Skip to content

Password Requirements

You can set requirements that users must follow when creating or editing a password policy.

Password changes made within Identity Security Cloud are evaluated by SailPoint before being sent to the source system. If the user has multiple accounts on a source, they will be prompted to select which account to change.

A password policy with all password requirement options displayed.

Password Requirement Options

Requirement Title Description Default Value Example Value Valid Password Invalid Password
Maximum length The maximum number of characters allowed. None 12 password passwordpassword
Minimum length The minimum number of characters allowed. 8 8 password pass
Minimum letters The minimum number of letters. 1 2 password, a123Z, BR650 p12345
Minimum uppercase The minimum number of uppercase letters. 0 2 PAssword, PASSWORD password, Password
Minimum lowercase The minimum number of lowercase letters. 0 2 PASSWOrd, password PASSWORD
Minimum digits The minimum number of digits. 1 2 password12 password1
Minimum special characters The minimum number of special characters that are not letters or digits.

Passwords cannot include : or non-English characters like £, ß, and Ã.
0 2

Acceptable special characters are: ~!@#$%^*()/_+-`={}\|][;?,.&><'" and spaces.
p@$sword p@ssword, p@ssword1
Minimum character types The number of categories required (uppercase, lowercase, digits, and special characters) described above.

Best practice: Set each category to 1 and then set Minimum character types to equal the number of categories you configured.
None

Selected options: Minimum uppercase, Minimum lowercase, Minimum digits
Password1 password, password1
Maximum repeated characters The maximum number of times a character may be repeated after the first occurrence. All 2 password passsword
Prevent use of account attributes Prevent users from including attribute values from their account on the source in their password. Unchecked In Active Directory:

Display name: John Smith

Phone: 555-555-1234
password password5555551234, passwordJohn
Prevent use of identity attributes Prevent users from including attribute values from their Identity Security Cloud account in their password. Unchecked In Identity Security Cloud:

Display name: John Smith

Phone: 555-555-1234
password password5555551234, passwordJohn
Disallow display name fragments Prevent users from including any part of their Identity Security Cloud display name with a length greater than the Fragment char length in their password. Unchecked Fragment char value: All Display name: John Smith

Fragment char length: 3
password, passwordJoh, passwordSmi passwordJohnSmith, passwordJohn, JohnSmith, hnSm
Disallow account ID fragments Prevents users from including any part of their Identity Security Cloud account ID in their password with a length greater than the Fragment char length. Unchecked Fragment char value: All Account ID: john.smith

Fragment char length: 3
password, passwordjoh, passwordsmi passwordjohn, passwordn.smi

You can further customize your password requirements by creating a password dictionary. If you select the checkbox for Prevent use of words in this site's password dictionary, users of your site won't be allowed to use words in the password dictionary.

Note

Identity Security Cloud cannot process non-English characters as letters. For example, you cannot use the non-English characters ©, £, ß,, or Ã. If you have users who are likely to use non-English characters in their password, we recommend that you don't set a minimum letter limit for their passwords so they can set their passwords more easily.

Evaluating and Enforcing Password Changes

Password changes made within Identity Security Cloud are evaluated by SailPoint before being sent to the source system.

If the password meets the requirements of the Identity Security Cloud password policy attached to your source, the changed password is sent to the source system, which may have its own set of policy requirements beyond those defined in Identity Security Cloud. For example, Active Directory allows you to configure requirements related to how recently a password was changed or whether a new password matches a previous password.

If the password change passes both policies, the password is changed on the source system.

If the password change fails, the user is notified through the App Password Changed email or the User Password Changed email. The password failure is included in your audit events in Search.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.