Password
This page lists the policy parameters specific to passwords.
In addition to the policy parameters defined here, the parameters defined in All credential types are also valid for password credentials.
allowLoginIdInPassword
- Data type: boolean
- Default: true
- Description: Determines whether the password may contain the user login ID. A case-insensitive check is performed upon creation.
checkDictionary
- Data type: boolean
- Default: true
- Description: Determines whether to look up the password in the dictionary (see Password dictionary) upon creation.
credentialLifetime
- Data type: long (>0)
- Default: 315360000000 (10 years in milliseconds)
- Description: The time to live (in milliseconds) of the password credential. After the defined period of time, the user will not be able to log in with this password anymore.
hashAlgorithm
- Data type: enum
- Values: SSHA, SSHA256, bcrypt, PBKDF2, ARGON2ID
- Default: SSHA256
- Description: Defines the hash algorithm used for password hashing. In addition to the algorithms available for all credential types (SSHA, SSHA256, PBKDF2, ARGON2ID), passwords also support bcrypt. Since nevisIDM 2.21.2.0, SSHA has been marked as deprecated because collision attacks faster than brute force attacks have been found. The default has changed to SSHA256. Changing this parameter is fully backward compatible: only newly created passwords are hashed with the defined algorithm. For the PBKDF2 and ARGON2ID sub-parameters, see All credential types.
hashAlgorithm.bcrypt.cost
- Data type: int
- Default: 12
- Description: The cost factor defines how many rounds should be used to create a bcrypt hash. The cost factor should be chosen according to the hardware used and may have to be adjusted over time. The computing time grows exponentially with the cost factor (2^cost iterations).
initialPwchangePeriod.adminChanged
- Data type: long
- Default: -1 (unlimited)
- Description: Defines the number of milliseconds within which a user has to change his password after an administrator change. Only effective when initialPwchangeRequired=true.
initialPwchangePeriod.initial
- Data type: long
- Default: -1 (unlimited)
- Description: Defines the number of milliseconds within which a user has to change his initial password. Only effective when initialPwchangeRequired=true.
initialPwchangePeriod.resetCode
- Data type: long
- Default: -1 (unlimited)
- Description: Defines the number of milliseconds within which a user has to change his password after a password reset.
initialPwchangeRequired
- Data type: boolean
- Default: true
- Description: If this parameter is true and the state of a password is "initial" or "set by administrator", the user will be forced to change it after the next login.
lockDisabledForPasswordChangeFailure
- Data type: boolean
- Default: false
- Description: If this parameter is true, the system will not lock the user account, no matter how often the user has entered the wrong account password.
maxCharacterRepetitions
- Data type: int
- Default: 4
- Description: Maximum length of the longest substring made of identical characters. The value must be greater than 0. Example: maxCharacterRepetitions=2 means "cool" is allowed, but "coool" is not.
maxCredFailureCount
- Data type: int (>0) or -1
- Default: 3
- Description: Maximum number of login failures before the password is permanently locked. If set to -1, the maximum failure counter is disabled.
maxCredSuccessCount
- Data type: int
- Default: -1 (unlimited)
- Description: Maximum number of successful logins before the credential is disabled.
maxCtrl
- Data type: int
- Default: 0
- Description: Maximum number of control characters such as backspace, NUL, etc.
maxLength
- Data type: int
- Default: 30
- Description: Maximum length of a password.
maxNonAscii
- Data type: int
- Default: 0
- Description: Maximum number of non-ASCII characters like umlauts. Some of these characters can be difficult to enter on certain keyboards.
maxNonGraph
- Data type: int
- Default: 0
- Description: Maximum number of non-printing characters such as exotic whitespace, etc.
maxResetCount
- Data type: int
- Default: 3
- Description: Maximum number of password resets before the user needs to call an administrator to set a new password. If you set the number to -1, the check is disabled.
minHistoryEntries
- Data type: int
- Default: 10
- Description: Defines the number of passwords included in the password history check. Whenever a user changes his password, the system compares the new password with the last minHistoryEntries passwords on the user's history list. The user is not allowed to re-use a password from this list.
minHistoryTime
- Data type: long
- Default: 86400000 (1 day in milliseconds)
- Description: Defines the time period covered by the password history check, in milliseconds. Whenever a user changes his password, the system compares the new password with all passwords created within the last minHistoryTime milliseconds. The user may only re-use passwords that are older than this period.
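The two history parameters above describe a count-based window and a time-based window. The following Python is an added example, not nevisIDM code, that shows how both windows can be applied to a history of hashed entries. It assumes the two rules combine as a union (a candidate is refused if either rule covers a matching entry), uses a salted SHA-256 stand-in for the configured hashAlgorithm, and keeps timestamps in milliseconds as the parameters do.

```python
import hashlib
import hmac
import os

# Defaults from this page.
MIN_HISTORY_ENTRIES = 10
MIN_HISTORY_TIME_MS = 86_400_000  # 1 day


def hash_password(password, salt=None):
    """Salted SHA-256 stand-in for the configured hashAlgorithm; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt, digest


class PasswordHistory:
    """History of a user's previous password hashes, newest entry last."""

    def __init__(self, min_entries=MIN_HISTORY_ENTRIES, min_time_ms=MIN_HISTORY_TIME_MS):
        self.min_entries = min_entries
        self.min_time_ms = min_time_ms
        self.entries = []  # dicts with keys salt, digest, created_at_ms

    def record(self, password, now_ms):
        """Store the hash of a newly set password; the plaintext is never kept."""
        salt, digest = hash_password(password)
        self.entries.append({"salt": salt, "digest": digest, "created_at_ms": now_ms})

    def _matches(self, entry, candidate):
        _, digest = hash_password(candidate, entry["salt"])
        return hmac.compare_digest(digest, entry["digest"])

    def covered_entries(self, now_ms):
        """Entries subject to the reuse check: the last min_entries passwords plus
        every password created within the last min_time_ms. Assumption: the two
        rules combine as a union."""
        by_count = self.entries[-self.min_entries:] if self.min_entries > 0 else []
        by_time = [e for e in self.entries if now_ms - e["created_at_ms"] < self.min_time_ms]
        covered = []
        for e in by_count + by_time:
            if not any(e is c for c in covered):
                covered.append(e)
        return covered

    def is_reuse(self, candidate, now_ms):
        """True when the candidate must be refused because it is still inside a history window."""
        return any(self._matches(e, candidate) for e in self.covered_entries(now_ms))


if __name__ == "__main__":
    # Constructed scenario: four passwords set on day 1, checked two days later.
    history = PasswordHistory(min_entries=2)
    for i, pw in enumerate(("first!A1", "second!B2", "third!C3", "fourth!D4")):
        history.record(pw, i * 1_000)
    two_days = 2 * MIN_HISTORY_TIME_MS
    for pw in ("first!A1", "third!C3", "fourth!D4"):
        print(pw, "refused" if history.is_reuse(pw, two_days) else "allowed")
```

With minHistoryEntries=2 the two most recent passwords stay blocked indefinitely, while older ones become reusable once they fall outside minHistoryTime; the comparison is done against stored hashes with a constant-time digest comparison, never against plaintext.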
minLength
- Data type: int
- Default: 4
- Description: Minimum length of a password.
minLower
- Data type: int
- Default: 1
- Description: Minimum number of lower-case characters.
minNonAlnum
- Data type: int
- Default: 1
- Description: Minimum number of characters that are neither letters nor numbers.
minNonLetter
- Data type: int
- Default: 1
- Description: Minimum number of characters that are not letters.
minNumeric
- Data type: int
- Default: 0
- Description: Minimum number of numeric characters (numbers).
minUpper
- Data type: int
- Default: 1
- Description: Minimum number of upper-case characters.
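The composition parameters above (minLength through minUpper, the max* limits, allowLoginIdInPassword and checkDictionary) are independent checks that all have to pass. The following Python is an added example, not nevisIDM code, that evaluates them against a candidate password using the defaults listed on this page. The policy keys reuse the parameter names; the Unicode-category definitions of control, non-ASCII and non-printing characters and the small in-memory dictionary are assumptions of the example.

```python
import unicodedata

# Composition-related defaults as listed on this page (keys reuse the parameter names).
DEFAULT_POLICY = {
    "allowLoginIdInPassword": True,
    "checkDictionary": True,
    "maxCharacterRepetitions": 4,
    "maxCtrl": 0,
    "maxLength": 30,
    "maxNonAscii": 0,
    "maxNonGraph": 0,
    "minLength": 4,
    "minLower": 1,
    "minNonAlnum": 1,
    "minNonLetter": 1,
    "minNumeric": 0,
    "minUpper": 1,
}

# Constructed stand-in for the tidmr_password_dictionary table. Entries are
# lowercase because the candidate is lowercased before the lookup.
SAMPLE_DICTIONARY = {"123456", "password", "secret", "cats"}


def longest_run(s):
    """Length of the longest substring made of one repeated character."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def is_control(ch):
    """Control characters (backspace, NUL, ...) have Unicode category Cc."""
    return unicodedata.category(ch) == "Cc"


def is_non_graph(ch):
    """Assumed definition of 'non-printing': separators and 'other' characters
    that are not plain controls, with the ordinary space kept as printable."""
    cat = unicodedata.category(ch)
    return ch != " " and cat[0] in "ZC" and cat != "Cc"


def check_password(pw, login_id, policy=DEFAULT_POLICY, dictionary=SAMPLE_DICTIONARY):
    """Return the names of the violated parameters; an empty list means accepted."""
    p = policy
    violations = []
    if len(pw) < p["minLength"]:
        violations.append("minLength")
    if len(pw) > p["maxLength"]:
        violations.append("maxLength")
    if longest_run(pw) > p["maxCharacterRepetitions"]:
        violations.append("maxCharacterRepetitions")
    # Minimum counts per character class.
    minimums = [
        ("minLower", sum(c.islower() for c in pw)),
        ("minUpper", sum(c.isupper() for c in pw)),
        ("minNumeric", sum(c.isdigit() for c in pw)),
        ("minNonAlnum", sum(not c.isalnum() for c in pw)),
        ("minNonLetter", sum(not c.isalpha() for c in pw)),
    ]
    violations += [name for name, count in minimums if count < p[name]]
    # Maximum counts for characters that are hard to type or invisible.
    maximums = [
        ("maxCtrl", sum(is_control(c) for c in pw)),
        ("maxNonAscii", sum(ord(c) > 127 for c in pw)),
        ("maxNonGraph", sum(is_non_graph(c) for c in pw)),
    ]
    violations += [name for name, count in maximums if count > p[name]]
    # allowLoginIdInPassword: case-insensitive containment check.
    if not p["allowLoginIdInPassword"] and login_id.lower() in pw.lower():
        violations.append("allowLoginIdInPassword")
    # checkDictionary: lowercase lookup, matching the dictionary's storage convention.
    if p["checkDictionary"] and pw.lower() in dictionary:
        violations.append("checkDictionary")
    return violations


if __name__ == "__main__":
    for candidate in ("Secr3t!x", "Cats", "Coooool1!", "Grüße#12"):
        print(candidate, "->", check_password(candidate, "alice") or "accepted")
```

Returning the list of violated parameter names rather than a bare boolean makes the result useful for user-facing feedback and for unit-testing a policy change before rolling it out.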
notificationEnabled
- Data type: boolean
- Default: false
- Description: Enables user notification (e-mail, SMS, PDF), even if resetCodeLen1=0. If the parameter is set to false and resetCodeLen1=0, no e-mail/PDF will be generated.
passwordLifetime
- Data type: long (>0)
- Default: 9936000000 (115 days in milliseconds)
- Description: Lifetime of a password in milliseconds before a password change is forced. The parameter will be read from the policy at every login, i.e., modifications to the parameter will take effect immediately.
resetCharacterSet
- Data type: String
- Default: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
- Description: The characters used when generating the password. Example without similar-looking characters (0, 1, i, l, o, I and O omitted): 23456789abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ
resetCodeEnabled
- Data type: boolean
- Default: false
- Description: Enable/disable the reset code feature.
resetCodeLen0
- Data type: int
- Default: 15
- Description: Length of the first part of a reset code. This part is returned to the caller in the response (SOAP interface) or shown to the administrator (web GUI).
resetCodeLen1
- Data type: int
- Default: 15
- Description: Length of the second part of a reset code. This part is communicated to the credential's user.
securePasswordChangeDisabled
- Data type: boolean
- Default: false
- Description: Allows or disallows changing the password via the SelfAdmin service without knowing the old one. If enabled, password changes become exposed to cross-site request forgery. If you enable this parameter, make sure this is the intended behavior; in that case, we recommend enabling the CSRFFilter of nevisProxy.
sendingMethod
- Data type: comma-separated list of enums
- Values: any subset of PDFstore, Print, Email, HTMLemail, PDFemail, SMS_SMTP, None, or PDFstream alone
- Default: Email
- Description: Defines a fallback list of different methods of how a credential should be communicated to the user (if the first method fails for some reason, the second is tried, and so on). Method Email will fail if the user has no e-mail address or the address is invalid. Method SMS_SMTP will fail if the user has no mobile number or the mobile number is invalid. All methods (except None) will fail if the corresponding template is missing or one or more mandatory placeholders are empty. If sendingMethod was not defined at all, nevisIDM takes the default value. The default value has no fallbacks.
Special sendingMethod for GUI only: PDFstream. After password creation or reset, a transient link appears in the CredentialModify view on the GUI. The link can be used to download the communication PDF. If there is an error at PDF generation, the password's plain value will be lost.
If PDFstore is configured, the following additional parameter can be defined:
- PDFstore.destDir (optional): Defines the destination directory where the PDF is to be saved. If not configured, the directory set in nevisidm-prod.properties is used as fallback.
If SMS_SMTP is configured, the following additional parameters must be defined:
- SMS_SMTP.smtp.host (mandatory): Host name of the SMTP server. Availability is checked at startup.
- SMS_SMTP.smtp.port (mandatory): Port of the SMTP server.
- SMS_SMTP.message.from (mandatory): Sender of the SMS message. Must be a valid e-mail address.
- SMS_SMTP.message.to (mandatory): Receiver of the SMS message. Must contain the ${phonenumber} placeholder. Example: ${phonenumber}@sms.mycompany.ch.
- SMS_SMTP.message.subject (mandatory): Subject of the e-mail sent to the SMTP gateway.
The PDFemail method requires two templates: one e-mail and one OpenOffice template. If PDFemail is configured, the following additional parameter can be defined:
- PDFemail.htmlEmail (optional, default: false): If true, an HTML e-mail is sent. Otherwise, a plain text e-mail is sent.
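The fallback behaviour of sendingMethod is easiest to see as a walk down the configured list, stopping at the first method whose preconditions hold. The following Python is an added example, not nevisIDM code, of that walk. It assumes that every e-mail based method (Email, HTMLemail, PDFemail) needs a usable address, that the template check can be modelled as a per-method flag, and that the address and number validators can be simplified regular expressions; the template table and users are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

ALL_METHODS = {"PDFstore", "Print", "Email", "HTMLemail", "PDFemail", "SMS_SMTP", "None", "PDFstream"}
DEFAULT_SENDING_METHOD = "Email"

# Assumption: all e-mail based methods need a usable address; SMS_SMTP needs a mobile number.
NEEDS_EMAIL = {"Email", "HTMLemail", "PDFemail"}
NEEDS_MOBILE = {"SMS_SMTP"}

# Constructed stand-in for the template configuration: method -> True when the
# template exists and all mandatory placeholders are filled.
SAMPLE_TEMPLATES = {
    "Email": True, "HTMLemail": True, "PDFemail": False,
    "PDFstore": True, "Print": True, "SMS_SMTP": True, "PDFstream": True,
}


@dataclass
class User:
    email: Optional[str] = None
    mobile: Optional[str] = None


def parse_sending_method(value):
    """Parse the comma-separated list; an unset value yields the default, which has no fallbacks."""
    if value is None or not value.strip():
        return [DEFAULT_SENDING_METHOD]
    methods = [m.strip() for m in value.split(",") if m.strip()]
    unknown = [m for m in methods if m not in ALL_METHODS]
    if unknown:
        raise ValueError("unknown sendingMethod: " + ", ".join(unknown))
    if "PDFstream" in methods and len(methods) > 1:
        raise ValueError("PDFstream may only be configured alone")
    return methods


def looks_like_email(addr):
    # Deliberately simple validity check for the example.
    return bool(addr) and re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", addr) is not None


def looks_like_mobile(number):
    return bool(number) and re.fullmatch(r"\+?[0-9]{6,15}", number) is not None


def method_fails(method, user, templates):
    """Return the failure reason for one method, or None if it can be used."""
    if method == "None":
        return None  # None never fails and needs no template
    if not templates.get(method, False):
        return "template missing or mandatory placeholder empty"
    if method in NEEDS_EMAIL and not looks_like_email(user.email):
        return "no valid e-mail address"
    if method in NEEDS_MOBILE and not looks_like_mobile(user.mobile):
        return "no valid mobile number"
    return None


def choose_method(sending_method, user, templates=SAMPLE_TEMPLATES):
    """Walk the fallback list; return (chosen method or None, reasons for skipped methods)."""
    skipped = []
    for method in parse_sending_method(sending_method):
        reason = method_fails(method, user, templates)
        if reason is None:
            return method, skipped
        skipped.append((method, reason))
    return None, skipped


if __name__ == "__main__":
    # Constructed users: one with only a mobile number, one with nothing on file.
    print(choose_method("Email,SMS_SMTP", User(mobile="+41791234567")))
    print(choose_method(None, User()))
```

Keeping the skipped methods and their reasons is what makes a failed delivery diagnosable: with the default configuration there is no fallback, so a user without a valid e-mail address simply gets no notification.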
storage
- Data type: String
- Values: hash, encrypt
- Default: hash
- Description: Determines how the password value is stored in the database. If set to hash, the hash of the password value is stored. If set to encrypt, the password value is stored using a configured encryption algorithm; unlike a hash, an encrypted value can be recovered by anyone holding the encryption key, so protect that key accordingly.
templatePrecedence
- Data type: int
- Default: null
- Description: The precedence number of the template to use during the communication with the user. If the parameter is not set, the default template will be used. If no template exists with the given precedence number, an error will occur.
tmpLockingDuration
- Data type: long
- Default: 60000
- Description: Duration of the temporary locking in milliseconds. Use a tmpLockingDuration of at least 30000, since the exact duration cannot be guaranteed below this value.
tmpLockingMode
- Data type: String
- Values: strict, threshold
- Default: strict
- Description:
- strict: when a temporary locking period is over, the user can try to log in only once before the next temporary locking period activates.
- threshold: the user can always try tmpLockingThreshold times to log in before the next temporary locking period activates.
tmpLockingThreshold
- Data type: int (>0) or -1
- Default: 2
- Description: Number of login failures before a password is temporarily locked. If set to -1, the temporary lock is disabled.
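The interplay of tmpLockingThreshold, tmpLockingDuration, tmpLockingMode and maxCredFailureCount is easiest to see by replaying a sequence of login attempts. The following Python is an added example, not nevisIDM code, that models that bookkeeping with the defaults from this page. Two details are not stated on the page and are assumptions of the example: attempts made while a temporary lock is active are rejected without being counted, and a successful login resets all counters.

```python
# Defaults from this page.
TMP_LOCKING_THRESHOLD = 2
TMP_LOCKING_DURATION_MS = 60_000
TMP_LOCKING_MODE = "strict"
MAX_CRED_FAILURE_COUNT = 3


class PasswordLockState:
    """Per-credential failure bookkeeping for the temporary and permanent locks."""

    def __init__(self, mode=TMP_LOCKING_MODE, threshold=TMP_LOCKING_THRESHOLD,
                 duration_ms=TMP_LOCKING_DURATION_MS, max_failure_count=MAX_CRED_FAILURE_COUNT):
        if mode not in ("strict", "threshold"):
            raise ValueError("tmpLockingMode must be strict or threshold")
        self.mode = mode
        self.threshold = threshold
        self.duration_ms = duration_ms
        self.max_failure_count = max_failure_count
        self.failures = 0               # counted against maxCredFailureCount
        self.failures_since_unlock = 0  # counted against the temporary-lock limit
        self.locked_until_ms = 0
        self.had_tmp_lock = False
        self.permanently_locked = False

    def _tmp_limit(self):
        # strict: after the first temporary lock a single failure re-locks;
        # threshold: tmpLockingThreshold failures are always allowed.
        if self.mode == "strict" and self.had_tmp_lock:
            return 1
        return self.threshold

    def attempt(self, now_ms, success):
        """Return ok, failed, temporarily_locked or locked for one login attempt."""
        if self.permanently_locked:
            return "locked"
        if now_ms < self.locked_until_ms:
            return "temporarily_locked"  # assumption: rejected, not counted
        if success:
            self.failures = 0            # assumption: success resets everything
            self.failures_since_unlock = 0
            self.had_tmp_lock = False
            return "ok"
        self.failures += 1
        if self.max_failure_count != -1 and self.failures >= self.max_failure_count:
            self.permanently_locked = True
            return "locked"
        self.failures_since_unlock += 1
        if self.threshold != -1 and self.failures_since_unlock >= self._tmp_limit():
            self.locked_until_ms = now_ms + self.duration_ms
            self.failures_since_unlock = 0
            self.had_tmp_lock = True
            return "temporarily_locked"
        return "failed"


def simulate(mode, outcomes, max_failure_count=-1):
    """Replay (time_ms, success) attempts and return the per-attempt results."""
    state = PasswordLockState(mode=mode, max_failure_count=max_failure_count)
    return [state.attempt(t, ok) for t, ok in outcomes]


if __name__ == "__main__":
    # Constructed sequence: two failures, one attempt during the lock, two after it.
    attempts = [(0, False), (1_000, False), (30_000, False), (61_000, False), (62_000, False)]
    print("strict:   ", simulate("strict", attempts))
    print("threshold:", simulate("threshold", attempts))
    print("defaults: ", simulate("strict", attempts[:2] + [(70_000, False), (80_000, False)], 3))
```

Replaying the same attempt sequence under both modes shows the practical difference: strict re-locks on the first failure after a period ends, threshold grants the full tmpLockingThreshold again. With the page defaults the permanent lock (maxCredFailureCount=3) is reached one failure after the first temporary lock expires.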
useAdminChangedStateForForeignPasswordChange
- Data type: boolean
- Default: true
- Description: If set to true, the password will have the state "changed by admin" after reset or creation. If set to false, the state will be "active". This does not apply if the state was explicitly set during the creation of the password credential. Note: this only takes effect when set via web service and the credential state has not been set. It does not take effect when setting via the GUI.
Password dictionary
nevisIDM can be configured to check passwords against a dictionary (see the parameter checkDictionary). When enabled, this check will search the password in the dictionary and, if the password is found therein, refuse it.
This is a way to refuse common (unsafe) passwords ("123456" or words from the English language like "love", "sex", "secret" and "god").
The wordlist in nevisIDM's dictionary is based on the free public Openwall wordlist available on Openwall. Our version includes the English extended, German, Italian and French lists and the common passwords list. For instructions on how to set up your database with this dictionary, see the chapter Database Preparing.
Dictionary customization
You can extend the password dictionary with your own entries.
Passwords are converted to lowercase before checking against the dictionary for disk space reasons. So if you extend the dictionary yourself, make sure that all letters in new entries are in lowercase. This way, "Cats", "CaTs" and "CATS" will all be refused if the dictionary contains "cats". Careful: if you enter "Cats" into the dictionary, none of the above passwords would be refused, not even "Cats".
To add a new entry into the dictionary, use this SQL command structure:
insert into tidmr_password_dictionary values (<ID>, '<entry>');
For example, to add "cats" to the dictionary, use
insert into tidmr_password_dictionary values (1234, 'cats');
String literals use single quotes, the standard SQL delimiter. You may have to issue a commit; command afterwards, depending on your autocommit settings.