Overview
Password Policy is a Policy that governs the Password within a system.
Typically there are two major areas that should be covered:
- Password Authentication Policy - enforced during Password Authentication
- Password-composition Policy - enforced when users perform Password Changes
LDAP and Password Policy
The typical Directory Server Password Policy provides a mechanism for controlling how passwords are stored and maintained in the server, and how users are allowed to authenticate.
Typical elements of a password policy include:
- The attribute used to store user passwords. By default, this is the userPassword attribute.
- The default set of password storage schemes that will be used to encode passwords stored in the server.
- A set of deprecated Password Storage Schemes that may still be used to authenticate users, but will cause the password to be re-encoded using the default scheme(s) upon a successful bind.
- A flag that indicates whether users will be allowed to change their own passwords.
- A number of settings related to password expiration, including the maximum age for passwords, warnings before expiration, and whether users will be allowed to change their passwords after they expire.
- A number of settings related to Account Lockout, which can be used to prevent users from authenticating after too many failed attempts.
- Flags that indicate whether users will be required to change their passwords the first time they authenticate and/or whether they will be required to change their passwords after they have been reset by an administrator.
- A set of password validators that can be used to determine whether proposed new password values are acceptable for use.
- A flag that indicates whether users will be required to provide their current passwords to be allowed to change their passwords.
- A flag that indicates whether clients will be allowed to specify new passwords that have already been encoded using one of the password storage schemes defined in the server. Allowing pre-encoded passwords may be necessary for some applications, but may allow the user to bypass certain restrictions, like password validators, that might otherwise be enforced.
- Settings related to maintaining the Last Login Time, including the attribute to use to store its value, the format to use for the time stamp, and whether to lock an account after too much time has elapsed without authenticating.
- Flags that control whether the user will be required to authenticate in a secure manner and/or whether they will be required to change their passwords in a secure manner.
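The interplay of several of these elements, as an added example that is not code from any directory server: a constructed Python model in which the composition policy runs validators only on cleartext (so a pre-encoded value is rejected unless the policy explicitly allows it, at which point the validators are bypassed), and the authentication policy locks the account after repeated failures and re-encodes a deprecated {SHA} value as {SSHA} on a successful bind. The scheme names, lockout threshold and the entry dictionary are assumptions.

```python
import base64, hashlib, os

# Constructed model of the policy elements listed above (not a real server).
DEFAULT_SCHEME = "SSHA"       # default storage scheme for new encodings
DEPRECATED_SCHEMES = {"SHA"}  # accepted on bind, then re-encoded
LOCKOUT_THRESHOLD = 3         # failed binds before the account locks

def encode(password, scheme=DEFAULT_SCHEME):
    """Encode cleartext as RFC 2307 '{SCHEME}base64' (SHA or salted SSHA)."""
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    salt = os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify(stored, password):
    """Check cleartext against a stored value; returns (matched, scheme)."""
    scheme, b64 = stored[1:].split("}", 1)
    raw = base64.b64decode(b64)
    if scheme == "SHA":
        return hashlib.sha1(password.encode()).digest() == raw, scheme
    if scheme == "SSHA":  # SHA-1 digest is 20 bytes, the salt follows it
        return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20], scheme
    return False, scheme      # unknown scheme: never authenticates

def change_password(entry, new_value, validators, allow_pre_encoded=False):
    """Composition policy: validators only see cleartext, so reject pre-encoded values unless allowed."""
    if new_value.startswith("{") and "}" in new_value:
        if not allow_pre_encoded:
            raise ValueError("pre-encoded passwords are not allowed")
        entry["userPassword"] = new_value   # stored as-is, validators skipped
        return
    for check in validators:
        check(new_value)                    # each raises ValueError on failure
    entry["userPassword"] = encode(new_value)

def bind(entry, password):
    """Authentication policy: lockout after repeated failures, re-encode deprecated schemes on success."""
    if entry.get("locked"):
        return False
    ok, scheme = verify(entry["userPassword"], password)
    if not ok:
        entry["failures"] = entry.get("failures", 0) + 1
        entry["locked"] = entry["failures"] >= LOCKOUT_THRESHOLD
        return False
    entry["failures"] = 0
    if scheme in DEPRECATED_SCHEMES:
        entry["userPassword"] = encode(password)  # migrate to the default scheme
    return True
```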
More Information
There might be more information on this subject on one of the following pages:
- AD Determining Password Expiration
- Account Expiration
- Account Lockout
- Account Restrictions
- Best Practices for LDAP Security
- Common Edirectory Bind Errors
- EDirectory Password Expiration
- Edirectory Password Policy
- Glossary Of LDAP And Directory Terminology
- Grace Logins
- Intruder Detection
- Password Authentication Policy
- Password Authentication is Broken
- Password Change
- Password Expiration
- Password Grace Authentication
- Password History
- Password Management
- Password Maximum Age
- Password Policy Administrator
- Password Quality
- Password Statistics
- Password Validator
- Password Validity Policy
- Password-composition Policy
- Passwords Composition
- SCIM Password Management Extension