Password Requirements
You can set requirements that users must follow when creating or editing a password policy.
Password changes made within IdentityNow are evaluated by SailPoint before being sent to the source system.
Password Requirement Options
| Requirement Title | Description | Default Value | Example Value | Valid Password | Invalid Password |
|---|---|---|---|---|---|
| Maximum length | The maximum number of characters allowed. | None | 12 | password | passwordpassword |
| Minimum length | The minimum number of characters allowed. | 8 | 8 | password | pass |
| Minimum letters | The minimum number of letters. | 1 | 2 | password, a123Z, BR650 | p12345 |
| Minimum uppercase | The minimum number of uppercase letters. | 0 | 2 | PAssword, PASSWORD | password, Password |
| Minimum lowercase | The minimum number of lowercase letters. | 0 | 2 | PASSWOrd, password | PASSWORD |
| Minimum digits | The minimum number of digits. | 1 | 2 | password12 | password1 |
| Minimum special characters | The minimum number of special characters that are not letters or digits. Passwords cannot include : or non-English characters like £, ß, and Ã. |
0 | 2 Acceptable special characters are: ~!@#$%^*()/_+-`={}\|][;?,.&><'" and spaces. |
p@$sword | p@ssword, p@ssword1 |
| Minimum character types | The number of categories required (uppercase, lowercase, digits, and special characters) described above. Best practice: Set each category to 1 and then set Minimum character types to equal the number of categories you configured. |
None | 3 Selected options: Minimum uppercase, Minimum lowercase, Minimum digits |
Password1 | password, password1 |
| Maximum repeated characters | The maximum number of times a character may be repeated after the first occurrence. | All | 2 | password | passsword |
| Prevent use of account attributes | Prevent users from including attribute values from their account on the source in their password. | Unchecked | In Active Directory: Display name: John Smith Phone: 555-555-1234 |
password | password5555551234, passwordJohn |
| Prevent use of identity attributes | Prevent users from including attribute values from their IdentityNow account in their password. | Unchecked | In IdentityNow: Display name: John Smith Phone: 555-555-1234 |
password | password5555551234, passwordJohn |
| Disallow display name fragments | Prevent users from including any part of their IdentityNow display name with a length greater than the Fragment char length in their password. | Unchecked Fragment char value: All | Display name: John Smith Fragment char length: 3 |
password, passwordJoh, passwordSmi | passwordJohnSmith, passwordJohn, JohnSmith, hnSm |
| Disallow account ID fragments | Prevents users from including any part of their IdentityNow account ID in their password with a length greater than the Fragment char length. | Unchecked Fragment char value: All | Account ID: john.smith Fragment char length: 3 |
password, passwordjoh, passwordsmi | passwordjohn, passwordn.smi |
You can further customize your password requirements by creating a password dictionary. If you select the checkbox for Prevent use of words in this site's password dictionary, users of your site won't be allowed to use words in the password dictionary.
Note
IdentityNow cannot process non-English characters as letters. For example, you cannot use the non-English characters ©, £, ß,ひ, or Ã. If you have users who are likely to use non-English characters in their password, we recommend that you don't set a minimum letter limit for their passwords so they can set their passwords more easily.
Evaluating and Enforcing Password Changes
Password changes made within IdentityNow are evaluated by SailPoint before being sent to the source system.
If the password meets the requirements of the IdentityNow password policy attached to your source, the changed password is sent to the source system, which may have its own set of policy requirements beyond those defined in IdentityNow. For example, Active Directory allows you to configure requirements related to how recently a password was changed or whether a new password matches a previous password.
If the password change passes both policies, the password is changed on the source system.
If the password change fails, the user is notified through the App Password Changed email or the User Password Changed email. The password failure is included in your audit events in Search.