Using SecureLogin to enforce a password policy on an application that is stronger than the current password policy

  • 7940150
  • 19-Aug-2009
  • 07-Jan-2014

Environment

SecureLogin
SecureLogin SSO
All Versions
MS AD, LDAP, NT4, Citrix, Terminal Services


Situation

Issue

The customer has SSO-enabled the Finance application. Their SecureLogin script handles logon, invalid username, invalid password, change password and account locked. For security reasons, the application owner would like to change the password policy to a minimum of 8 characters with at least 2 numbers.

Previously, users would have objected to a stronger policy, but because SecureLogin now remembers and enters the password for them, the new policy is to be implemented through SecureLogin as part of SSO-enabling the application.

The customer created a SecureLogin password policy called FinancePwdPolicy that requires 8 characters and 2 numbers (the current one is 6 characters) and used the RestrictVariable command to tie it to the application as per the following:

RestrictVariable $Password FinancePwdPolicy

However, with the policy enforced in this way, every user whose current password is weaker than the new policy is unable to save that password when SecureLogin prompts them to store their credentials (the first time the application runs after SSO is enabled).

For example, the user's current password is "monday" (6 characters, no numbers). With the RestrictVariable command above in place, the policy does not allow the user to enter this password when SecureLogin first prompts them to save their credentials, so the user cannot complete the SSO enablement at all.

Resolution

Cause

SecureLogin is working as designed. Because $Password has been associated with a policy, every value stored in $Password, including the user's existing password, must meet that policy.

The customer needs to restrict new passwords to the new policy whilst still allowing users to enter and use their current password, even if it is weaker than the desired policy, until the password is next changed.

Solution

Using SecureLogin, you can enforce a stronger password policy than what is currently in place or that can be enforced natively by the backend application.

The solution is to bind the existing (current) password policy to $Password and the strong policy to a separate variable that is only used for NEW passwords. Both RestrictVariable commands should be placed at the top of the script, before any Dialog block, so that they are in effect for every window the script handles. CurrentPwdPolicy is a SecureLogin policy that matches the application's existing 6-character rule; FinancePwdPolicy is the 8-character, 2-number policy the customer created.

RestrictVariable $Password CurrentPwdPolicy
RestrictVariable ?NewPwd FinancePwdPolicy

With this method the new password is held in the runtime variable ?NewPwd, so users are able to save their current password, and the next time the password is changed it must meet the strong policy. The ChangePassword portion of the script would be similar to:

#========================#
# Change Password Prompt #
#========================#
Dialog
Title "Change Password"
Class #32770
# Ctrl #1003 stops this block also matching the success message box below,
# which shares the same title and class
Ctrl #1003
EndDialog
Type $Password #1003
# ChangePassword checks the entered value against the policy bound to ?NewPwd
ChangePassword ?NewPwd "Please enter a new password. It must be min 8 characters & contain min 2 numbers."
Type ?NewPwd #1004
Type ?NewPwd #1005
Click #1
#====================================#
# Change Password Successful Message #
#====================================#
Dialog
Title "Change Password"
Class #32770
Ctrl #65535 "Password Changed Successfully."
EndDialog
#================================================#
# Clear the message and save the password to ADS #
#================================================#
Click #2
Set $Password ?NewPwd
MessageBox "Your password was changed successfully. It will be remembered by SecureLogin for future logons."

When the Change Password prompt is detected, the old password ($Password) is entered into the old password field.

The user is then prompted to enter a new password, which is entered into the "New Password:" and "Verify New Password:" fields. The new password is held in the temporary variable ?NewPwd, and because the RestrictVariable command bound the strong policy to ?NewPwd, the ChangePassword command rejects any value that does not meet it. The weaker policy bound to $Password never applies to the new password.

$Password is only updated (Set $Password ?NewPwd) once the application confirms the change was successful; if the change fails, $Password is never updated, so the stored credential still matches what the application expects at the next logon.
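The complete application script that the two RestrictVariable lines and the Change Password section belong to, as an added example (this is not the customer's script from the TID). It assumes a Windows application whose logon dialog is titled "Finance Logon" with username control #1001, password control #1002 and OK button #1, and whose rejected-logon message box contains the text "Invalid password"; those titles and control IDs, and the policy names CurrentPwdPolicy and FinancePwdPolicy, are assumptions to be replaced with the values obtained from the SecureLogin Window Finder and the policies defined in the management console. The change-password controls #1003, #1004, #1005 and #2 are the ones used in the article.

```securelogin
# Finance application script (added example, not the script from the TID).
# Assumed: logon dialog "Finance Logon" with controls #1001 (username),
# #1002 (password) and OK button #1; a rejected-logon message box that
# contains "Invalid password"; change-password controls #1003/#1004/#1005
# as in the article. Replace titles and IDs with Window Finder values.

#======================================================#
# Password policies: these must be at the top of script #
#======================================================#
# The stored password only has to meet the application's CURRENT
# (6-character) policy, so an existing user can still save "monday".
RestrictVariable $Password CurrentPwdPolicy
# Any value entered through ChangePassword into ?NewPwd must meet the
# stronger 8-character, 2-number policy.
RestrictVariable ?NewPwd FinancePwdPolicy

#==============#
# Logon dialog #
#==============#
Dialog
Title "Finance Logon"
Class #32770
# Ctrl #1001 ensures this block only matches the real logon window,
# not the error message box that carries the same title and class
Ctrl #1001
EndDialog
Type $Username #1001
Type $Password #1002
Click #1

#==================================================#
# Invalid password: re-prompt under the CURRENT    #
# policy, never the new one                        #
#==================================================#
Dialog
Title "Finance Logon"
Class #32770
Ctrl #65535 "Invalid password"
EndDialog
Click #1
# DisplayVariables re-prompts for $Password. Because $Password is bound to
# CurrentPwdPolicy, a weak-but-valid existing password is accepted here.
DisplayVariables "The stored password was rejected. Enter your current Finance password." $Password

#========================#
# Change Password Prompt #
#========================#
Dialog
Title "Change Password"
Class #32770
# Ctrl #1003 keeps this block from matching the success message box below
Ctrl #1003
EndDialog
Type $Password #1003
# ChangePassword validates the entered value against FinancePwdPolicy
# (the policy bound to ?NewPwd) before anything is typed into the application.
ChangePassword ?NewPwd "Please enter a new password. It must be min 8 characters & contain min 2 numbers."
Type ?NewPwd #1004
Type ?NewPwd #1005
Click #1

#====================================#
# Change Password Successful Message #
#====================================#
Dialog
Title "Change Password"
Class #32770
Ctrl #65535 "Password Changed Successfully."
EndDialog
Click #2
# Only now does the stored credential change. ?NewPwd is a runtime variable,
# so a failed or cancelled change leaves $Password untouched and the next
# logon still uses the password the application actually accepts.
Set $Password ?NewPwd
MessageBox "Your password was changed successfully. It will be remembered by SecureLogin for future logons."
```

Two points to check when adapting this: the policy bound to $Password must be no stricter than the application's own current rule, otherwise the original problem returns for every user whose stored password predates the stricter rule; and each Dialog block should carry a Ctrl line that identifies its window uniquely, because the prompt and its confirmation message box share the same Title and Class and an unqualified block would match both.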