Can SecureLogin enforce password policies on applications?

  • 7940195
  • 19-Aug-2009
  • 08-Jan-2014

Environment

SecureLogin
SecureLogin SSO
All Versions

Situation

Question

Can SecureLogin enforce password policies on applications?

Resolution

Answer

Historically, security experts and users have fought a constant password battle. Security experts typically want strong passwords that change often, while users argue that the stronger the password policy, the more likely they are to have to write passwords down. Helpdesks share the pain. Not surprisingly, the applications with the strongest password policies are the ones that require the most resets.

SecureLogin solves this problem because users no longer need to remember their passwords to applications. Since users no longer need to know them, extremely strong password policies can be enforced. Security experts and users are finally talking the same language.

SecureLogin can apply a password policy to any application. One policy can be tied to any number of applications, but typically a policy is created for each application separately. Policies can enforce the minimum and maximum number of characters and digits, whether the password can contain uppercase and lowercase letters and how many of each, whether it can contain punctuation characters, etc.

Application owners are typically asked what their current password policy is and a SecureLogin password policy is created to match it. Password policies are tied to applications using the RestrictVariable command. The command should be placed at the top of the script.

RestrictVariable $Password YahooPwdPolicy

RestrictVariable $UserID YahooUserPolicy

In addition, when passwords expire, the SSO administrator can choose which applications users choose a password for and which have passwords generated randomly by SecureLogin. Password policies are centrally configured and administered using the MMC snap-in in Active Directory environments, ConsoleOne in Novell Directory environments, or SecureLogin Manager in other environments.

Password policies should be named so they are easy to follow. For example, a Groupwise password policy should be called GroupwisePwdPolicy and a username policy should be GroupwiseUserPolicy.

If an application enforces a policy on the Username (e.g. must be all UPPERCASE) you can create a password policy and restrict it to the $Username (or $UserID) variable.
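The following application script shows where these pieces fit together, added here as an illustration rather than taken from the product documentation: the RestrictVariable commands at the top, a login dialog, and a change-password dialog that lets SecureLogin generate the new password randomly against the policy. The dialog class, window titles and control IDs (#1001 and so on) are assumptions for a hypothetical Windows application, and the GroupwisePwdPolicy and GroupwiseUserPolicy policies are assumed to have already been created in the management console.

```text
# Tie the policies to the variables before any dialog is matched,
# so every value stored in $Username and $Password is validated.
RestrictVariable $Password GroupwisePwdPolicy
RestrictVariable $Username GroupwiseUserPolicy

# Login dialog (class, title and control IDs are assumed for this example)
Dialog
   Class #32770
   Title "Log In"
EndDialog
Type $Username #1001
Type $Password #1002
Click #1

# Change-password dialog: the old password is typed, then a new one is
# generated randomly to satisfy GroupwisePwdPolicy and typed into the
# new/confirm fields. Omit Random to prompt the user for a new password
# instead; the policy is still enforced on whatever they enter.
Dialog
   Class #32770
   Title "Change Password"
EndDialog
Type $Password #1003
ChangePassword $Password Random
Type $Password #1004
Type $Password #1005
Click #1
```

Because the username variable is restricted as well, a value that violates GroupwiseUserPolicy (for example lowercase letters where the application requires all uppercase) is rejected before it is stored.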