reset code. This part is communicated to the credential's user. |
| securePasswordChangeDisabled | Data type: boolean | false | Allows or disallows changes to the password via SelfAdmin service without knowing the old one. If enabled, this can be a cross-site request forgery vulnerability. If you enable this parameter, make sure it is intended behavior. In this case, we recommend that you enable the CSRFFilter of nevisProxy. |
| sendingMethod | Data Type: comma-separated list of enums Values: any subset of PDFstore, Print, Email, HTMLemail, PDFemail, SMS_SMTP, None OR PDFstream alone | Defines a fallback list of different methods of how a credential should be communicated to the user (if the first method fails for some reason, the second is tried, and so on). Method "Email" will fail if the user has no e-mail address or the address is invalid. Method "SMS_SMTP" will fail if the user has no mobile number or the mobile number is invalid. All methods (except None) will fail if the corresponding template is missing or one or more of the mandatory placeholders are empty. If sendingMethod was not defined at all, nevisIDM takes the default value. The default value has no fallbacks. Special sendingMethod for GUI: "PDFstream"This sendingMethod cannot be part of a fallback list. After password creation or reset, a transient link appears in the CredentialModify view on the GUI. The link can be used to download the communication PDF. If there is an error at PDF generation, the password's plain value will be lost, rendering the credential unusable for the owner. The same happens when the user leaves the view without clicking on the link. If "PDFstore" is configured, the following additional parameters can be defined:
SMS_SMTP.smtp.port (mandatory): port of the SMTP server. SMS_SMTP.message.from (mandatory): Sender of the SMS message. It has to be a valid e-mail address. SMS_SMTP.message.to (mandatory): Receiver of the SMS message. It has to contain the "${phonenumber}" placeholder. For example: ${phonenumber}@sms.mycompany.ch. SMS_SMTP.message.subject (mandatory): Subject of the e-mail sent to the SMTP gateway.
| |
| templatePrecedence | Data type: int | null | The precedence number of the template we want to use during the communication with the user. If the parameter is not set, the default template will be used. If no template exists with the given precedence number, an error will occur. |
| tmpLockingDuration | Data type: long | 60000 | Duration of the temporary locking in milliseconds. Use a tmpLockingDuration of at least 30000 since the exact duration cannot be guaranteed below this value. |
| tmpLockingMode | Data type: String Values: strict, threshold | strict |
threshold: The user can always try "tmpLockingThreshold" times to log in before the next temporary locking period activates. |
| tmpLockingThreshold | Data type: int (>0) or -1 | 2 | Number of login failures before a password is temporarily locked. If set to "-1", the temporary lock is disabled. |
| useAdminChangedStateForForeignPasswordChange | Data type: boolean | true | If set to true, the password will have the state "changed by admin" after reset or creation. If set to false, the state will be "active". This does not apply if the state was explicitly set during the creation of the password credential. Note: this only takes effect when set via web service and the credential state has not been set. It does not take effect when setting via the GUI. |
Password dictionary
nevisIDM can be configured to check passwords against a dictionary (see the parameter checkDictionary in the previous table). When enabled, this check will search the password in the dictionary and, if the password is found therein, refuse it.
This is a way to refuse common (unsafe) passwords ("123456" or words from the English language like "love", "sex", "secret" and "god").
The wordlist in nevisIDM's dictionary is based on the free public Openwall wordlist available on Openwall. Our version includes the English extended, German, Italian and French lists and the common passwords list. For instructions on how to set up your database with this dictionary, see the chapter Database Preparing.
Dictionary customization
You can extend the password dictionary with your own entries.
Passwords are converted to lowercase before checking against the dictionary for disk space reasons. So if you extend the dictionary yourself, make sure that all letters in new entries are in lowercase. This way, "Cats" "CaTs" and "CATS" will all be refused if the dictionary contains "cats". Careful: If you enter "Cats" into the dictionary, none of the above passwords would be refused, not even "Cats".
To add a new entry into the dictionary, use this SQL command structure:
insert into tidmr_password_dictionary values (<ID>, <entry>);
For example, to add "cats" to the dictionary, use
insert into tidmr_password_dictionary values (1234,"cats");
You may have to add a commit;-command, depending in your autocommit settings.