Identity Source: Password Policy
Use the Security > Identity Source > Password Policy menu items to configure complex password requirements for local users. This section includes the following topics:
- System Manager local user password policy overview
- Setting password policy
- Local user password complexity enforcement details
- Local user password strength enforcement details
System Manager local user password policy overview
You can specify the password policy for System Manager local users.
The password policy includes the following:
- Enforcement type, which is one of the following:
  - Password complexity enforcement
  - Password strength enforcement
  Ivanti EPMM enforces the password complexity or strength when:
  - You add a new local user in the System Manager.
  - Local users change their password.
- Number of failed attempts: after the local user fails to enter the correct password for the specified number of attempts, Ivanti EPMM does not allow the user to log in until the specified auto-lock time has expired.
- Password history enforcement: when you enforce password history, local users cannot reuse any of their previous 4 passwords when changing their password.
Local user password complexity enforcement
You can enforce password complexity requirements on local user passwords. Complex requirements prevent local users from using passwords that are weak and therefore easy to guess. However, requirements that are too complex make using the user ID and password inconvenient for the user, because they have to enter a more complicated or longer password. Therefore, when you choose the complexity requirements, consider both your security needs and your local users' convenience.
You specify the following password complexity requirements:
- Minimum and maximum password length
- Minimum number of character classes in a password. The character classes are:
  - Lower case alphabetic characters
  - Upper case alphabetic characters
  - Numeric characters 0 through 9
  - Special characters, which are ! = ( { [ _ : - ; ~ , ) } ] @ # ^ | $
In addition to the requirements that you specify, Ivanti EPMM enforces the following requirements:
- The password cannot contain a grave accent (backtick) character.
- The password cannot contain the space character.
- The password cannot contain 4 or more repeating characters.
- The password cannot be the same as the user ID.
Local user password strength enforcement
You can specify the local user password strength to enforce how strong a password must be. Setting the password strength prevents local users from using passwords that are weak and therefore easy to guess. However, setting the password strength too high makes using the user ID and password inconvenient for the user, because they have to enter a more complicated or longer password. Therefore, when you choose the password strength requirement, consider both your security needs and your local users' convenience.
In addition to your specified password strength, the System Manager enforces the following requirements:
- The password cannot contain a grave accent (backtick) character.
- The password cannot contain the space character.
- The password length must be 128 characters or less.
- The password cannot be the same as the user ID.
Setting password policy
Procedure
To set the password policy for System Manager local users:
- Log into System Manager.
- Select Security > Identity Source > Password Policy.
- Select one of these options:
  - Enable Password Complexity Enforcement. Modify one or more of the default fields, as necessary. See System Manager local user password policy overview.
  - Enable Password Strength Enforcement. Modify one or more of the default fields, as necessary. See Local user password strength enforcement details.
- Click Apply > Yes > OK.
- To reset the password policy to the default values, click Reset to Default followed by OK.
Changing the password policy or resetting it to the default values can result in local users being disconnected or cause a disruption in service.
Local user password complexity enforcement details
The following table summarizes the fields of the System Manager local user password policy when using password complexity enforcement:

| Field | Description | Default value |
| --- | --- | --- |
| Enable Password Complexity Enforcement | Select this field when you want to apply password complexity requirements to local user passwords. | Selected |
| Minimum number of character classes in password | This field is only available when you have selected Enable Password Complexity Enforcement. Select the minimum number of different character classes (lower case, upper case, numeric, and special character) that you require in a password. For each character class, you select whether it counts towards the minimum number. The minimum number must be less than or equal to the number of character classes you select. For example, if the minimum number of character classes is 2, you can select 2 or more of the character classes. In this case, if you select Lower Case, Upper Case, and Numeric, the password must contain at least 2 of those character classes. | 3 |
| Lower Case | Select this option if the lower case character class counts towards the minimum number of character classes that you require in a password. The lower case character class includes the lower case alphabetic characters ‘a’ through ‘z’. | Selected |
| Upper Case | Select this option if the upper case character class counts towards the minimum number of character classes that you require in a password. The upper case character class includes the upper case alphabetic characters ‘A’ through ‘Z’. | Selected |
| Numeric | Select this option if the numeric character class counts towards the minimum number of character classes that you require in a password. The numeric character class includes the characters ‘0’ through ‘9’. | Selected |
| Special Character | Select this option if the special character class counts towards the minimum number of character classes that you require in a password. The special character class includes these characters: ! = ( { [ _ : - ; ~ , ) } ] @ # ^ \| $ | Not selected |
| Min Password Length | Select the minimum number of characters in a password. Valid values are 6 through 16. | 8 |
| Max Password Length | Select the maximum number of characters in a password. Valid values are 21 through 128. | 32 |
| Number of Failed attempts | Specify the number of failed attempts that a local user can make when entering their password. After this number of attempts, Ivanti EPMM does not allow the user to log in until the specified auto-lock time has expired. After the auto-lock time expires, each further failed login attempt results in Ivanti EPMM not allowing the user to log in until the auto-lock time expires again. Valid values are 1 through 16. | 5 |
| Auto-Lock Time | Specify how much time in seconds the local user must wait before they can log in after exceeding the number of failed attempts. Valid values are 0 through 3600 seconds. | 30 |
| Enforce Passcode History (Last 4 passwords) | Select Enable if you do not want to allow a local user to reuse any of their previous 4 passwords when changing their password. To allow a local user to reuse the previous 4 passwords, select Disable. | Enable |
Local user password strength enforcement details
The following table summarizes the fields of the System Manager local user password policy when using password strength enforcement:

| Field | Description | Default value |
| --- | --- | --- |
| Enable Password Strength Enforcement | Select this field when you want to apply password strength requirements to local user passwords. | Not selected |
| Number of Failed attempts | Specify the number of failed attempts that a local user can make when entering their password. After this number of attempts, Ivanti EPMM does not allow the user to log in until the specified auto-lock time has expired. After the auto-lock time expires, each further failed login attempt results in Ivanti EPMM not allowing the user to log in until the auto-lock time expires again. Valid values are 1 through 16. | 5 |
| Auto-Lock Time | Specify how much time in seconds the local user must wait before they can log in after exceeding the number of failed attempts. Valid values are 0 through 3600 seconds. | 30 |
| Enforce Passcode History (Last 4 passwords) | Select Enable if you do not want to allow a local user to reuse any of their previous 4 passwords when changing their password. To allow a local user to reuse the previous 4 passwords, select Disable. | Enable |
| Password Strength | Select a value between 0 and 100, where 0 is the weakest requirement and 100 is the strongest requirement. You can enter a value or move the slider. For details, see Local user password strength value descriptions. | 35 |
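Both tables share the Number of Failed attempts, Auto-Lock Time and Enforce Passcode History fields, and the lockout wording is easy to misread: once the threshold is reached, the lock is not cleared when the auto-lock time expires; every further failed attempt re-locks the account for another auto-lock period, and only a successful login resets the count. The following Python model is an added example for this page, not Ivanti's code, and does not describe EPMM's internal implementation. It assumes a login attempt made while the account is locked is rejected without being evaluated, that the history of "the last 4 passwords" includes the current one, and it uses PBKDF2 with a fixed per-user salt purely so that stored hashes can be compared for the history check (a constructed stand-in for whatever EPMM stores). The clock is injected as `now` so the sequence can be tested deterministically.

```python
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    failed_attempts: int = 5     # Number of Failed attempts (valid 1 through 16)
    auto_lock_seconds: int = 30  # Auto-Lock Time (valid 0 through 3600 seconds)
    history_depth: int = 4       # Enforce Passcode History (last 4 passwords)
    enforce_history: bool = True

    def validate(self):
        """Reject values outside the ranges the field tables allow."""
        if not 1 <= self.failed_attempts <= 16:
            raise ValueError("Number of Failed attempts must be 1 through 16")
        if not 0 <= self.auto_lock_seconds <= 3600:
            raise ValueError("Auto-Lock Time must be 0 through 3600 seconds")


def password_hash(password, salt):
    # Stand-in credential store for the demo: PBKDF2-HMAC-SHA256 with a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class LocalUser:
    user_id: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    # Hashes of the most recent passwords, newest first; index 0 is the current password.
    history: list = field(default_factory=list)
    failures: int = 0
    locked_until: float = 0.0


class LocalUserAuth:
    def __init__(self, policy=LockoutPolicy()):
        policy.validate()
        self.policy = policy

    def create_user(self, user_id, password):
        user = LocalUser(user_id)
        user.history = [password_hash(password, user.salt)]
        return user

    def login(self, user, password, now):
        """Return (accepted, reason). `now` is a timestamp in seconds, injected for testability."""
        if now < user.locked_until:
            # Locked: the attempt is refused without checking the password (assumption).
            return False, "locked"
        if password_hash(password, user.salt) == user.history[0]:
            user.failures = 0           # only a successful login clears the count
            return True, "ok"
        user.failures += 1
        if user.failures >= self.policy.failed_attempts:
            # Threshold reached (or already exceeded after an earlier lock expired):
            # every further failure starts a fresh auto-lock period.
            user.locked_until = now + self.policy.auto_lock_seconds
            return False, "locked"
        return False, "bad_password"

    def change_password(self, user, new_password):
        """Return True if the change is accepted, False if history enforcement rejects it."""
        new_hash = password_hash(new_password, user.salt)
        if self.policy.enforce_history and new_hash in user.history[: self.policy.history_depth]:
            return False
        user.history.insert(0, new_hash)
        del user.history[self.policy.history_depth:]   # keep only the last N
        return True


if __name__ == "__main__":
    # Constructed walkthrough with a 3-attempt threshold and a 30-second lock.
    auth = LocalUserAuth(LockoutPolicy(failed_attempts=3, auto_lock_seconds=30))
    alice = auth.create_user("alice", "Tr0ub4dor!")
    for t, pw in [(0, "x"), (1, "x"), (2, "x"), (10, "Tr0ub4dor!"), (33, "x"), (64, "Tr0ub4dor!")]:
        print(t, auth.login(alice, pw, t), "locked_until=%s" % alice.locked_until)
```

The walkthrough in the `__main__` block shows the point the tables make: the third failure locks the account until t=32, a correct password at t=10 is still refused, a single failure at t=33 re-locks it until t=63, and the successful login at t=64 is what finally resets the counter. Setting Auto-Lock Time to 0 makes the lock expire immediately, so the failed-attempt threshold then has no effect beyond the extra bookkeeping.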
Local user password strength value descriptions
The following table describes the System Manager local user password strength values:

| Strength value | Description | Examples |
| --- | --- | --- |
| 0 - 20 | Weak: risky password | |
| 21 - 40 | Fair: protection from throttled online attacks. Throttled online attacks are attacks to guess the passcode which are rate-limited: limited to some number of attempts per time period. | |
| 41 - 60 | Good: protection from unthrottled online attacks. Unthrottled online attacks are attacks to guess the passcode which are: | |
| 61 - 80 | Strong: moderate protection from an offline slow-hash scenario. An offline slow-hash scenario is a sophisticated algorithm for guessing a passcode. The algorithm runs offline from the device after copying passcode-related files from the device. | |
| 81 - 100 | Very strong: strong protection from an offline slow-hash scenario | |