Skip to main content
Version: 2.90.x.x Java 8 ELS

Password

This table lists the policy parameters specific to passwords.

In addition to the policy parameters defined in this table, the policy parameter defined in [the table] is also valid for password credentials.

NameData Type, ValuesDefaultDescription
allowLoginIdInPasswordData type: booleantrueDetermines whether the password may contain the user login ID. A case-insensitive check is performed upon creation.
checkDictionaryData type: booleantrueDetermines whether to look up the password in the dictionary (see the chapter Password dictionary) upon creation.
credentialLifetimeData type: long (>0)10 years in millisecondsThe time to live (in milliseconds) of the password credential. After the defined period of time, the user will not be able to log in with this password anymore.
hashAlgorithmData type: enum Values: bcrypt, SSHA256, SSHASSHA256Defines the hash algorithm used for password hashing. Supported are salted SHA-1 (SSHA), salted SHA-256 (SSHA256) and bcrypt (bcrypt).nevisIDM 2.21.2.0, SSHA has been marked as deprecated because collision attacks faster than brute force attacks have been found. Additionally, the default of nevisIDM has changed to SSHA256. Note that changing this parameter is fully backward compatible. Only newly created passwords are hashed with the defined algorithm.
hashAlgorithm.bcrypt.costData type: int12The cost factor defines how many rounds should be used to create a bcrypt hash. The cost factor should be chosen according to the hardware used and may have to be adjusted over time. The computing time grows exponentially with the cost factor. (2cost iterations).
initialPwchangePeriod.adminChangedData type: long-1, which means unlimitedDefines the number of milliseconds within which a user has to change his password after an administrator change. Only effective when initialPwchangeRequired=true.
initialPwchangePeriod.initialData type: long-1, which means unlimitedDefines the number of milliseconds within which a user has to change his initial password. Only effective when initialPwchangeRequired=true.
initialPwchangePeriod.resetCodeData type: long-1, which means unlimitedDefines the number of milliseconds within which a user has to change his password after a password reset.
initialPwchangeRequiredData type: booleantrueIf this parameter is true and the state of a password is "initial" or "set by administrator", the user will be forced to change it after the next login.
lockDisabledForPasswordChangeFailureData type: booleanfalseIf this parameter is true, the system will not lock the user account, no matter how often the user has entered the wrong account password.
maxCharacterRepetitionsData type: int4Maximum length of the longest substring made of identical characters. The value should be more than 0. Example: maxCharacterRepetitions=2 then password "cool" is allowed, but "coool" is not allowed
maxCredFailureCountData type: int (>0) or -13Maximum number of login failures before a password is definitely locked. If set to "-1", the max. failure counter is disabled.
maxCtrlData type: int0Maximum number of control characters such as backspace, NUL, etc.
maxLengthData type: int30Maximum length of a password.
maxNonAsciiData type: int0Maximum number of non-ASCII characters like umlauts. Some of these characters can be difficult to enter on certain keyboards.
maxNonGraphData type: int0Maximum number of non-printing characters such as exotic whitespace, etc.
maxResetCountData type: int3Maximum number of password resets before the user needs to call an administrator to set a new password. If you set the number to -1, the check is disabled.
minHistoryEntriesData type: int10This parameter defines the number of passwords that are included in the password history check. Whenever a user changes his password, the system compares this new password with the last minHistoryEntries passwords on the user's list of "old" passwords (password history entries). It is not allowed for the new password to equal one of the last minHistoryEntries passwords on the list. In this case, the user must choose another password."Minimum" or "min" in this context refers to the minimum number of password entries that the user has to go back on his password history list until he is allowed to re-use an "old" password.
minHistoryTimeData type: long86'400'000 (1 day)This parameter defines the time period covered by the password history check, in milliseconds. Whenever a user changes his password, the system compares this new password with all passwords he created within the last minHistoryTime milliseconds (e.g., within the last 86'400'000 milliseconds, which means within the last day). It is not allowed for the new password to equal one of these previous passwords. In this case, the user must choose another password."Minimum" or "min" in this context refers to the minimum period of time that the user has to go back in his password history until he is allowed to re-use an "old" password. E.g., if the minHistoryTime is one day (86'400'000 milliseconds), the user may only re-use passwords from his password history list that are at least one day old.
minLengthData type: int4Minimum length of a password.
minLowerData type: int0Minimum number of lower-case characters.
minNonAlnumData type: int0Minimum number of characters that are neither letters nor numbers.
minNonLetterData type: int1Minimum number of characters that are not letters.
minNumericData type: int0Minumum number of numeric characters (numbers).
minUpperData type: int0Minimum number of upper-case characters.
maxCredSuccessCountData type: int-1, which means unlimitedMaximum number of successful logins before the credential is disabled.
notificationEnabledData type: booleanfalseEnables user notification (e-mail, SMS, PDF), even if resetCodeLen1=0. If the parameter is set to "false" and resetCodeLen1=0, no e-mail/PDF will be generated.
passwordLifetimeData type: long (>0)115 days in millisecondsLifetime of a password in milliseconds before a password change is forced. The parameter will be read from the policy at every login, i.e., modifications to the parameter will take effect immediately.
resetCharacterSetData type: String0123456789abcdefghijklmnopqrstuvwxzy
ABCDEFGHIJKLMNOPQRSTUVWXYZ
The characters used when generating the password. Example without similar looking characters:23456789abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ
resetCodeEnabledData type: booleanfalseEnable/disable the reset code feature.
resetCodeLen0Data type: int15Length of the first part of a reset code. This part is returned to the caller in the response (SOAP interface) or shown to the administrator (web GUI).
resetCodeLen1Data type: int15Length of the second part of a reset code. This part is communicated to the credential's user.
securePasswordChangeDisabledData type: booleanfalseAllows or disallows changes to the password via SelfAdmin service without knowing the old one. If enabled, this can be a cross-site request forgery vulnerability. If you enable this parameter, make sure it is intended behavior. In this case, we recommend that you enable the CSRFFilter of nevisProxy.
sendingMethodData Type: comma-separated list of enums Values: any subset of PDFstore, Print, Email, HTMLemail, PDFemail, SMS_SMTP, None OR PDFstream aloneEmailDefines a fallback list of different methods of how a credential should be communicated to the user (if the first method fails for some reason, the second is tried, and so on).
Method "Email" will fail if the user has no e-mail address or the address is invalid. Method "SMS_SMTP" will fail if the user has no mobile number or the mobile number is invalid. All methods (except None) will fail if the corresponding template is missing or one or more of the mandatory placeholders are empty. If sendingMethod was not defined at all, nevisIDM takes the default value. The default value has no fallbacks.
Special sendingMethod for GUI: "PDFstream"This sendingMethod cannot be part of a fallback list. After password creation or reset, a transient link appears in the CredentialModify view on the GUI. The link can be used to download the communication PDF. If there is an error at PDF generation, the password's plain value will be lost, rendering the credential unusable for the owner. The same happens when the user leaves the view without clicking on the link.
If "PDFstore" is configured, the following additional parameters can be defined:
    PDFstore.destDir (optional): Defines the destination directory where the PDF is to be saved. If the parameter is not configured, the destination directory set in the configuration nevisidm-prod.properties will be used as fallback.
If "SMS_SMTP" is configured, the following additional parameters have to be defined:
    SMS_SMTP.smtp.host (mandatory): host name of the SMTP server. During the startup, the availability of the configured SMTP server is checked.
    SMS_SMTP.smtp.port (mandatory): port of the SMTP server.
    SMS_SMTP.message.from (mandatory): Sender of the SMS message. It has to be a valid e-mail address.
    SMS_SMTP.message.to (mandatory): Receiver of the SMS message. It has to contain the "${phonenumber}" placeholder. For example: ${phonenumber}@sms.mycompany.ch.
    SMS_SMTP.message.subject (mandatory): Subject of the e-mail sent to the SMTP gateway.
The sending method "PDFemail" requires two templates: one e-mail and one OpenOffice template. If either of the templates is missing, the PDF sending will fail. The credential value will be propagated only to the PDF document. If "PDFemail" is configured, the following additional parameter can be defined:
    PDFemail.htmlEmail (optional, default: false): If the parameter is "true", an HTML e-mail will be sent. Otherwise, a plain text e-mail will be sent.
templatePrecedenceData type: intnullThe precedence number of the template we want to use during the communication with the user. If the parameter is not set, the default template will be used. If no template exists with the given precedence number, an error will occur.
tmpLockingDurationData type: long60000Duration of the temporary locking in milliseconds. Use a tmpLockingDuration of at least 30000 since the exact duration cannot be guaranteed below this value.
tmpLockingModeData type: String Values: strict, thresholdstrict
    strict: When a temporary locking period is over, the user can try to log in only once before the next temporary locking period activates.
    threshold: The user can always try "tmpLockingThreshold" times to log in before the next temporary locking period activates.
tmpLockingThresholdData type: int (>0) or -12Number of login failures before a password is temporarily locked. If set to "-1", the temporary lock is disabled.
useAdminChangedStateForForeignPasswordChangeData type: booleantrueIf set to true, the password will have the state "changed by admin" after reset or creation. If set to false, the state will be "active". This does not apply if the state was explicitly set during the creation of the password credential. Note: this only takes effect when set via web service and the credential state has not been set. It does not take effect when setting via the GUI.

Password dictionary

nevisIDM can be configured to check passwords against a dictionary (see the parameter checkDictionary in the previous table). When enabled, this check will search the password in the dictionary and, if the password is found therein, refuse it.

This is a way to refuse common (unsafe) passwords ("123456" or words from the English language like "love", "sex", "secret" and "god").

The wordlist in nevisIDM's dictionary is based on the free public Openwall wordlist available on Openwall. Our version includes the English extended, German, Italian and French lists and the common passwords list. For instructions on how to set up your database with this dictionary, see the chapter Database Preparing.

Dictionary customization

You can extend the password dictionary with your own entries.

Passwords are converted to lowercase before checking against the dictionary for disk space reasons. So if you extend the dictionary yourself, make sure that all letters in new entries are in lowercase. This way, "Cats" "CaTs" and "CATS" will all be refused if the dictionary contains "cats". Careful: If you enter "Cats" into the dictionary, none of the above passwords would be refused, not even "Cats".

To add a new entry into the dictionary, use this SQL command structure:

insert into tidmr_password_dictionary values (<ID>, <entry>);

For example, to add "cats" to the dictionary, use

insert into tidmr_password_dictionary values (1234,"cats");

You may have to add a commit;-command, depending in your autocommit settings.