Setting Up Password Manager Policies

EmpowerID provides password management services enabling help desk password reset, end-user self-service password change and reset, and multi-directory password synchronization for external systems. These policies control the login and password self-service reset options a person receives when using EmpowerID. When EmpowerID is installed, all users discovered are assigned to the Default Password Manager Policy. You can modify this policy to meet your organization's needs or create new policies and assign those to users as desired.

In this topic, we demonstrate setting up Password Manager Policies by creating a new policy. The principles and settings discussed can be applied to editing the Default Password Manager Policy, as well as any other custom policies you may have created.

To set up Password Manager Policies

  1. From the Navigation Sidebar, navigate to the Password Manager Policies management page by expanding Admin > Policies and clicking Password Manager Policies.
  2. From the Password Manager Policies management page, click the Actions tab and then click Create Password Manager Policy.
    • Editing existing policies

      To edit an existing policy, rather than clicking the Actions tab, simply search for the policy and click the Display Name link for it in the grid.

      This directs you to the View page for the policy. From there, click the Edit link to put the policy in edit mode, as shown in the image below. You can then follow the rest of this topic to apply your changes as needed.


  3. In the General tab of the Policy Details form that appears, do the following:
    1. Type a name, display name and description for the policy in the Name, Display Name and Description fields, respectively.
    2. Underneath Password Complexity, do the following:
      1. Select Password Use Windows Complexity if you want to apply the same complexity algorithm used in Microsoft Active Directory.
      2. If you did not select Password Use Windows Complexity, type the minimum number of characters users must use when setting passwords in the Min Length field.
      3. If you did not select Password Use Windows Complexity, type the maximum number of characters users can use when setting passwords in the Max Length field.
      4. Optionally, if you did not select Password Use Windows Complexity, type the minimum number of digits that users must use when setting passwords in the Min Digits field.
      5. Optionally, if you did not select Password Use Windows Complexity, type the minimum number of special characters that users must use when setting passwords in the Min Special Characters field.
      6. Optionally, if you did not select Password Use Windows Complexity, type the maximum number of repeating characters that users can use when setting passwords in the Maximum Pairs of Repeating Characters field.
      7. Optionally, if you did not select Password Use Windows Complexity, type a value corresponding to the number of first characters for a given user name that the user cannot use when setting passwords in the Restrict First X Characters Of Login field. For example, if you set this value to 3, users with the policy will not be able to use the first 3 letters of their user name when setting their passwords.
      8. Optionally, if you did not select Password Use Windows Complexity, select Password Requires Mixed Case to enforce the use of upper and lower case letters when setting passwords.
      9. Optionally, if you did not select Password Use Windows Complexity, select Require Leading Letter to require users to begin their passwords with a letter.
      10. Optionally, if you did not select Password Use Windows Complexity, select Require Mainframe Compatibility to enforce mainframe password format requirements (max of 8 characters, no special characters).
      11. Optionally, type a regular expression that constrains and validates the characters that can be used in a password in the Regular Expression Validator field.
      12. If this field is set with a RegEx value, the regular expression is applied in addition to any other settings specified.
      13. Optionally, select Password Prevent Username Words to restrict users from using their user name in any part of their passwords.
      14. Optionally, select Password Prevent Dictionary Words to restrict users from using certain words in their passwords and then select the dictionary containing those words from the Dictionary Word Set drop-down.
      15. EmpowerID includes two Dictionary Word Sets, each with its own collection of blocked words. You can customize these by adding new words to them or create your own as needed.
    3. Underneath Password Change Policy, do the following:
      1. Optionally, select Password Prevent Change to prevent users from changing their passwords.
      2. Type the number of days that must pass before users can reuse passwords from their password history in the Password Allow Reuse After X Days field.
      3. Type the number of password changes that must occur before users can reuse passwords from their password history in the Password Allow Reuse After X Changes field.
      4. Type the number of days after which users will be required to change their password in the Password Require Change Every X Days field.
      5. Type the number of days users must wait before they are allowed to change their password in the Min Age to Allow Change (X Days) field.
      6. In the Notify X Days Before Expires field, type a number specifying when users should be sent an email notification of a pending password expiration. Users must have an email account that is registered in EmpowerID to receive the notification.
      7. In the ReNotify Every X Days field, type a number specifying when users should be emailed reminders of a pending password expiration. Notifications will be sent at the specified interval until either the user changes the password or the password expiration date passes.
      8. In order for users to receive email alerts of pending password notifications, the Password Expiration Notification permanent workflow must be enabled.
        • To enable the permanent workflow
          1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to Permanent Workflows management page by expanding Admin > Miscellaneous and clicking Permanent Workflows.
          2. Click the Display Name link for the Password Expiration Notification permanent workflow.
          3. In the Permanent Workflows Details page that appears, click the Edit link at the top of the page. Edit links have the pencil icon.
          4. Tick Enabled.
          5. Click Save.
  4. In the Authentication Settings tab, optionally do the following:
    1. Underneath Login Policy do the following:
      1. Specify the minimum number of MFA points required for users with the policy in the Min MFA Points if Local Subnet field. This setting is used to specify the minimum number of points users within your local network must accumulate when authenticating. Points start at 0 and can be incremented as needed. When the value is greater than 0, users must accumulate the required number of points before access is granted.
      2. Specify the minimum number of MFA points required for users with the policy in the Min MFA Points if Remote Subnet field. This setting is used to specify the minimum number of points users outside of your local network must accumulate when authenticating. Points start at 0 and can be incremented as needed. When the value is greater than 0, users must accumulate the required number of points before access is granted.
      3. In the Default Home Page field, type the default home page of the EmpowerID Web application for all users with the policy. When doing so, you specify the page by entering the relative path to it in your environment. By relative path we mean that portion of the page's URL that begins with the # symbol. You can find this for any page by clicking the link for the page in the Navigation Sidebar. So for example, if you want the home page to be the Self-Service Workflows page of the IT Shop and the full URL for accessing that page is "https://sso.empowerid.com/Empowerid/#N/ITShop/SelfService", you would enter #N/ITShop/SelfService in this field.
      4. If you leave this field blank, the home page defaults to each user's personal dashboard. Additionally, the default home page can be set directly on a person. Home pages set on a person take precedence over home page settings on Password Manager policies. For information on setting the home page for a person, see Setting the home page for a person.
      5. In the Attempts Before Lockout field, type the number of times a user can incorrectly attempt to log in (within the specified period of time set in Login Lockout Failure Window field) before EmpowerID locks that person out.
      6. In the Login Lockout Failure Window field, type the length of time in minutes (sliding window) during which the number of login failures must occur in order to trigger a lockout.
      7. In the Login Lockout Duration (Minutes) field, type the length of time in minutes that a person must wait before they can attempt to log in again once their EmpowerID Person has been locked out. If the number of failures specified in the Attempts Before Lockout field is exceeded within the sliding window, the offending person is prevented from logging in to EmpowerID for the number of minutes specified in this field.
      8. Select or deselect Enable Login Workflow for Management Console, depending on whether you want to give people with the policy the ability to log in to the EmpowerID Management Console (WPF).
    2. If you are using the EmpowerID Virtual Directory server, underneath LDAP Policy do the following:
      1. Select Allow LDAP Authentication if you want to allow users in the Virtual Directory to authenticate to EmpowerID.
      2. Select Require 2nd Factor for LDAP to require Virtual Directory users to perform multi-factor authentication. If enabled, users need to have an OATH token.
      3. Select Enable Login if no Token Assigned to allow Virtual Directory users who have yet to receive an OATH token to login.

    3. If you are using the EmpowerID RADIUS service, underneath RADIUS Policy do the following:
      1. Select Allow RADIUS Authentication if you want RADIUS users to authenticate to EmpowerID.
      2. Select Require 2nd Factor for LDAP to require RADIUS users to perform multi-factor authentication. If enabled, users need to have an OATH token.
      3. Select Enable Login if no Token Assigned to allow RADIUS users who have yet to receive an OATH token to login.

    4. If you have created a custom login handler, underneath Custom Login Handler, specify the assembly and type for the handler in the Login Handler Assembly and Login Handler Type fields.
    5. If you want to require users to agree to your policies before they log in, underneath Usage Agreement, specify a version number for the agreement in the Usage Agreement Version field and then enter the text of the agreement in the Usage Agreement Text (HTML) field.
    6. Users with the policy will see the agreement on their first login. In order to proceed, they will need to agree to the terms of use specified by the Usage Agreement.

  5. In the Self-Service Password Reset tab, optionally do the following:
    1. In the Number of Custom Questions Asked for Enrollment field, type the number of Password Challenge questions that users need to create. Users enrolling for password self-service reset provide answers to these questions for the purpose of identifying themselves in the event they forget or want to change their passwords.
    2. In the Number of Selectable Questions Asked for Enrollment field, type the number of predefined questions that users need to answer during the enrollment process. This establishes the pool of questions that are used for a particular user during the reset process.
    3. In the Number of Help Desk Questions Asked for Enrollment field, type the number of pre-defined Helpdesk questions for which users need to provide an answer when enrolling for Password Self-Service Reset. Users who forget their password and contact the Help Desk can have their passwords reset by the Help Desk if they successfully answer these questions.
    4. In the Expire Enrollment After (Days) field, type the length of time in days that any user's enrollment remains valid. Users will be forced to re-enroll for password self-service reset after the designated time has been reached.
    5. Select Force Enrollment During Login to require users to enroll for password self-service reset during their first login to EmpowerID.
    6. Select Enrollment Prevent Duplicate Answers to restrict the user from re-using the same answer in response to multiple challenge questions.
    7. Select Enrollment Prevent Question Word in Answer to restrict the user from re-using any of the question words in their answer to the question.
    8. Select Enrollment Expiration Enabled to force users to re-enroll for password self-service reset after the number of days specified by the value of the Expire Enrollment After (Days) setting has passed.
    9. In the Recovery Questions Asked field, type the number of password recovery questions to be asked to users who cannot remember their passwords. These questions were supplied by the user when enrolling for password self-service reset.
    10. In the Recovery Minimum Correct Answers field, type the minimum number of password challenge questions users must answer correctly before they can set a password.
    11. Select Enable Reset Center Lockout Policy to lock anonymous users out of the Password Reset Center in accordance with the settings applied to the fields of this section.
    12. In the Allow X Attempts Before Lockout field, type the number of times users can incorrectly answer their password challenge questions before being locked out of the recovery center.
    13. In the During an X Minute Window field, type the length of time in minutes of a sliding window during which the number of incorrect challenge question answers must occur in order to trigger Recovery Center lockout.
    14. In the Lockout Duration field, type the amount of time in minutes that locked-out users must wait before they can use the Recovery Center again.
    15. Select Bypass Min Password Age to allow users who forget their password to bypass the password age requirements specified in the Min Age To Allow Change (X Days) setting. This setting only has effect if the Min Age To Allow Change (X Days) setting is set to a number other than 0.
    16. Select Bypass Password History to allow users who forget their password to bypass the password history requirements specified in the Password Allow Reuse After X Days setting. This setting only has effect if the Password Allow Reuse After X Days setting is set to a number other than 0.
  6. When you have completed the above, click Save.
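The Password Complexity settings in step 3 describe a set of rules that a candidate password is checked against. The following Python example, added to this topic as an illustration and not EmpowerID's own code, models those fields as attributes of a hypothetical PasswordPolicy dataclass and returns the list of rules a password violates. Interpretations that the page does not spell out are marked as assumptions in the comments: the Windows complexity check is an approximation of the Active Directory rule, Maximum Pairs of Repeating Characters is read as a count of adjacent identical characters, a value of 0 means "not enforced", and the Regular Expression Validator must match the whole password.

```python
import re
from dataclasses import dataclass

# Character set treated as "special" (assumption; EmpowerID's exact set is not stated on the page).
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


@dataclass
class PasswordPolicy:
    """Hypothetical mapping of the General tab fields to attributes (0/empty = not enforced)."""
    use_windows_complexity: bool = False
    min_length: int = 8
    max_length: int = 64
    min_digits: int = 0
    min_special_characters: int = 0
    max_repeating_pairs: int = 0          # Maximum Pairs of Repeating Characters
    restrict_first_x_of_login: int = 0    # Restrict First X Characters Of Login
    require_mixed_case: bool = False
    require_leading_letter: bool = False
    require_mainframe_compat: bool = False
    regex_validator: str = ""             # applied in addition to the other rules
    prevent_username_words: bool = False
    prevent_dictionary_words: bool = False
    dictionary_word_set: frozenset = frozenset()


def _meets_windows_complexity(pw: str, login: str) -> bool:
    """Approximation (assumption) of the Active Directory complexity rule: the password
    must not contain the login name (when it is 3+ characters) and must use at least
    three of four character classes."""
    if len(login) >= 3 and login.lower() in pw.lower():
        return False
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIAL_CHARS for c in pw),
    ]
    return sum(classes) >= 3


def validate_password(pw: str, login: str, policy: PasswordPolicy) -> list:
    """Return the names of the violated rules; an empty list means the password passes."""
    problems = []
    if policy.use_windows_complexity:
        if not _meets_windows_complexity(pw, login):
            problems.append("windows_complexity")
    else:
        if len(pw) < policy.min_length:
            problems.append("min_length")
        if len(pw) > policy.max_length:
            problems.append("max_length")
        if sum(c.isdigit() for c in pw) < policy.min_digits:
            problems.append("min_digits")
        if sum(c in SPECIAL_CHARS for c in pw) < policy.min_special_characters:
            problems.append("min_special_characters")
        # Count adjacent identical characters: "aabb1" has two pairs ("aa" and "bb").
        pairs = sum(1 for a, b in zip(pw, pw[1:]) if a == b)
        if policy.max_repeating_pairs and pairs > policy.max_repeating_pairs:
            problems.append("max_repeating_pairs")
        x = policy.restrict_first_x_of_login
        if x and len(login) >= x and login[:x].lower() in pw.lower():
            problems.append("restrict_first_x_of_login")
        if policy.require_mixed_case and not (
            any(c.isupper() for c in pw) and any(c.islower() for c in pw)
        ):
            problems.append("require_mixed_case")
        if policy.require_leading_letter and not pw[:1].isalpha():
            problems.append("require_leading_letter")
        # Mainframe format: at most 8 characters and no special characters.
        if policy.require_mainframe_compat and not (len(pw) <= 8 and pw.isalnum()):
            problems.append("require_mainframe_compat")
    # Steps 11-15 apply whether or not Windows complexity was selected.
    if policy.regex_validator and not re.fullmatch(policy.regex_validator, pw):
        problems.append("regex_validator")
    if policy.prevent_username_words and login and login.lower() in pw.lower():
        problems.append("prevent_username_words")
    if policy.prevent_dictionary_words:
        lowered = pw.lower()
        if any(word.lower() in lowered for word in policy.dictionary_word_set):
            problems.append("prevent_dictionary_words")
    return problems


# Constructed sample policy and word set for demonstration.
CONSTRUCTED_DICTIONARY = frozenset({"password", "welcome", "summer"})
EXAMPLE_POLICY = PasswordPolicy(
    min_length=12, min_digits=2, min_special_characters=1, max_repeating_pairs=1,
    restrict_first_x_of_login=3, require_mixed_case=True, require_leading_letter=True,
    prevent_username_words=True, prevent_dictionary_words=True,
    dictionary_word_set=CONSTRUCTED_DICTIONARY,
)

if __name__ == "__main__":
    for candidate in ("Tq7!vmR2pLzx", "jsmWelcome11!", "1aabb"):
        print(candidate, "->", validate_password(candidate, "jsmith", EXAMPLE_POLICY) or "OK")
```

Because the rules are evaluated independently and all failures are collected, the caller can show the user every requirement they missed in one round rather than one at a time.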
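Both the login lockout in the Authentication Settings tab (Attempts Before Lockout, Login Lockout Failure Window, Login Lockout Duration) and the Reset Center lockout in the Self-Service Password Reset tab (Allow X Attempts Before Lockout, During an X Minute Window, Lockout Duration) describe the same sliding-window mechanism. The following Python class, added here as an illustration and not EmpowerID's own implementation, shows how such a tracker behaves: a subject is locked when the number of failures within the window exceeds the configured attempts, and stays locked for the lockout duration. The clock is a constructed value in minutes passed in by the caller, and the "subject" key (a login name for the login policy, or whatever identifies an anonymous Reset Center visitor) is an assumption.

```python
from collections import defaultdict, deque


class LockoutTracker:
    """Sliding-window lockout (illustrative, not EmpowerID's code).

    Lockout triggers when failures within `failure_window_minutes` exceed
    `attempts_before_lockout`; the subject then stays locked for
    `lockout_duration_minutes`.  Times are plain minute values supplied by
    the caller so the behaviour can be traced by hand.
    """

    def __init__(self, attempts_before_lockout: int, failure_window_minutes: int,
                 lockout_duration_minutes: int):
        self.attempts = attempts_before_lockout
        self.window = failure_window_minutes
        self.lockout = lockout_duration_minutes
        self._failures = defaultdict(deque)   # subject -> recent failure times
        self._locked_until = {}               # subject -> time the lock expires

    def is_locked(self, subject: str, now: float) -> bool:
        until = self._locked_until.get(subject)
        return until is not None and now < until

    def record_failure(self, subject: str, now: float) -> bool:
        """Record a failed attempt; return True if the subject is (now) locked out."""
        if self.is_locked(subject, now):
            return True
        recent = self._failures[subject]
        recent.append(now)
        # Slide the window: forget failures older than the window length.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) > self.attempts:
            self._locked_until[subject] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, subject: str) -> None:
        """A successful attempt resets the failure history for the subject."""
        self._failures.pop(subject, None)


if __name__ == "__main__":
    # Constructed scenario: 3 attempts allowed within a 10 minute window, 30 minute lockout.
    login_policy = LockoutTracker(attempts_before_lockout=3, failure_window_minutes=10,
                                  lockout_duration_minutes=30)
    for minute in (0, 1, 2, 3):
        print(f"t={minute}: failure -> locked={login_policy.record_failure('jsmith', minute)}")
    print("locked at t=20:", login_policy.is_locked("jsmith", 20))
    print("locked at t=33:", login_policy.is_locked("jsmith", 33))
```

The window check uses the oldest remembered failure, so three failures spread over fifteen minutes never trigger a lockout even though the raw count reaches the limit; only failures that are all inside the window count.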