Modify password authenticator settings

Password settings determine the requirements for Identity as a Service passwords, including password reset.

Modify password settings

1.      Click > Policies > Authenticators. The Authenticators page appears.

2.      Select Password. The Password settings appear.

3.      Set Minimum Length to the minimum number of characters a password must contain. The maximum password length is 255 characters.

4.      Set Maximum Length to the maximum number of characters a password can contain. The maximum password length is 255 characters.

5.      Set Lifetime Days to the number of days a password is valid.

This setting defines the value of the Default Password Lifetime set for a user's password authenticator (see Assign a password authenticator). A value of 0 sets the password to never expire. The default password lifetime is 90 days. The maximum is 36,500 days. The value cannot be less than the setting for the Minimum Lifetime.

6.      Set Minimum Lifetime to the number of days a user must wait between creating and changing their password.

7.      Set Password Kept in History to the number of previous passwords stored in the account password history. This setting prevents users from reusing recent passwords.

The maximum number of passwords is 255. Enter a value of 0 to disable the password history.

8.      Select the Minimum Password Strength from the drop-down list. A number of factors, such as common passwords, names, phrases, and character repetition determine the strength of a password. The default setting is Good.

9.      Select Allow Compromised Passwords to allow IDaaS to add a new password that has been found in a list of passwords compromised in breaches of external sites. Entrust recommends that compromised passwords should not be allowed. The default is false.

10.  Optional: Select Active Directory Complexity Requirements to require that any password entered during a password reset or password change meets the password requirements included in the user's Active Directory.

Note: The Active Directory password must contain characters from three of the following categories:
- Uppercase
- Lowercase
- Number
- Special character
- Unicode (permitted for on-premise directories only)

To use the Password Reset feature for Active Directory users, you must align the Identity as a Service password settings with the password rules defined in the AD Global Policy. If you do not align the settings, Active Directory could reject the password.

See the mapping of AD password settings to Identity as a Service password settings.

Note: The Active Directory settings enforce the Lifetime Days, Maximum Lifetime, and Passwords Kept in History setting values. The Active Directory password complexity requirements are also enforced when resetting an Active Directory password.

11.  If you enable Active Directory Complexity Requirements, skip to step 10. If you do not enable this feature, complete the following remaining steps:

a.      Set Protection Type to either Hashed or Encrypted (Supports CHAP/MSCHAP authentication). You must select Encrypted (Supports CHAP/MSCHAP authentication) to use a CHAP/MSCHAP authentication protocol.

Note: This setting only applies to new passwords. The password must be changed on Identity as a Service for changes to the Protection Type to be applied to the password.

b.      From the Include Number drop-down list, select the numeric character requirements.

Tip: To create a password that is all numerals, such as for ATM access, set this option to Required, and set the options for letters and special characters to Not allowed.

c.      Set Number of Numeric Characters if Required to the minimum number of numerals the password must contain when Required is set for Include Number. The Required value cannot exceed 255.

d.      From the Include Uppercase Letter drop-down list, select the uppercase letter requirements.

e.      Set Number of Uppercase Characters if Required to the minimum number of uppercase letters the password must contain when Required is set for Include Uppercase Letter. The Required value cannot exceed 255.

f.      From the Include Lowercase Letter drop-down list, select the lowercase letter requirements.

g.      Set Number of Lowercase Characters if Required to the minimum number of lowercase letters the password must contain when Required is set for Include Lowercase Letter. The Required value cannot exceed 255.

h.      From the Include Nonalphanumeric Character drop-down list, select the nonalphanumeric requirements. Permitted special characters are: ! @ # $ % ^ & * + ? / < >

i.        Set Number of Nonalphanumeric Characters if Required to the minimum number of nonalphanumeric characters the password must contain when Required is set for Include Nonalphanumeric Character. The Required value cannot exceed 255.

j.        Set Maximum Repeated Characters to the maximum number of times a character can appear in the password.

k.      Set Maximum Change Time (Minutes) to the amount of time, in minutes, within which a password change must be made.

When Identity as a Service flags a password for changing, you can choose a time period in which that change must be made. If the time period expires, an attempt to change the password fails and the administrator must reset the password. Enter a positive integer that represents the number of seconds, minutes, hours or days.

Note: Setting Maximum Change Time (Minutes) to 0 does not cause any already-expired passwords to be unexpired.

12.  Optional. Set password expiry notifications as follows:

a.      Select Password Expiry Notifications to automatically send users a message when their passwords are to expire.

b.      Select the Notification Type (Email, SMS, mobile or all three options). If you select more than one option, notifications are sent in the order listed, from top to bottom, until a message has been delivered successfully.

c.      Set the Notification Days separated by commas. For example, to send a notification five days before expiry and on the day of expiry, enter 0,5.

13.  Click Save to save your changes. The changes apply to all passwords.
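The rules in steps 3 through 11 are easiest to reason about when written out as a checker. The following Python is an added example, not Entrust code and not how Identity as a Service evaluates passwords internally: it models each setting on the Password settings page by name, using the limits stated above (255-character maximum, 36,500-day lifetime ceiling, the permitted special characters, the Active Directory three-category rule, and the Required / Allowed / Not allowed choices for each character class). The `Policy` class, the function names, the assumption that a Maximum Repeated Characters value of 0 means no limit, and the salted-PBKDF2 format used for the password history are this example's own. It also shows the ATM-style all-numeral configuration from the tip in step 11b.

```python
"""Policy checker modelling the Identity as a Service password settings above.

Added example (not Entrust's code). The Policy class, function names and
the history storage format are assumptions made for this example.
"""
import hashlib
import os
from collections import Counter
from dataclasses import dataclass

PERMITTED_SPECIALS = set("!@#$%^&*+?/<>")   # permitted special characters, per the page
REQUIRED, ALLOWED, NOT_ALLOWED = "Required", "Allowed", "Not allowed"
DIGITS = set("0123456789")


@dataclass
class Policy:
    """One field per setting on the Password settings page (names shortened)."""
    minimum_length: int = 8
    maximum_length: int = 255
    lifetime_days: int = 90                  # 0 = never expires
    minimum_lifetime: int = 0
    passwords_kept_in_history: int = 0       # 0 disables the history
    active_directory_complexity: bool = False
    include_number: str = ALLOWED
    number_of_numeric: int = 1
    include_uppercase: str = ALLOWED
    number_of_uppercase: int = 1
    include_lowercase: str = ALLOWED
    number_of_lowercase: int = 1
    include_nonalphanumeric: str = ALLOWED
    number_of_nonalphanumeric: int = 1
    maximum_repeated_characters: int = 0     # 0 = no limit (assumption of this example)


def validate_policy(p):
    """Return the settings that fall outside the ranges the page states."""
    errors = []
    if not 1 <= p.minimum_length <= p.maximum_length <= 255:
        errors.append("length: need 1 <= Minimum Length <= Maximum Length <= 255")
    if not 0 <= p.lifetime_days <= 36500:
        errors.append("Lifetime Days must be between 0 and 36,500")
    if p.lifetime_days and p.lifetime_days < p.minimum_lifetime:
        errors.append("Lifetime Days cannot be less than Minimum Lifetime")
    if not 0 <= p.passwords_kept_in_history <= 255:
        errors.append("Passwords Kept in History cannot exceed 255")
    for name in ("number_of_numeric", "number_of_uppercase",
                 "number_of_lowercase", "number_of_nonalphanumeric"):
        if not 0 <= getattr(p, name) <= 255:
            errors.append(f"{name} cannot exceed 255")
    return errors


def history_entry(password, salt=None):
    """Salted PBKDF2 digest stored in the password history (example format)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def _check_class(setting, count, minimum, label, problems):
    """Apply one Include ... drop-down value plus its 'Number of ... if Required' count."""
    if setting == NOT_ALLOWED and count > 0:
        problems.append(f"{label} characters are not allowed")
    elif setting == REQUIRED and count < minimum:
        problems.append(f"at least {minimum} {label} character(s) required, found {count}")


def check_password(password, policy, history=()):
    """Return a list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than Minimum Length {policy.minimum_length}")
    if len(password) > policy.maximum_length:
        problems.append(f"longer than Maximum Length {policy.maximum_length}")

    digits = sum(c in DIGITS for c in password)
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    specials = [c for c in password if not c.isalnum()]
    illegal = sorted(set(specials) - PERMITTED_SPECIALS)
    if illegal:
        problems.append("special characters not permitted: " + "".join(illegal))

    _check_class(policy.include_number, digits, policy.number_of_numeric, "numeric", problems)
    _check_class(policy.include_uppercase, upper, policy.number_of_uppercase, "uppercase", problems)
    _check_class(policy.include_lowercase, lower, policy.number_of_lowercase, "lowercase", problems)
    _check_class(policy.include_nonalphanumeric, len(specials),
                 policy.number_of_nonalphanumeric, "nonalphanumeric", problems)

    limit = policy.maximum_repeated_characters
    if limit and password and max(Counter(password).values()) > limit:
        problems.append(f"a character repeats more than {limit} times")

    if policy.active_directory_complexity:
        # AD rule from the note above: characters from three of the categories
        # (the on-premise-only Unicode category is not modelled here).
        categories = sum(1 for n in (digits, upper, lower, len(specials)) if n)
        if categories < 3:
            problems.append("Active Directory complexity: fewer than three character categories")

    # Only the most recent Passwords Kept in History entries count; 0 disables the check.
    recent = list(history)[-policy.passwords_kept_in_history:] if policy.passwords_kept_in_history else []
    for salt, digest in recent:
        if history_entry(password, salt)[1] == digest:
            problems.append("password matches one kept in history")
            break
    return problems
```

Run `validate_policy` on a proposed configuration before saving it, and `check_password` on a candidate with the list of stored history entries; a non-empty result from either is the list of settings or rules that would be rejected.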