Password Requirements
When creating or editing a password policy, you can set the requirements that users' passwords must meet.
Password changes made within Identity Security Cloud are evaluated by SailPoint before being sent to the source system. If the user has multiple accounts on a source, they will be prompted to select which account to change.
Password Requirement Options
Requirement Title | Description | Default Value | Example Value | Valid Password | Invalid Password |
---|---|---|---|---|---|
Maximum length | The maximum number of characters allowed. | None | 12 | password | passwordpassword |
Minimum length | The minimum number of characters allowed. | 8 | 8 | password | pass |
Minimum letters | The minimum number of letters. | 1 | 2 | password, a123Z, BR650 | p12345 |
Minimum uppercase | The minimum number of uppercase letters. | 0 | 2 | PAssword, PASSWORD | password, Password |
Minimum lowercase | The minimum number of lowercase letters. | 0 | 2 | PASSWOrd, password | PASSWORD |
Minimum digits | The minimum number of digits. | 1 | 2 | password12 | password1 |
Minimum special characters | The minimum number of special characters that are not letters or digits. Passwords cannot include : or non-English characters like £, ß, and à. | 0 | 2. Acceptable special characters are: ~!@#$%^*()/_+-`={}\|][;?,.&><'" and spaces. | p@$sword | p@ssword, p@ssword1 |
Minimum character types | The number of categories required (uppercase, lowercase, digits, and special characters) described above. Best practice: Set each category to 1 and then set Minimum character types to equal the number of categories you configured. | None | 3. Selected options: Minimum uppercase, Minimum lowercase, Minimum digits | Password1 | password, password1 |
Maximum consecutive characters | The maximum number of times a character may be repeated consecutively after the first occurrence. | All | 2 | password | passsword |
Prevent use of account attributes | Prevent users from including attribute values from their account on the source in their password. | Unchecked | In Active Directory: Display name: John Smith; Phone: 555-555-1234 | password | password5555551234, passwordJohn |
Prevent use of identity attributes | Prevent users from including attribute values from their Identity Security Cloud account in their password. | Unchecked | In Identity Security Cloud: Display name: John Smith; Phone: 555-555-1234 | password | password5555551234, passwordJohn |
Disallow display name fragments | Prevent users from including any part of their Identity Security Cloud display name with a length greater than the Fragment char length in their password. | Unchecked; Fragment char value: All | Display name: John Smith; Fragment char length: 3 | password, passwordJoh, passwordSmi | passwordJohnSmith, passwordJohn, JohnSmith, hnSm |
Disallow account ID fragments | Prevents users from including any part of their Identity Security Cloud account ID in their password with a length greater than the Fragment char length. | Unchecked; Fragment char value: All | Account ID: john.smith; Fragment char length: 3 | password, passwordjoh, passwordsmi | passwordjohn, passwordn.smi |
You can further customize your password requirements by creating a password dictionary. If you select the checkbox for Prevent use of words in this site's password dictionary, users of your site won't be allowed to use words in the password dictionary.
Note
Identity Security Cloud cannot process non-English characters as letters. For example, you cannot use the non-English characters ©, £, ß, ひ, or Ã. If you have users who are likely to use non-English characters in their password, we recommend that you don't set a minimum letter limit for their passwords so they can set their passwords more easily.
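The character and fragment rules from the table and note above, written as an added offline checker for trying sample passwords against intended policy values (example code, not SailPoint's implementation). The policy dict keys and function names are hypothetical; case-insensitive fragment matching, dropping spaces from the display name, and counting all four categories toward Minimum character types are assumptions inferred from the table's examples.

```python
import string

# Acceptable special characters as listed on the page, plus space.
# Assumption: the page's "\|" is an escaped pipe, so backslash is not included.
ALLOWED_SPECIAL = set("~!@#$%^*()/_+-`={}|][;?,.&><'\" ")
CLASSES = {"uppercase": string.ascii_uppercase, "lowercase": string.ascii_lowercase,
           "digits": string.digits, "special": ALLOWED_SPECIAL}

def char_counts(password):
    """Count characters per category; None if any character is not accepted."""
    counts = dict.fromkeys(CLASSES, 0)
    for ch in password:
        name = next((n for n, chars in CLASSES.items() if ch in chars), None)
        if name is None:          # ':' or non-English characters such as £, ß, à
            return None
        counts[name] += 1
    return counts

def has_fragment(password, value, fragment_len):
    """True if password contains a piece of value longer than fragment_len."""
    hay = password.lower()                     # assumption: case is ignored
    needle = "".join(value.split()).lower()    # assumption: spaces are dropped
    n = fragment_len + 1
    return any(needle[i:i + n] in hay for i in range(len(needle) - n + 1))

def check(password, policy, display_name="", account_id=""):
    """Return titles of the requirements the password fails (policy: hypothetical dict)."""
    counts = char_counts(password)
    if counts is None:
        return ["Unsupported character"]
    failed = []
    if len(password) < policy.get("min_length", 0):
        failed.append("Minimum length")
    if len(password) > policy.get("max_length", len(password)):
        failed.append("Maximum length")
    if counts["uppercase"] + counts["lowercase"] < policy.get("min_letters", 0):
        failed.append("Minimum letters")
    for name in CLASSES:
        if counts[name] < policy.get("min_" + name, 0):
            failed.append("Minimum " + name.replace("special", "special characters"))
    # Assumption: a character type counts once at least one such character is present.
    if sum(1 for c in counts.values() if c) < policy.get("min_types", 0):
        failed.append("Minimum character types")
    for value, title in ((display_name, "display name"), (account_id, "account ID")):
        if "fragment_len" in policy and has_fragment(password, value, policy["fragment_len"]):
            failed.append(f"Disallow {title} fragments")
    return failed
```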
Evaluating and Enforcing Password Changes
Password changes made within Identity Security Cloud are evaluated by SailPoint before being sent to the source system.
If the password meets the requirements of the Identity Security Cloud password policy attached to your source, the changed password is sent to the source system, which may have its own set of policy requirements beyond those defined in Identity Security Cloud. For example, Active Directory allows you to configure requirements related to how recently a password was changed or whether a new password matches a previous password.
If the password change passes both policies, the password is changed on the source system.
If the password change fails, the user is notified through the App Password Changed email or the User Password Changed email. The password failure is included in your audit events in Search.