Password Policies
Author:
Fluent Commerce
Changed on:
24 Jan 2024
Overview
A password policy dictates the strength and complexity requirements for a password or passphrase.
Fluent IdP supports the following types of password policies:
- Basic: The basic policy is a more relaxed standard that allows maximum customer flexibility. The basic policy can be less secure because users are not required to change their passwords.
- Passphrase: The passphrase policy encourages users to use a passphrase instead of a password for stronger authentication. A passphrase can be easier to remember and more secure because of its length.
- Standard: The standard password policy incorporates industry best practices for a typical password policy.
By default, a basic password policy with all requirements and rules cleared is set for each Client Account on the Fluent IdP side.
Key points
- Password Requirements include checks for uniqueness, complexity, and length, with restrictions on repeated characters and a strength estimate based on the Gibson Research Corporation Password Haystacks concept.
- Password Policy Rules encompass maintaining a history of prior passwords, setting expiration intervals, and defining the frequency at which passwords can be changed.
- Account lockout rules dictate the number of allowed failed attempts before an account is locked, with automatic unlocking after a specified duration.
Password Policy Details
Password Policy has many configurations to offer. By default, none of the settings are enabled. Configure the policy according to your company's needs.
Password Requirements:
- The password should not match strings that appear in the user's identity data
- The password should not be too similar to the user's current password
- The password will be checked against a list of the most commonly used passwords
- The password must have a complexity rating of at least 7 days (estimated exhaustive-search time), based on the Gibson Research Corporation Password Haystacks concept
- The password cannot have more than 2 repeated characters
- The password must have a minimum of 5 unique characters
- The password must be between 8 and 255 characters
- The password must have at least 1 of the following characters: ~!@#$%^&*()-_=+[]{}|;:,.<>/?
- The password must have at least 1 of the following characters: 0123456789
- The password must have at least 1 of the following characters: ABCDEFGHIJKLMNOPQRSTUVWXYZ
- The password must have at least 1 of the following characters: abcdefghijklmnopqrstuvwxyz
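The requirements above, implemented as a single checker so the interaction between them can be seen on real input. This is an added example, not Fluent IdP code: the common-password list is a constructed stand-in, the 0.7 similarity ratio, the 1e11 guesses-per-second rate used for the Haystacks estimate, and the reading of "more than 2 repeated characters" as a run of three identical characters are all assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample blocklist standing in for the IdP's common-password list (not from the page).
COMMON_PASSWORDS = {"password", "123456", "qwerty123", "letmein"}

# The four character classes exactly as listed in the policy.
CLASSES = {
    "symbol": set("~!@#$%^&*()-_=+[]{}|;:,.<>/?"),
    "digit": set("0123456789"),
    "upper": set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    "lower": set("abcdefghijklmnopqrstuvwxyz"),
}

def haystack_days(pw, guesses_per_second=1e11):
    """Haystacks-style estimate: days needed to try every string up to len(pw)
    over the alphabet formed by the classes the password actually uses.
    The 1e11 guesses/s rate is an assumed offline-attack figure, not the IdP's."""
    alphabet = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in pw))
    space = sum(alphabet ** n for n in range(1, len(pw) + 1))
    return space / guesses_per_second / 86400

def check_password(pw, identity=(), current=None):
    """Return the list of violated requirements; an empty list means accepted."""
    problems, low = [], pw.lower()
    # Identity fragments shorter than 3 characters are ignored (assumed threshold).
    if any(len(s) >= 3 and s.lower() in low for s in identity):
        problems.append("contains identity data")
    if current and SequenceMatcher(None, low, current.lower()).ratio() > 0.7:
        problems.append("too similar to current password")  # 0.7 threshold is assumed
    if low in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if haystack_days(pw) < 7:
        problems.append("search space below 7 days")
    if re.search(r"(.)\1\1", pw):  # a run of 3+ identical characters
        problems.append("more than 2 repeated characters")
    if len(set(pw)) < 5:
        problems.append("fewer than 5 unique characters")
    if not 8 <= len(pw) <= 255:
        problems.append("length not between 8 and 255")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append(f"missing {name}")
    return problems

if __name__ == "__main__":
    for pw in ("Tr0ub4dor&x", "password", "aaAA11!!"):
        print(pw, "->", check_password(pw) or "accepted")
```

Note that with the assumed guess rate an 8-character password using all four classes still fails the 7-day estimate, so the length minimum and the Haystacks rule are not redundant with each other.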
Password Policy Rules:
- X prior passwords will be maintained in the password history count for a maximum of X days
- The password will expire every X days
- Passwords can be changed after X days
Account lockout rules:
- The user's account will be locked out after X attempts
- Automatically unlock accounts that were locked by failed password attempts after XX seconds