IdentityIQ Password Policy
The password policy for passwords stored internally by IdentityIQ is set in the System Setup configuration pages. Click the gear icon and select Global Settings > IdentityIQ Configuration > Passwords tab > Password Policy.
Most of the setting options are the same as the password policy options for application passwords.

- Define Character Types – used to define allowable character types: Digits, Uppercase Characters, Lowercase or Non-English Characters, Special Characters. All characters are allowed if these fields are empty.
- Days until expiration for manually set passwords – used when a user resets their own password through the Edit Preferences window. This option sets the password expiration date by adding the specified number of days to the current date. The user is required to reset their password the first time they log into IdentityIQ on or after that expiration date.
- Days until expiration for generated passwords – used when an administrator resets a user's password through the Identity Cube's Attributes page. This option sets the password expiration date by adding the specified number of days to the current date. The user is required to reset their password the first time they log into IdentityIQ on or after that expiration date.
- Minimum Hours between password changes – specifies the amount of time (in hours) that must elapse before a user can reset their own IdentityIQ login password after they have reset it once. This does not prevent an administrator from resetting the user's password and does not prevent the user from resetting the password again immediately after it was reset by an administrator.
- Require users to enter their current password when setting a new password – enables a user to change their IdentityIQ password only if they enter the correct current password for the account.

- Password history length – specifies the number of previous passwords in the password history to check against for uniqueness (prevents reuse of a password over the specified number of password changes).
- Validate passwords against the password dictionary – validates new IdentityIQ passwords against the password dictionary (see Defining a Password Policy for information on the password dictionary).
- Validate password against the identity’s list of attributes – ensures that values stored as Identity attributes (last name, department, office number, region, etc.) are not used as the password.
The Validate passwords against the Identity's account attributes option found on the application password policies does not apply to the IdentityIQ password policy. Those attributes are specific to each application and present a security risk when used in the login credentials for that specific application, but they do not pose the same risk for the IdentityIQ login.
Note: If a Password history length value is specified, the password history is stored as a <PasswordHistory> element on the Identity object, as a comma-separated list of encrypted passwords. The number of passwords stored is determined by the value set for the Password history length. IdentityIQ rejects any new IdentityIQ password for the user that matches a password in the list.
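
The following is an added example, not IdentityIQ code: a small Python model of how the two expiration options, the minimum-hours rule and the password history interact, including the case where a user changes a password immediately after an administrator reset. The class and field names are hypothetical, the history holds plain strings as a stand-in for the encrypted entries, and the model assumes the history includes the current password and is checked for both user and administrator changes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Policy:  # hypothetical field names mirroring the options above
    manual_expiry_days: int
    generated_expiry_days: int
    min_hours_between_changes: int
    history_length: int

@dataclass
class Account:
    history: List[str] = field(default_factory=list)  # stand-in for the encrypted list
    expires: Optional[datetime] = None
    last_self_change: Optional[datetime] = None  # cleared by an administrator reset

def set_password(acct, policy, new_pw, now, by_admin):
    """Apply one password change; return "ok" or the reason it was refused."""
    wait = timedelta(hours=policy.min_hours_between_changes)
    # The interval binds only a user's change that follows the user's own
    # earlier change; an administrator reset is never blocked by it.
    if not by_admin and acct.last_self_change and now - acct.last_self_change < wait:
        return "too soon"
    if new_pw in acct.history:  # assumption: checked for both kinds of change
        return "in history"
    n = policy.history_length
    acct.history = (acct.history + [new_pw])[-n:] if n > 0 else []
    days = policy.generated_expiry_days if by_admin else policy.manual_expiry_days
    acct.expires = now + timedelta(days=days)
    acct.last_self_change = None if by_admin else now
    return "ok"

def must_reset_at_login(acct, now):
    # A reset is required at the first login on or after the expiration date.
    return acct.expires is not None and now >= acct.expires

def demo():
    p = Policy(manual_expiry_days=90, generated_expiry_days=1,
               min_hours_between_changes=24, history_length=2)
    a, t0 = Account(), datetime(2024, 1, 1, 9, 0)  # constructed timeline
    h = lambda n: t0 + timedelta(hours=n)
    return [set_password(a, p, "pw-A", h(0), by_admin=False),  # first change
            set_password(a, p, "pw-B", h(2), by_admin=False),  # inside 24 h
            set_password(a, p, "pw-B", h(3), by_admin=True),   # admin reset
            set_password(a, p, "pw-A", h(4), by_admin=False),  # reuse
            set_password(a, p, "pw-C", h(4), by_admin=False)]  # right after admin

if __name__ == "__main__":
    print(demo())
```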