Identity Source: Password Policy

Use the Security > Identity Source > Password Policy menu items to configure complex password requirements for local users. This section covers the topics below.

System Manager local user password policy overview

You can specify the password policy for System Manager local users.

The password policy includes the following:

  • Enforcement type, which is either password complexity enforcement or password strength enforcement. Ivanti EPMM enforces the password complexity or strength when:

    • You add a new local user in the System Manager.
    • Local users change their password.

  • Number of failed attempts

    After the local user fails to enter the correct password after the specified number of attempts, Ivanti EPMM does not allow the user to log in until the specified auto-lock time has expired.

  • Password history enforcement

    When you enforce password history, local users cannot use the previous 4 passwords when changing their password.

Local user password complexity enforcement

You can enforce password complexity requirements on local user passwords. Complex requirements prevent local users from using passwords that are weak and therefore easy to guess. However, requirements that are too complex make using the user ID and password inconvenient for the user, because they have to enter a more complicated or longer password. Therefore, when you choose the complexity requirements, consider both your security needs and your local users' convenience.

You specify the following password complexity requirements:

  • Minimum and maximum password length

  • Minimum number of character classes in a password

    Character classes are:

    • Lower case alphabetic characters
    • Upper case alphabetic characters
    • Numeric characters 0 through 9
    • Special characters, which are ! = ( { [ _ : - ; ~ , ) } ] @ # ^ | $

In addition to the requirements that you specify, Ivanti EPMM enforces the following requirements:

  • The password cannot have a Grave accent (back tick) character.
  • The password cannot contain the space character.
  • The password cannot have 4 or more repeating characters.
  • The password cannot be the same as the user ID.
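The complexity rules above, worked through as an added example (this is not Ivanti's code): a checker that applies the always-enforced rules together with the configurable fields, using the default values from the field table below. Reading "4 or more repeating characters" as the same character repeated four or more times in a row is an assumption.

```python
import re

# Special characters that the policy counts as the special character class (from this page).
SPECIAL_CHARS = set("!=({[_:-;~,)}]@#^|$")


def character_classes_present(password):
    """Return the set of policy character classes that appear in the password."""
    present = set()
    for c in password:
        if "a" <= c <= "z":
            present.add("lower")
        elif "A" <= c <= "Z":
            present.add("upper")
        elif "0" <= c <= "9":
            present.add("numeric")
        elif c in SPECIAL_CHARS:
            present.add("special")
    return present


def check_complexity(password, user_id, min_length=8, max_length=32, min_classes=3,
                     counted_classes=("lower", "upper", "numeric")):
    """Return the list of policy violations; an empty list means the password is accepted.

    Defaults mirror the page's default values: length 8..32, 3 classes required,
    with Lower Case, Upper Case and Numeric counted and Special Character not counted.
    """
    if min_classes > len(counted_classes):
        raise ValueError("minimum number of classes exceeds the number of selected classes")
    problems = []
    # Requirements Ivanti EPMM enforces regardless of the configured fields.
    if "`" in password:
        problems.append("contains a grave accent (back tick)")
    if " " in password:
        problems.append("contains a space")
    # Assumption: "4 or more repeating characters" means the same character
    # appearing four or more times in a row, e.g. "aaaa".
    if re.search(r"(.)\1{3,}", password):
        problems.append("has 4 or more repeating characters")
    if password == user_id:
        problems.append("is the same as the user ID")
    # Requirements taken from the configured policy fields.
    if not min_length <= len(password) <= max_length:
        problems.append(f"length {len(password)} is not between {min_length} and {max_length}")
    found = len(character_classes_present(password) & set(counted_classes))
    if found < min_classes:
        problems.append(f"contains {found} of the {min_classes} required character classes")
    return problems
```

Note that a character outside all four classes (for example %) does not count towards any class, so it cannot help a password meet the minimum.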

Local user password strength enforcement

You can specify the local user password strength to enforce how strong a password must be. Setting the password strength prevents local users from using passwords that are weak and therefore easy to guess. However, setting the password strength too high makes using the user ID and password inconvenient for the user because they have to enter a more complicated or longer password. Therefore, when you choose the password strength requirement, consider both your security needs and your local user convenience.

In addition to your specified password strength, the System Manager enforces the following requirements:

  • The password cannot have a Grave accent (back tick) character.
  • The password cannot contain the space character.
  • The password length must be 128 or less.
  • The password cannot be the same as the user ID.

Setting password policy

Procedure

To set the password policy for System Manager local users:

  1. Log into System Manager.
  2. Select Security > Identity Source > Password Policy.
  3. Select one of these options: Enable Password Complexity Enforcement or Enable Password Strength Enforcement, and set the fields for that option as described in the tables that follow.
  4. Click Apply > Yes > OK.
  5. To reset the password policy to the default values instead, click Reset to Default followed by OK.

Changing the password policy or resetting to default values can result in local users being disconnected or cause a disruption in service.

Local user password complexity enforcement details

The following table summarizes the fields of the System Manager local user password policy when using password complexity enforcement:

Table 18.   System Manager local user password complexity enforcement fields

Enable Password Complexity Enforcement
  Description: Select this field when you want to apply password complexity requirements to local user passwords.
  Default value: Selected

Minimum number of character classes in password
  Description: This field is only available when you have selected Enable Password Complexity Enforcement.
  Select the minimum number of different character classes (lower case, upper case, numeric, and special character) that you require in a password.
  For each character class, you select whether it counts towards the minimum number. The minimum number must be less than or equal to the number of character classes you select.
  For example, if the minimum number of character classes is 2, you can select 2 or more of the character classes. In this case, if you select Lower Case, Upper Case, and Numeric, the password must contain at least 2 of those character classes.
  Default value: 3

Lower Case
  Description: Select this option if the lower case character class counts towards the minimum number of character classes that you require in a password. The lower case character class includes the lower case alphabetic characters ‘a’ through ‘z’.
  Default value: Selected

Upper Case
  Description: Select this option if the upper case character class counts towards the minimum number of character classes that you require in a password. The upper case character class includes the upper case alphabetic characters ‘A’ through ‘Z’.
  Default value: Selected

Numeric
  Description: Select this option if the numeric character class counts towards the minimum number of character classes that you require in a password. The numeric character class includes the characters ‘0’ through ‘9’.
  Default value: Selected

Special Character
  Description: Select this option if the special character class counts towards the minimum number of character classes that you require in a password. The special character class includes these characters: ! = ( { [ _ : - ; ~ , ) } ] @ # ^ | $
  Default value: Not selected

Min Password Length
  Description: Select the minimum number of characters in a password. Valid values are 6 through 16.
  Default value: 8

Max Password Length
  Description: Select the maximum number of characters in a password. Valid values are 21 through 128.
  Default value: 32

Number of Failed attempts
  Description: Specify the number of failed attempts that a local user can make when entering his password.
  After this number of attempts, Ivanti EPMM does not allow the user to log in until the specified auto-lock time has expired. After the auto-lock time expires, each failed login attempt results in Ivanti EPMM not allowing the user to log in until the auto-lock time expires again.
  Valid values are 1 through 16.
  Default value: 5

Auto-Lock Time
  Description: Specify how much time in seconds the local user must wait before he can log in after exceeding the number of failed attempts. Valid values are 0 through 3600 seconds.
  Default value: 30

Enforce Passcode History (Last 4 passwords)
  Description: Select Enable if you do not want to allow a local user to use the previous 4 passwords when changing his password. To allow a local user to use the previous 4 passwords, select Disable.
  Default value: Enable
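The failed-attempt and auto-lock behaviour described for the Number of Failed attempts and Auto-Lock Time fields, modelled as an added example (not Ivanti's code) with the page's defaults of 5 attempts and 30 seconds. The clock is injected so the lock can be exercised without waiting; that a successful login clears the failure count, and that attempts made while locked are not counted, are assumptions the page does not state.

```python
import time


class LocalUserLockout:
    """Tracks failed logins for one local user and applies the auto-lock rule."""

    def __init__(self, max_failed_attempts=5, auto_lock_seconds=30, clock=time.monotonic):
        self.max_failed = max_failed_attempts      # "Number of Failed attempts" field
        self.lock_seconds = auto_lock_seconds      # "Auto-Lock Time" field
        self.clock = clock                         # injected so tests need not sleep
        self.failed = 0
        self.locked_until = None

    def is_locked(self):
        """True while the auto-lock time has not yet expired."""
        return self.locked_until is not None and self.clock() < self.locked_until

    def attempt(self, password_ok):
        """Record one login attempt and return 'locked', 'success' or 'failed'."""
        if self.is_locked():
            return "locked"            # assumption: a rejected attempt is not counted
        if password_ok:
            self.failed = 0            # assumption: success resets the counter
            self.locked_until = None
            return "success"
        self.failed += 1
        # Once the limit has been reached, every further failure re-arms the lock
        # for the full auto-lock time (the page's "expires again" rule).
        if self.failed >= self.max_failed:
            self.locked_until = self.clock() + self.lock_seconds
        return "failed"
```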

Local user password strength enforcement details

The following table summarizes the fields of the System Manager local user password policy when using password strength enforcement:

Table 19.   System Manager local user password strength enforcement fields

Enable Password Strength Enforcement
  Description: Select this field when you want to apply password strength requirements to local user passwords.
  Default value: Not selected

Number of Failed attempts
  Description: Specify the number of failed attempts that a local user can make when entering his password.
  After this number of attempts, Ivanti EPMM does not allow the user to log in until the specified auto-lock time has expired. After the auto-lock time expires, each failed login attempt results in Ivanti EPMM not allowing the user to log in until the auto-lock time expires again.
  Valid values are 1 through 16.
  Default value: 5

Auto-Lock Time
  Description: Specify how much time in seconds the local user must wait before he can log in after exceeding the number of failed attempts. Valid values are 0 through 3600 seconds.
  Default value: 30

Enforce Passcode History (Last 4 passwords)
  Description: Select Enable if you do not want to allow a local user to use the previous 4 passwords when changing his password. To allow a local user to use the previous 4 passwords, select Disable.
  Default value: Enable

Password Strength
  Description: Select a value between 0 and 100, where 0 is the weakest requirement and 100 is the strongest requirement. You can enter a value or move the slider. For details, see Local user password strength value descriptions.
  Default value: 35

Local user password strength value descriptions

The following table describes the System Manager local user password strength values:

Table 20.   System Manager local user password strength value descriptions

Strength value: 0 - 20
  Description: Weak: risky password
  Examples:
    • Few characters: zxcvbn
    • Sequences: abcdefghijk987654321
    • Names: briansmith4mayor
    • Words: viking
    • Words with number substitutions: ScoRpi0ns

Strength value: 21 - 40
  Description: Fair: protection from throttled online attacks
  Throttled online attacks are attacks to guess the passcode which are:
    • on the device
    • rate-limited
  Rate-limited attacks are limited to some number of attempts per time period.
  Examples:
    • Few characters but with special characters: qwER43@!
    • Words plus numbers: temppass22
    • Names plus numbers: ryanhunter2000
    • Words with special character and number substitutions: R0$38uD99
    • Names with capitalization: verlineVANDERMARK

Strength value: 41 - 60
  Description: Good: protection from unthrottled online attacks
  Unthrottled online attacks are attacks to guess the passcode which are:
    • on the device
    • not rate-limited
  Examples:
    • Longer words with special character and number substitutions: Tr0ub4dour&3
    • Longer phrases with numbers and special characters: neverforget13/3/1997
    • Longer letter, number, and special character combinations:
      asdfghju7654rewq
      OEUIDHG&*()LS_

Strength value: 61 - 80
  Description: Strong: moderate protection from offline slow-hash scenario
  An offline slow-hash scenario is a sophisticated algorithm for guessing a passcode. The algorithm runs offline from the device after copying passcode-related files from the device.
  Examples:
    • Longer random letters and numbers:
      zevusqr3
      esqu3Wil
      tgbvdnjuk
    • Longer phrases with numbers and special characters: Compl3xChar$

Strength value: 81 - 100
  Description: Very strong: strong protection from offline slow-hash scenario
  Examples:
    • Very long random characters:
      eheuczkqyq
      rWibMFACxAUGZmxhVncy
      Ba9ZyWABu99[BK#6MBgbH88Tofv)vs$w
    • Long phrases: correcthorsebatterystaple
    • Long phrases with substitutions: coRrecth0rseba++ery9.23.2007staple$