Manage Password Settings
Password settings determine the requirements for Instant ID as a Service passwords, including password reset. Passwords are manually or automatically assigned to users on Instant ID as a Service. Passwords must meet the restrictions set in the Password Authenticator settings.
Additional topics in this section:
- Manage Entrust Soft Token
- Assign Entrust Soft Tokens to Users
- Add and Activate an Entrust Soft Token
Manage Password Settings
- Select Main Menu > Administration > Policies > Authenticators. The Authenticators page opens.
- Select Password from the left-side menu. The Password settings page appears.
- Perform the following tasks, as required:
- Click Save to save your changes. The changes apply to all passwords.
Modify the Password Settings
In the Password section, do the following:
- Set Minimum Length to the minimum number of characters a password must contain. The maximum password length is 255 characters.
- Set Lifetime Days to the number of days a password is valid.
This setting defines the value of the Default Password Lifetime set for a user's password authenticator (see Assign a Password Authenticator). A value of 0 sets the password to never expire. The default password lifetime is 90 days. The maximum is 36,500 days. The value cannot be less than the setting for the Minimum Lifetime.
- Set Minimum Lifetime to the number of days a user must wait between creating and changing their password.
- Set Password Kept in History to the number of previous passwords stored in the account password history. This setting prevents users from reusing recent passwords.
The maximum number of passwords is 255. Enter a value of 0 to disable the password history.
- Select the Minimum Password Strength from the drop-down list. A number of factors, such as common passwords, names, phrases, and character repetition, determine the strength of a password. The default setting is Good.
- Set Allow Compromised Passwords to determine whether passwords known to have been exposed in data breaches of external sites are allowed. When this option is unchecked, passwords that are flagged as compromised cannot be used. Refer to Enable or Disable Compromised Password Check below for more details.
- Select Active Directory Complexity Requirements to require that any password entered during password reset meets the password requirements included in the user's Active Directory.
The following table provides a mapping of AD password settings to Instant ID as a Service password settings.
| AD Password Setting | Instant ID as a Service password setting |
|---|---|
| Minimum password length | Minimum length |
| Maximum password age | Lifetime Days |
| Minimum password age | Minimum Lifetime |
| Enforce password history | Number of passwords kept in the History List |
| Password must meet complexity requirements | There is no direct mapping of AD complexity requirements to Instant ID as a Service. |
Note: The Active Directory settings enforce the Lifetime Days, Maximum Lifetime, and Passwords Kept in History setting values. The Active Directory Password complexity requirements are also enforced when resetting an Active Directory password.
- Set Protection Type to either Hashed or Encrypted (Supports CHAP/MSCHAP authentication). You must select Encrypted (Supports CHAP/MSCHAP authentication) to use a CHAP/MSCHAP authentication protocol.
Note: This setting only applies to new passwords. The password must be changed on Instant ID as a Service for changes to the Protection Type to be applied to the password.
- From the Include Number drop-down list, select the numeric character requirements.
Note: To create a password that is all numerals, such as for ATM access, set this option to Required, and set the options for letters and special characters to Not allowed.
- Set Number of Numeric Characters if Required to the minimum number of numerals the password must contain when Required is set for Include Number. The Required value cannot exceed 255.
- From the Include Uppercase Letter drop-down list, select the uppercase letter requirements.
- Set Number of Uppercase Characters if Required to the minimum number of uppercase letters the password must contain when Required is set for Include Uppercase Letter. The Required value cannot exceed 255.
- From the Include Lowercase Letter drop-down list, select the lowercase letter requirements.
- Set Number of Lowercase Characters if Required to the minimum number of lowercase letters the password must contain when Required is set for Include Lowercase Letter. The Required value cannot exceed 255.
- From the Include Nonalphanumeric Character drop-down list, select the nonalphanumeric requirements. Permitted special characters are: ! @ # $ % ^ * + ? /
- Set Number of Nonalphanumeric Characters if Required to the minimum number of nonalphanumeric characters the password must contain when Required is set for Include Nonalphanumeric Character. The Required value cannot exceed 255.
- Set Maximum Repeated Characters to the maximum number of times a character can appear in the password.
- Set Maximum Change Time (Minutes) to the amount of time, in minutes, within which a password change must be made.
When Instant ID as a Service flags a password for changing, you can choose a time period in which that change must be made. If the time period expires, an attempt to change the password fails and the administrator must reset the password. Enter a positive integer that represents the number of seconds, minutes, hours or days.
Note: Setting Maximum Change Time (Minutes) to 0 does not cause any already-expired passwords to be unexpired.
- Select the Enable Expiry Notifications check box to enable password expiration notifications.
Enable or Disable Compromised Password Check
Compromised Password Policy Configuration
Administrators can enhance system security by configuring password policies to check for compromised passwords. This feature prevents users from setting passwords that have been exposed in known data breaches.
Enabling Compromised Password Checks
To enable this feature:
- Navigate to Policies > Authenticators > Passwords.
- Locate the Allow Compromised Passwords checkbox.
- Uncheck this box to block the use of compromised passwords.
When this option is unchecked, the system validates passwords against a list of known compromised credentials. If a user attempts to set a password that is flagged, such as password or EntSanity99, the operation will fail with the following error message:
“This password has been found in a compromised password list from a third-party source. To ensure security, its use is restricted.”
This validation applies to all password operations:
- Password creation
- Password change
- Password reset
It applies whether the operation is performed by the user or an administrator.
Allowing Compromised Passwords
If your organization chooses to allow compromised passwords (e.g., for testing or legacy compatibility), you can enable this by checking the Allow Compromised Passwords box in the policy configuration.
Default Behaviour
For newly created policies or policies upgraded to this release, the compromised password check is enabled by default.
Set Blacklisted Passwords
Blacklisted passwords are a list of words disallowed as user passwords.
In the Blacklisted Passwords section, do the following:
- Click Add. The Add Blacklisted Passwords dialog box appears.
- In the text box, enter the Blacklisted Password Values.
Note: You cannot add duplicate words and strings in the Blacklisted Password Values list. For example, if you add password to the blacklisted password list, users are restricted from using the word password anywhere in their password.
- Press <return> to enter each new blacklisted password on a new line.
- When done, click Add to return to the Password setting page.
- To delete a blacklisted password, click the delete icon.
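The Password settings list, the compromised password check and the blacklist section above together define one rule set. As an added illustration (not Instant ID as a Service code), the following validator applies those rules to a candidate password; the policy defaults, the sample passwords and the local compromised-password set are constructed here, and the product's third-party breach list is stood in for by that local set.

```python
from dataclasses import dataclass, field

# Permitted special characters, as listed for the Include Nonalphanumeric Character setting.
SPECIALS = set("!@#$%^*+?/")

@dataclass
class PasswordPolicy:
    min_length: int = 8                   # constructed sample defaults throughout
    include_number: str = "Required"      # Required / Allowed / Not allowed
    num_numeric: int = 1                  # Number of Numeric Characters if Required
    include_upper: str = "Required"
    num_upper: int = 1
    include_lower: str = "Required"
    num_lower: int = 1
    include_special: str = "Allowed"
    num_special: int = 0
    max_repeated: int = 3                 # Maximum Repeated Characters
    history_size: int = 5                 # Password Kept in History (0 disables)
    blacklist: list = field(default_factory=list)
    allow_compromised: bool = False

def _check_class(kind, setting, count, needed, errors):
    """Apply one Include ... drop-down together with its 'if Required' count."""
    if setting == "Required" and count < needed:
        errors.append(f"needs at least {needed} {kind} character(s)")
    elif setting == "Not allowed" and count > 0:
        errors.append(f"{kind} characters are not allowed")

def validate(pw, policy, history=(), compromised=frozenset()):
    """Return the list of violations; an empty list means the password is acceptable."""
    errors = []
    if not policy.min_length <= len(pw) <= 255:
        errors.append(f"length must be between {policy.min_length} and 255")
    _check_class("numeric", policy.include_number, sum(c.isdigit() for c in pw), policy.num_numeric, errors)
    _check_class("uppercase", policy.include_upper, sum(c.isupper() for c in pw), policy.num_upper, errors)
    _check_class("lowercase", policy.include_lower, sum(c.islower() for c in pw), policy.num_lower, errors)
    _check_class("special", policy.include_special, sum(c in SPECIALS for c in pw), policy.num_special, errors)
    if any(not c.isalnum() and c not in SPECIALS for c in pw):
        errors.append("contains a character outside the permitted special set")
    if any(pw.count(c) > policy.max_repeated for c in set(pw)):
        errors.append(f"a character appears more than {policy.max_repeated} times")
    # Blacklisted words match anywhere in the password, case-insensitively.
    if any(word.lower() in pw.lower() for word in policy.blacklist):
        errors.append("contains a blacklisted word")
    if policy.history_size and pw in tuple(history)[-policy.history_size:]:
        errors.append("password was used recently")
    # The product checks a third-party breach list; a local set stands in for it here.
    if not policy.allow_compromised and pw in compromised:
        errors.append("password appears in a compromised password list")
    return errors
```

Setting the letter and special-character options to "Not allowed" with Include Number set to Required reproduces the all-numeral ATM case described in the note above.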
Set Password Reset Settings
To enable users to reset their password during authentication, do the following:
- Select Enable Forgot Password to enable users to reset their password during authentication. The setting is disabled by default. Additional Password Reset Settings appear.
Note: You must also modify your Instant ID as a Service resource rules to enable password reset. See Reset a Password for more information.
- Select the Groups Allowed to perform a Password Reset.
Tip: Click the filter icon to filter your group list.
- From the Second Factor Authenticators Allowed to perform a Password Reset list, select the second factor authentication methods. Note the following when selecting second factor authenticators:
- Drag and drop the selected authentication methods in order of preference.
- Users resetting their password are prompted to complete the authentication challenge at the top of the list before being able to reset their password.
- If the user does not have that type of authenticator, they are prompted to use the next authenticator on the list.
- If they do not have any of the authenticators on the Second Factor Authenticators Allowed to perform a Password Reset list, they cannot reset their password.
Note: Selecting Temporary Access Code as an allowed authenticator only enables completing a Temporary Access Code authentication challenge to perform a password reset. Temporary Access Codes cannot be used to complete a Grid Card, OTP, or Token challenge that is required before resetting a password.
- (Optional) Select Additional Second Factor.
If selected, users are required to complete a second-factor authentication before being able to reset their password. When enabled, the user must complete two of the second factor authentication challenges in the Second Factor list.
- Select Unlock User Account to unlock the user account after they reset their password. The setting is enabled by default.
- Review the Knowledge-based Authentication Settings. These settings only apply if Knowledge-based Authenticator is selected in the Second Factor list.