Chapter 19. Policy: Defining Password Policies
19.1. About Password Policies and Policy Attributes
- Strength or complexity requirements
- Account lockout
Table 19.1. Password Policy Settings

| Configuration Property | Command-Line Option | Description |
|---|---|---|
| **Options for both the UI and CLI** | | |
| Minimum Password Lifetime | `--minlife` | Sets the minimum period of time, in hours, that a user's password must be in effect before the user can change it. This prevents a user from changing a password and then immediately changing it back to the original value. The default value is one hour. |
| Maximum Password Lifetime | `--maxlife` | Sets the maximum period of time, in days, that a user's password can be in effect before it must be changed. The default value is 90 days. |
| Minimum Number of Character Classes | `--minclasses` | Sets the minimum number of different classes, or types, of character that must be present in a password before it is considered valid. For example, setting this value to 3 requires that any password contain characters from at least three categories in order to be approved. The default value is zero (0), meaning no classes are required. There are six character classes. |
| Minimum Length of Password | `--minlength` | Sets the minimum number of characters for a password. The default value is eight characters. |
| Password History | `--history` | Sets the number of previous passwords that are stored and which a user is prevented from reusing. For example, if this is set to ten, IdM prevents a user from reusing any of their previous ten passwords. The default value is zero (0), which disables password history. Even with the password history set to zero, users cannot reuse their current password. |
| **Options for the CLI only** | | |
| Priority | `--priority` | Sets the priority, which determines which policy is in effect when more than one applies. The lower the number, the higher the priority. Although a priority is required when the policy is first created in the UI, it cannot be changed in the UI; it can only be changed using the CLI. |
| Maximum Consecutive Failures | `--maxfail` | Specifies the maximum number of consecutive failures to enter the correct password before the user's account is locked. |
| Fail Interval | `--failinterval` | Specifies the period (in seconds) after which the failure count is reset. |
| Lockout Time | `--lockouttime` | Specifies the period (in seconds) for which a lockout is enforced. |
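To show how the settings in Table 19.1 interact, the following is an added Python model of the checks that such a policy implies; it is example code written for this page, not IdM's implementation. Because this page does not list the six character classes, the example assumes four (upper, lower, digit, other), and the `maxfail`, `failinterval` and `lockouttime` values are assumed sample values rather than IdM defaults.

```python
from dataclasses import dataclass

# Assumed character classes for --minclasses: the page says there are six
# but does not enumerate them, so four common ones are used here.
CLASSES = (str.isupper, str.islower, str.isdigit,
           lambda c: not c.isalnum())

@dataclass
class PasswordPolicy:
    minlength: int = 8      # --minlength default (page)
    minclasses: int = 0     # --minclasses default (page)
    history: int = 0        # --history default (page)
    maxfail: int = 6        # --maxfail, assumed sample value
    failinterval: int = 60  # --failinterval seconds, assumed sample value
    lockouttime: int = 600  # --lockouttime seconds, assumed sample value

def count_classes(pw):
    """Number of assumed character classes represented in pw."""
    return sum(1 for cls in CLASSES if any(cls(c) for c in pw))

def check_password(policy, candidate, current, previous):
    """Return the names of violated settings (empty list means accepted).
    previous: earlier passwords, most recent first."""
    problems = []
    if len(candidate) < policy.minlength:
        problems.append("minlength")
    if count_classes(candidate) < policy.minclasses:
        problems.append("minclasses")
    # The current password can never be reused, even with --history 0;
    # older passwords are checked only as far back as the history depth.
    if candidate == current or candidate in previous[:policy.history]:
        problems.append("history")
    return problems

@dataclass
class LockoutState:
    """Consecutive-failure counter for one account."""
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0

def is_locked(state, now):
    return now < state.locked_until

def record_failure(state, policy, now):
    """Count one wrong password at time `now` (seconds); return lock status."""
    if now - state.last_failure > policy.failinterval:
        state.failures = 0          # --failinterval elapsed: counter resets
    state.failures += 1
    state.last_failure = now
    if state.failures >= policy.maxfail:
        state.locked_until = now + policy.lockouttime   # --lockouttime
    return is_locked(state, now)
```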