Password Policy
  • 30 Jul 2024

Cross Identity provides a straightforward password management system. Password management is the set of guidelines and practices that users follow when storing and changing passwords, so that unauthorized access is prevented.

To ensure that end users follow a uniform and strong password policy, an admin must configure the password policy, which can be customized to the organization's needs.

There are two parts to configuring a password policy:

  • AD Policy Sync: Password policy synchronization keeps the password complexity rules consistent between AD and Cross Identity (CI), so end users have one standard set of parameters to satisfy when setting a password. The AD attributes synced with the password policy are Minimum Password Length, Maximum Password Age, Lockout Threshold, Lockout Duration, and Password Length.

  • Set a Password Policy: You can define a password policy in Cross Identity to ensure that users choose a strong password, in line with the company's policies, when changing passwords in Cross Identity.
    Cross Identity also supports Password Sync to IGA applications, so you can set a password policy that complies with both the company's and the IGA applications' policies.

Follow the steps to set a password policy:

  1.  Navigate to Security > Password Policy.

  2. Select AD Password Sync and choose the AD directory from the drop-down to sync the password policy.

  3. Click Password Policy Sync. A pop-up confirms 'Password policy sync updated successfully'.

    Information:

    Once you sync the password policy, the five synced parameters are greyed out and cannot be changed manually.

  4. Prevent users from using user's attribute as part of password: Check the box to prevent users from including their first name, last name, email address, employee ID, mobile number, or full name in their passwords.

  5. Password blacklists help secure accounts. A list of commonly used passwords is checked on every password change so that those values cannot be set, which helps prevent account compromise. The list can be seeded with a password dictionary, and further entries can be added.
    Comparison Criteria:

    • Select Exact String Criteria if you want to reject a password only when the whole password equals an entry in the blacklisted password dictionary (with this option, 'password123' is accepted when the dictionary entry is 'password').

    • Select Sub-string compare (contains) if you want to reject a password when any part of it matches an entry in the blacklisted password dictionary. The last

    • Export Blacklisted Passwords: The blacklisted passwords held in the application can be exported to a CSV file. The administrator can add or edit passwords in this CSV file according to the tenant's requirements.

    • Import Blacklisted Passwords: After modification, the CSV file is imported back into the application. The date stamp of the last imported file is displayed beside this function.

  6. Minimum Length: Enter a password's minimum length (character) in this field.

  7. Maximum Length: Enter a password's maximum length (character) in this field.

  8. Minimum Digits: Enter the minimum number of numeric digits that should exist in a password.

  9. Minimum Upper-case characters: Enter the minimum number of Upper-case characters to be used in a password.

  10. Minimum Lowercase characters: Enter the minimum number of Lowercase characters to be used in a password.

  11. Minimum Special characters: Enter the minimum number of special characters to be used in a password.

  12. Allowed Special Characters: Enter all the special characters allowed in a password.

  13. Allow 'SPACE': Check this box to allow space characters within a password.

  14. Password History: The number of previous passwords that the user cannot set again.
    If Password History is set to `0`, a changed password is still written to the database and communicated to the respective applications, but the password history table is not updated. If the value is later changed to '2', the previously set password becomes part of the history check.

  15. Allowed maximum consecutive characters: Enter the maximum length of a run of sequential characters (characters that follow each other in alphabetical or numerical order, such as 'pq' or '123') allowed in a password.
    Example: with n set to 2, 'gpqve' is allowed because its longest sequential run ('pq') is 2 characters.
    'idefpy' is not permitted because 'def' is a run of 3, which is more than n.

  16. Allowed maximum repetitive characters: Enter the maximum number of times the same character may be repeated back to back in a password (for example, with a value of 2, 'aa' is allowed but 'aaa' is not).

  17. Password Expiration (days): Enter the number of days after which a user's password expires.

  18. Password Expiration countdown (days): If you enter '8' in this field, the user gets an email notification, starting 8 days before expiry, stating that their password will expire in 8 days.

  19. Enable password expiry email notification?: Select to enable the password expiry email notification sent to the user.

  20. Set the time (in hours) to send the password expiry email notifications: If you enter '24' in this field, the user gets a password expiry email once every 24 hours, from the first day of the Password Expiration countdown until the password expiry date.

  21. Account lockout threshold: Enter the number of failed login attempts that locks the user's account.
    Accepts only positive integers from 1 to 99.

  22. Automatically unlock user after (minutes): Enter the number of minutes after which a locked account is automatically unlocked.
    Accepts only positive integers from 1 to 999999.

  23. Click Save.
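The fields above together define a validation function that runs on every password change. The following Python is an added reference implementation of those rules, written for this article; it is not Cross Identity's own code, and the field names, the sample policy values, the constructed user attributes, the word list and the PBKDF2 parameters used for the history entries are assumptions chosen for illustration. It returns one pass/fail entry per rule, which is the shape the per-rule inline check on the Set New Password screen needs.

```python
"""Reference checker for the password-policy fields described above.

Added example, not Cross Identity code. Field names, sample values, the
constructed user attributes and the word list are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 20_000  # assumed; the product's real password verifier is not documented here


@dataclass
class PasswordPolicy:
    min_length: int = 12
    max_length: int = 64
    min_digits: int = 1
    min_upper: int = 1
    min_lower: int = 1
    min_special: int = 1
    allowed_special: str = "!@#$%^&*()-_=+"
    allow_space: bool = False
    history_size: int = 5              # 0 disables the history check
    max_consecutive: int = 2           # longest run of sequential characters (pq, 123)
    max_repetitive: int = 2            # longest run of one repeated character (aa, 111)
    block_user_attributes: bool = True
    blacklist_mode: str = "substring"  # "exact" or "substring", the two comparison criteria
    blacklist: frozenset = frozenset({"password", "welcome", "qwerty", "letmein"})


def longest_sequential_run(pw):
    """Longest run where each character is the next code point (ascending, case-insensitive)."""
    if not pw:
        return 0
    low = pw.lower()
    best = run = 1
    for prev, cur in zip(low, low[1:]):
        run = run + 1 if ord(cur) == ord(prev) + 1 else 1
        best = max(best, run)
    return best


def longest_repeat_run(pw):
    """Longest run of the same character repeated back to back."""
    if not pw:
        return 0
    best = run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def history_entry(pw):
    """Store previous passwords as salted PBKDF2 digests, never as plaintext."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def _in_history(pw, entry):
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_password(pw, policy, user_attrs=(), history=()):
    """Return {rule: passed} for every configured rule, one entry per line of the inline check."""
    low = pw.lower()
    specials = [c for c in pw if not c.isalnum() and not c.isspace()]
    results = {
        "min_length": len(pw) >= policy.min_length,
        "max_length": len(pw) <= policy.max_length,
        "min_digits": sum(c.isdigit() for c in pw) >= policy.min_digits,
        "min_upper": sum(c.isupper() for c in pw) >= policy.min_upper,
        "min_lower": sum(c.islower() for c in pw) >= policy.min_lower,
        "min_special": len(specials) >= policy.min_special,
        "allowed_special": all(c in policy.allowed_special for c in specials),
        "space": policy.allow_space or " " not in pw,
        "max_consecutive": longest_sequential_run(pw) <= policy.max_consecutive,
        "max_repetitive": longest_repeat_run(pw) <= policy.max_repetitive,
    }
    if policy.block_user_attributes:
        # First name, last name, e-mail, employee ID, mobile number, full name. Values shorter
        # than three characters are skipped (assumption) so a two-letter name cannot block everything.
        attrs = [a.lower() for a in user_attrs if a and len(a) >= 3]
        results["user_attributes"] = not any(a in low for a in attrs)
    if policy.blacklist_mode == "exact":
        results["blacklist"] = low not in policy.blacklist
    else:
        results["blacklist"] = not any(word in low for word in policy.blacklist)
    if policy.history_size > 0:  # history 0 means no history check at all
        recent = list(history)[-policy.history_size:]
        results["history"] = not any(_in_history(pw, e) for e in recent)
    return results


def failed_rules(results):
    """Names of the rules that would show a red cross on the Set New Password screen."""
    return sorted(rule for rule, ok in results.items() if not ok)


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample identity and history, not real data.
    attrs = ("Alice", "Smith", "alice.smith@example.com", "E10442", "5555550100", "Alice Smith")
    history = [history_entry("Winter-Brick!88"), history_entry("Lamp#Orchard-41")]
    for candidate in ("Alice12345!", "Tr0ub4dor&3Xq", "Lamp#Orchard-41"):
        print(candidate, failed_rules(check_password(candidate, policy, attrs, history)))
```

Two design points worth noting: the substring blacklist mode rejects 'MyPassword#2024' while exact mode accepts it, which is why the comparison criterion matters more than the size of the dictionary; and history entries are kept as salted slow hashes rather than plaintext, so a leaked history table does not hand over every password a user has ever chosen.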

Inline Check on Password Policy

  1. When a user creates a new password, or changes or resets an existing one, they can see whether the password complies with the password policy.
    Before you enter a new password in the Set New Password screen, every policy rule listed on the right of the screen shows a RED cross mark.

  2. As you type the new password, the mark against each rule on the right turns into a GREEN tick once that condition is met.

  3. The tick against the Confirm Password Matched rule turns green only when Confirm New Password matches New Password.
    The Proceed button is enabled only after the Confirm Password matches.
