Recommended password validator configuration
To help ensure that users choose strong passwords, configure the following password validators for add, modify, and password modify operations.
- A length-based password validator with a minimum length of ten characters.
- A dictionary password validator configured to use config/wordlist.txt.
- A dictionary password validator configured to use config/commonly-used-passwords.txt.
- A dictionary password validator configured to use a custom dictionary with banned words that relate to the company and its products or services, as well as any other banned passwords that are not included in dictionaries shipped with the PingDirectory server.
- The Pwned Passwords validator that prohibits passwords from known data breaches.
- An attribute value password validator that rejects passwords matching attribute values.
- A similarity-based password validator that rejects new passwords that are too similar to the current password.
- A unique characters password validator that requires passwords to contain at least five unique characters.
We also recommend periodically invoking the following password validators for bind operations:
- The Pwned Passwords validator that prohibits passwords from known data breaches.
- The dictionary validator that uses the custom banned password file, if you intend to update it on a regular basis with new banned passwords.
Consider forcing users to change their passwords if validation fails during a bind operation.
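The following Python sketch is an added illustration, not PingDirectory code or configuration. It models how the validators recommended above for add, modify, and password modify operations each reject a candidate password. It assumes case-insensitive exact matching for the dictionary and attribute checks, an edit-distance threshold of 3 for similarity (the page gives no value), and a breach lookup in the SUFFIX:COUNT range format of the public Pwned Passwords service; all sample data is constructed.

```python
import hashlib

MIN_LENGTH = 10          # from the recommendation above
MIN_UNIQUE_CHARS = 5     # from the recommendation above
MIN_DIFFERENCE = 3       # assumption: the page gives no similarity threshold

def edit_distance(a, b):
    """Levenshtein distance, used here as the similarity measure (an assumption)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def in_breach_range(password, range_body):
    """Compare the SHA-1 suffix with a 'SUFFIX:COUNT' listing for its 5-char prefix."""
    suffix = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()[5:]
    return any(line.split(":")[0].strip() == suffix for line in range_body.splitlines())

def failed_validators(new_pw, current_pw, attr_values, banned_words, range_body):
    """Return the name of every check the candidate password fails."""
    lowered = new_pw.lower()
    checks = {
        "length": len(new_pw) >= MIN_LENGTH,
        "dictionary": lowered not in {w.lower() for w in banned_words},
        "pwned": not in_breach_range(new_pw, range_body),
        "attribute-value": lowered not in {v.lower() for v in attr_values},
        "similarity": edit_distance(new_pw, current_pw) >= MIN_DIFFERENCE,
        "unique-characters": len(set(new_pw)) >= MIN_UNIQUE_CHARS,
    }
    return [name for name, ok in checks.items() if not ok]

def _range_line(pw):
    """Build one constructed range-response line for the sample data below."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()[5:] + ":42"

# Constructed sample data: not from PingDirectory or any real breach corpus.
BANNED = ["ExampleCorp2024!", "examplewidget"]
ATTRS = ["jdoe@example.com", "Jane Doe"]
CURRENT = "Winter-Plum-Trolley-8"
RANGE_BODY = "\n".join([_range_line("correcthorse1"), "0" * 35 + ":1"])

if __name__ == "__main__":
    for pw in ["aaaaaaaaaaaa", "jdoe@example.com", "correcthorse1",
               "Winter-Plum-Trolley-9", "Copper-Lantern-Orbit-27"]:
        print(pw, failed_validators(pw, CURRENT, ATTRS, BANNED, RANGE_BODY))
```

Each sample password passes the length check yet trips a different validator, which shows why the recommendation layers several validators rather than relying on minimum length alone.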