Password policy
Safewhere Identify uses a number of rules to validate every new password set or generated. Some rules apply to passwords of all users and some only apply to administrative users. The built-in validation rules are:
- Not repeated password validation rule
- Not contain claim value validation rule
- Password strength validation rule
- Regex password validation rule
- Password leak database validation rule
Each validation rule will be described in detail in separate sections below.
Not repeated password validation rule
This validation rule means that a user cannot re-use the last N passwords, with N being the value of the "The number of old passwords remembered in history" setting found in System Settings.
The default value is 30. The setting must be greater than or equal to 0. If you set it to 0, the rule is ignored.
Not contain claim value validation rule
This validation rule ensures that a user's password cannot contain any of the user's claim values that are longer than 3 characters. Since the username is itself a claim, this also means the password cannot contain the username. The comparison is case-insensitive.
Password strength validation rule
This validation rule differs from the others in that it applies only to admin users, when a password is set or reset using Identify Configurator, Identify Admin v2, the REST API, or Password Reset.
The rule only allows complex passwords with a strength level greater than or equal to level 3 (a.k.a. the strong level). The level is computed by the zxcvbn-core library: https://github.com/trichards57/zxcvbn-cs
Hence, while validating an admin's password, the help text for the password policy is:
A valid password for the administrator account must have from 8-100 characters and is rated as either strong or very strong. In addition, it must not contain a username but must contain at least 1 upper and 1 lower alphanumeric character and at least 1 digit.
Regex validation rule
The default regular expression used to validate passwords is:
^(?=.*?\d)(?=.*[a-z])(?=.*[A-Z])(\w|[!@#\(%<>/]){8,100}\)
And its help text is:
A valid password must have from 8-100 characters. In addition, it must not contain a username but must contain at least 1 upper and 1 lower alphanumeric character and at least 1 digit.
This regular expression affects validation of passwords on all applications including Identify Runtime, REST API, Identify Admin v2, IdentifyMe, and Password reset.
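The three rules that can be checked without an external service (the not-repeated rule, the not-contain-claim-value rule, and the regex rule) are shown together below as an added example in Python. It is illustrative code written for this page, not Safewhere Identify's own implementation. It assumes that the default regex as printed on the page lost its `*` quantifiers to extraction and that its trailing `\)` was a `$` end-of-string anchor; the claim values, history entries and PBKDF2 iteration count are constructed for the demo, and the history is kept as per-entry salted hashes rather than plaintext, which is how a password history should be stored.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from typing import Iterable, List, Tuple

# Reconstruction of the page's default regex (assumption: the '*' quantifiers
# were eaten by extraction and the trailing '\)' was a '$' anchor).
DEFAULT_PASSWORD_REGEX = re.compile(
    r"^(?=.*?\d)(?=.*[a-z])(?=.*[A-Z])(\w|[!@#\(%<>/]){8,100}$"
)
# Help text quoted from the page.
REGEX_HELP_TEXT = (
    "A valid password must have from 8-100 characters. In addition, it must "
    "not contain a username but must contain at least 1 upper and 1 lower "
    "alphanumeric character and at least 1 digit."
)
MIN_CLAIM_VALUE_LENGTH = 4   # the page checks claim values longer than 3 characters
PBKDF2_ITERATIONS = 10_000   # kept low for the demo; a real deployment uses far more


def hash_password(password: str, salt: bytes | None = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for one history entry, with a fresh salt per entry."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def is_in_history(password: str, history: List[Tuple[bytes, bytes]], remembered: int) -> bool:
    """Not-repeated rule: True if the password equals one of the last `remembered` entries.
    0 disables the rule; it must be checked explicitly because history[-0:] is the whole list."""
    if remembered <= 0:
        return False
    for salt, digest in history[-remembered:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def claim_values_in_password(password: str, claim_values: Iterable[str]) -> List[str]:
    """Not-contain-claim-value rule: case-insensitive substring check on values longer than 3 chars."""
    folded = password.casefold()
    return [v for v in claim_values
            if len(v) >= MIN_CLAIM_VALUE_LENGTH and v.casefold() in folded]


def matches_regex(password: str, pattern: re.Pattern = DEFAULT_PASSWORD_REGEX) -> bool:
    """Regex rule: fullmatch so a trailing newline cannot slip past the '$' anchor."""
    return pattern.fullmatch(password) is not None


def validate_password(password: str, claim_values: Iterable[str],
                      history: Iterable[Tuple[bytes, bytes]] = (), remembered: int = 30) -> List[str]:
    """Run the three rules and return the list of error messages (empty means accepted)."""
    errors: List[str] = []
    if is_in_history(password, list(history), remembered):
        errors.append("The password has been used recently.")
    hits = claim_values_in_password(password, claim_values)
    if hits:
        errors.append("The password contains claim value(s): " + ", ".join(hits))
    if not matches_regex(password):
        errors.append(REGEX_HELP_TEXT)
    return errors


if __name__ == "__main__":
    # Constructed sample data for the demo, not from any real deployment.
    claims = ["alice", "alice@example.com", "Copenhagen", "bob"]
    history = [hash_password("OldPass1word"), hash_password("OldPass2word")]
    for pw in ["Str0ngPass!", "Alice2024xyz", "COPENHAGEN2024Aa",
               "short1A", "Valid$Pass1", "OldPass1word"]:
        print(f"{pw!r:22} -> {validate_password(pw, claims, history) or 'OK'}")
```

Two things the run makes visible that the prose does not: the reconstructed regex accepts only `\w` plus `!@#(%<>/` as characters, so a password such as `Valid$Pass1` is rejected even though it satisfies the stated length and character-class requirements in the help text; and a three-character claim value such as `bob` never triggers the claim rule, exactly as the "longer than 3" wording says.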
Password leak database validation rule
This policy proactively checks that a chosen password has not already been compromised in a previous data breach. By comparing passwords against the extensive database of known compromised passwords maintained by the Have I Been Pwned service, it adds a further layer of defense for users' passwords.
As part of the password leak database verification policy, there are two settings designed to control your password management strategy.
Password leak check on new passwords:
By default, this setting is set to False. When enabled, Identify queries the Have I Been Pwned service each time a user creates or updates a password. The policy is applied to Runtime, Admin, IdentifyMe and the REST API.
Password leak threshold:
Weak or commonly used passwords are shared by many users and therefore appear more frequently in the leak database. This setting lets you set the threshold for the number of times a password may appear in the leak database. If the count exceeds this threshold, Identify shows the error message "The password is not secure because it has been found in a database of leaked passwords." and prompts the user to choose another password. Its default value is 100.
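The threshold logic above, as an added Python example that is not Safewhere's code. It uses the k-anonymity range lookup that the Have I Been Pwned Pwned Passwords API offers (only the first five hex characters of the password's SHA-1 leave the machine; the API returns `SUFFIX:COUNT` lines for that prefix), and it reads the page's "exceeds this threshold" as a strict greater-than comparison, which is an assumption. The counts in the offline stand-in are constructed for the demo; the network fetcher is included for completeness but is not called by the demo, so the block runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"   # HIBP range endpoint
DEFAULT_THRESHOLD = 100                                      # page default
ERROR_TEXT = ("The password is not secure because it has been found in a "
              "database of leaked passwords.")               # message quoted from the page


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to the API and the local suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated) into {suffix: count}; blank lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def leak_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the leak database (0 when absent)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def is_leaked(password: str, threshold: int, fetch_range: Callable[[str], str]) -> bool:
    """Assumed reading of the page: reject only when the count exceeds the threshold."""
    return leak_count(password, fetch_range) > threshold


def check_password(password: str, threshold: int = DEFAULT_THRESHOLD,
                   fetch_range: Callable[[str], str] = None) -> str:
    """Return the page's error text when the password is rejected, else an empty string."""
    fetch_range = fetch_range or CONSTRUCTED_FETCH
    return ERROR_TEXT if is_leaked(password, threshold, fetch_range) else ""


def fetch_range_from_hibp(prefix: str) -> str:
    """Real lookup (not used by the offline demo): sends only the 5-char prefix."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-policy-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def build_constructed_store(counts: Dict[str, int]) -> Callable[[str], str]:
    """Offline stand-in for the range API, built from constructed (password, count) pairs."""
    store: Dict[str, list] = {}
    for pw, n in counts.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        store.setdefault(prefix, []).append(f"{suffix}:{n}")
    return lambda prefix: "\r\n".join(store.get(prefix, []))


# Constructed counts for the demo; they are not real HIBP figures.
CONSTRUCTED_FETCH = build_constructed_store({
    "password": 3_861_493,     # far above the threshold
    "Winter2024!": 101,        # one above the default threshold: rejected
    "Autumn2024!": 100,        # exactly at the threshold: accepted under ">"
})

if __name__ == "__main__":
    for pw in ["password", "Winter2024!", "Autumn2024!", "c0rrect-horse-battery"]:
        print(f"{pw!r:24} count={leak_count(pw, CONSTRUCTED_FETCH):>8}  "
              f"{check_password(pw) or 'accepted'}")
```

Because the API is queried by hash prefix, the same constructed store answers for any password whose prefix it knows, and an unknown prefix simply yields an empty response and a count of 0; that is also why a misconfigured threshold of 0 rejects every password that appears even once.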
Other password-related settings
The Organization has a couple of settings that can affect how passwords are used.