Password Policy

Safewhere Identify uses a number of rules to validate every new password set or generated. Some rules apply to passwords of all users and some only apply to administrative users. The built-in validation rules are:

  • Not repeated password validation rule
  • Not contain claim value validation rule
  • Password strength validation rule
  • Regex password validation rule

Each validation rule will be described in detail in separate sections below.

Not repeated password validation rule

This validation rule means that a user cannot re-use any of their last N passwords, where N is the value of the setting "The number of old passwords remembered in history" found in System Settings.

The default value is 30. The setting must be greater than or equal to 0. If you set it to 0, the rule is ignored.

Not contain claim value validation rule

This validation rule ensures that a user's password cannot contain any of the user's claim values that are longer than 3 characters. Because the username is itself a claim value, this also means the password cannot contain the username. The comparison is case-insensitive.

Password strength validation rule

This validation rule differs from the others in that it applies only to administrative users, and it is enforced whenever a password is set or reset through Identify Configurator, Identify Admin v2, the REST API, or Password Reset.

The rule only accepts passwords whose strength level is greater than or equal to 3 (a.k.a. the strong level). The level is computed by the zxcvbn-core library, a C# port of zxcvbn:

https://github.com/trichards57/zxcvbn-cs

Hence, while validating an administrator's password, the help text for the password policy is:

A valid password for the administrator account must have from 8-100 characters and is rated as either strong or very strong. In addition, it must not contain a username but must contain at least 1 upper and 1 lower alphanumeric character and at least 1 digit.

Regex password validation rule

The default regular expression used to validate passwords is:

^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(\w|[!@#$%<>/]){8,100}$

And its help text is:

A valid password must have from 8-100 characters. In addition, it must not contain a username but must contain at least 1 upper and 1 lower alphanumeric character and at least 1 digit.
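To show how the four rules above combine, here is an added Python example that is not part of Safewhere Identify's own code: it applies the default regex, the case-insensitive claim-value check, the password-history check, and (for administrators only) the zxcvbn strength threshold of 3. It assumes a zxcvbn-style scorer is supplied by the caller, since the library is not bundled here, and uses plain string equality as a stand-in for the hash verification a real password store would perform; the sample claims and passwords are constructed.

```python
import re
from typing import Callable, Iterable, List

# Default rule from the documentation above (.NET syntax that Python's re also accepts).
DEFAULT_PASSWORD_REGEX = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(\w|[!@#$%<>/]){8,100}$")


def violates_regex(password: str) -> bool:
    """True when the password fails the 8-100 char / digit / lower / upper rule."""
    return DEFAULT_PASSWORD_REGEX.match(password) is None


def violates_claim_values(password: str, claim_values: Iterable[str]) -> List[str]:
    """Returns the claim values longer than 3 characters that occur in the password (case-insensitive)."""
    lowered = password.lower()
    return [v for v in claim_values if len(v) > 3 and v.lower() in lowered]


def violates_history(password: str, history: List[str], remembered: int,
                     matches: Callable[[str, str], bool]) -> bool:
    """True when the password matches one of the last `remembered` entries; 0 disables the rule.
    `matches` is an assumption: a real store keeps hashes and would use a hash verifier here."""
    if remembered <= 0:
        return False
    return any(matches(password, old) for old in history[-remembered:])


def validate(password: str, claim_values: Iterable[str], history: List[str], remembered: int,
             is_admin: bool, strength_score: Callable[[str], int],
             matches: Callable[[str, str], bool]) -> List[str]:
    """Runs every rule and returns the names of the ones that failed (empty list = accepted).
    `strength_score` is assumed to be a zxcvbn-style scorer returning 0-4; admins need >= 3."""
    errors = []
    if violates_regex(password):
        errors.append("regex")
    hits = violates_claim_values(password, claim_values)
    if hits:
        errors.append("claim-value:" + ",".join(hits))
    if violates_history(password, history, remembered, matches):
        errors.append("history")
    if is_admin and strength_score(password) < 3:
        errors.append("strength")
    return errors


if __name__ == "__main__":
    # Constructed sample user: claim values as a typical profile would carry them.
    claims = ["john.doe@example.com", "John", "Doe", "DK"]
    plain_equal = lambda new, old: new == old   # stand-in for hash verification
    weak_scorer = lambda pw: 2                  # stand-in for zxcvbn (score 0-4)
    print(validate("MyJohnDoe1", claims, ["Old1pass!"], 30, True, weak_scorer, plain_equal))
```

Note that the regex on its own cannot enforce the "must not contain a username" clause of the help text; that part of the policy is delivered by the claim-value rule, which is why both run together.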

Other password-related settings

Organization has a couple of settings that can affect how passwords are used.