Local user password strength enforcement details

The following table summarizes the fields of the local user password policy when using password strength enforcement:

Table 12.   Fields for local user password strength enforcement
Field Description Default value

Enable Password Strength Enforcement

Select this field when you want to apply password strength requirements to local user passwords.

Not selected

Number of Failed attempts

Specify the number of failed attempts that a local user can make when entering his password.

After this number of attempts, Ivanti does not allow the user to login until the specified auto-lock time has expired. After the auto-lock time expires, each failed login attempt results in Ivanti not allowing the user to login until the auto-lock time expires again.

Valid values are 1 through 16.

5

Auto-Lock Time

Specify how much time in seconds, minutes, hours, or days the local user must wait before he can log in after exceeding the number of failed attempts.

Valid values are 0 through 3600 seconds (60 minutes).

30 seconds

Enforce Passcode History (Last 4 passwords)

Select Enable if you do not want to allow a local user to use the previous 4 passwords when changing his password.

To allow a local user to use the previous 4 passwords, select Disable.

Enable

Password Strength

Select a value between 0 and 100, where 0 is the weakest requirement, and 100 is the strongest requirement.

You can enter a value or move the slider.

For details, see Local user password strength value descriptions.

35

Local user password strength value descriptions

The following table describes the local user password strength values:

Table 13.   Local user password strength value descriptions
Strength value Description Examples

0 - 20

Weak: risky password

  • Few characters: ;">zxcvbn
  • Sequences: ;">abcdefghijk987654321
  • Names: ;">briansmith4mayor
  • Words: ;">viking
  • Words with number substitutions: ;">ScoRpi0ns

21 - 40

Fair: protection from throttled online attacks

Throttled online attacks are attacks to guess the passcode which are:

  • on the device
  • rate-limited

Rate-limited attacks are limited to some number of attempts per time period.

  • Few characters but with special characters: ;">[email protected]!
  • Words plus numbers: ;">temppass22
  • Names plus numbers: ;">ryanhunter2000
  • Words with special character and number substitutions: ;">R0$38uD99
  • Names with capitalization: ;">verlineVANDERMARK

41 - 60

Good: protection from unthrottled online attacks

Unthrottled online attacks are attacks to guess the passcode which are:

  • on the device
  • not rate-limited
  • Longer words with special character and number substitutions: ;">Tr0ub4dour&3
  • Longer phrases with numbers and special characters: neverforget13/3/1997
  • Longer letter, number, and special character combinations: ;">asdfghju7654rewq, AOEUIDHG&*()LS

61 - 80

Strong: moderate protection from offline slow-hash scenario

An offline slow-hash scenario is a sophisticated algorithm for guessing a passcode. The algorithm runs offline from the device after copying passcode-related files from the device.

  • Longer random letters and numbers:

    • zevusqr3
    • resqu3Wil
    • tgbvdnjuk
  • Longer phrases with numbers and special characters: Compl3xChar$

81 - 100

Very strong: strong protection from offline slow-hash scenario

  • Very long random characters:

    • eheuczkqyq
    • rWibMFACxAUGZmxhVncy
    • Ba9ZyWABu99[BK#6MBgbH88Tofv)vs$w
  • Long phrases: ;">correcthorsebatterystaple
  • Long phrases with substitutions: coRrecth0rseba++ery9.23.2007staple$