
Password Policies

New in Vinyl 3.2, an Administrator User can configure multiple Password Policy types, as needed, to increase overall security. Password Policies are configured in Vinyl at the individual Security Provider level.

The message a User sees when they try to set a Password that doesn't conform to a Password Policy is generally configurable through the Vinyl screens. For example: "The password was used previously."

Password Policy Types available to configure include the following, which can be Enabled or Disabled by Policy Type:

  • Characters
  • History
  • Length
  • Repetition
  • User Name

Password Policy Types

Characters Policy

  • The Characters Policy ensures the password contains at least one character from the selected character classes, including Lowercase letters, Uppercase letters, Numeric values, and Special characters (punctuation and symbols)
  • This Policy is disabled by default


History Policy

  • The History Policy checks to see if the password has already been used
  • This Policy is enabled by default


Length Policy

  • The Length Policy ensures the password is at least N characters in length. Length is determined by MinLength, which defaults to 10.
  • It also ensures the password is no more than N characters in length. Length is determined by MaxLength, which defaults to 128.
  • This Policy is enabled by default


Repetition Policy

  • The Repetition Policy checks for repeating characters (aaa), where the maximum allowed number of repeating characters is determined by MaxRepeatingCharacters, which defaults to 2.
  • It also checks for a repeating, consecutive group of characters (123123), where the minimum number of characters in a group is determined by MinRepeatingGroupCharacters, which defaults to 3.
  • This Policy is enabled by default


User Name Policy

  • The User Name Policy ensures the password does not contain the User Name
  • This Policy is enabled by default


Configuration and Usage

Password policies can be configured by navigating to the Security Providers page, selecting the Local User authentication provider, and clicking the Policies button under Passwords. Changes made to this area are automatically saved and applied upon exiting out of the field you are editing.

  1. Navigate to the IDE > Security Providers
  2. Select the Local User authentication provider, click Open record
  3. From the Provider panel, click Policies under the Passwords section
  4. Select the appropriate Policy Type to configure. For example: Characters
  5. Make any changes required
  6. Test to confirm the policy configuration is working as expected
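
To build test cases for step 6, the following added Python sketch (not Vinyl code) models the five Policy Types with the defaults documented above and reports which ones a candidate password fails. The regular expressions used for the Repetition rules, case-insensitive User Name matching, requiring all four character classes, and the salted-hash history store are assumptions about behavior this page does not specify.

```python
import hashlib
import hmac
import re

# Enabled flags and limits follow the defaults documented on this page.
DEFAULTS = {
    "characters": False, "history": True, "length": True,
    "repetition": True, "username": True,
    "MinLength": 10, "MaxLength": 128,
    "MaxRepeatingCharacters": 2, "MinRepeatingGroupCharacters": 3,
}

def hash_pw(password, salt):
    # Assumption: history holds salted hashes; PBKDF2 is a stand-in here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def violations(password, username, history=(), cfg=DEFAULTS):
    """Return the Policy Types (in page order) that the candidate fails."""
    failed = []
    if cfg["characters"]:
        # Assumption: all four character classes are selected.
        classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
        if not all(re.search(c, password) for c in classes):
            failed.append("Characters")
    if cfg["history"] and any(
            hmac.compare_digest(hash_pw(password, s), h) for s, h in history):
        failed.append("History")
    if cfg["length"] and not cfg["MinLength"] <= len(password) <= cfg["MaxLength"]:
        failed.append("Length")
    if cfg["repetition"]:
        # A run longer than MaxRepeatingCharacters, e.g. "aaa" when max is 2.
        run = r"(.)\1{%d,}" % cfg["MaxRepeatingCharacters"]
        # A group of at least N characters immediately repeated, e.g. "123123".
        group = r"(.{%d,})\1" % cfg["MinRepeatingGroupCharacters"]
        if re.search(run, password) or re.search(group, password):
            failed.append("Repetition")
    if cfg["username"] and username and username.lower() in password.lower():
        failed.append("User Name")
    return failed

if __name__ == "__main__":
    # Constructed candidates for a constructed user "jsmith".
    for pw in ["Tr1cky-Horse-Battery", "short", "blue123123sky",
               "paaassword12", "xxJSmith-2024-ok"]:
        print(f"{pw!r:26} -> {violations(pw, 'jsmith') or 'accepted'}")
```

Entering the same candidates through the Vinyl password screens and comparing the outcomes shows where the product's matching rules differ from these assumptions.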

Design Notes and Requirements

  • The Policies button should only be available for the Local User authentication provider.
  • The History button should only be available for the Local User authentication provider.
  • Administrators cannot add or remove password policies.
  • Administrators can enable or disable password policies.
  • Administrators can set the password policy validation message.
  • Password policy messages are translated.
  • Individual password policies allow additional configuration, such as the minimum password length.
  • The Characters policy is disabled by default. All other policies are enabled by default.