PingOne

Password policies

A password policy dictates the strength and complexity requirements for a password or passphrase. You can choose or define a policy that fits the needs of your organization.

PingOne allows you to assign password policies to populations and includes three policy types by default. You can customize these policies or create new policies to meet the password requirements for users in the population. Learn more in the Password policy comparison table.

The default password policies include:

  • Standard (default): The standard password policy incorporates industry best practices for a typical password policy.

  • Passphrase: The passphrase policy encourages users to use a passphrase instead of a password for stronger authentication. A passphrase can be easier to remember and more secure because of its length.

  • Basic: The basic password policy is a more relaxed standard that allows for maximum customer flexibility. Because users are not required to change their passwords, the basic policy can be less secure.

Learn more about viewing, adding, modifying, or deleting password policies in Managing password policies.

Password policy comparison

Password Requirements

| Requirement | Standard | Passphrase | Basic |
|---|---|---|---|
| Not the same as current password (always enabled). | Yes | Yes | Yes |
| Is not an exact match for any of the attribute values in the user profile. | Yes | Yes | No |
| Not similar to current password. PingOne checks the Levenshtein distance between the two passwords to ensure they are not too similar. The Levenshtein distance counts the number of characters added to, removed from, or replaced in the old password to produce the new password. If the Levenshtein distance is less than 3, the password is rejected as too similar. For example, changing a password from kitten to smitten would have a Levenshtein distance of 2 and be rejected as too similar. | Yes | Yes | No |
| Not a common password. | Yes | Yes | Yes |
| Has a computational complexity of at least 7 days, based on the Gibson Research Corporation Password Haystacks concept. | No | Yes | No |
| No more than two consecutive repeated characters. For example, good-apple is acceptable but goood-appple is not. | Yes | No | No |
| At least five unique characters. | Yes | No | No |
| Between 8 and 255 characters. | Yes | No | Yes |
| At least one of the special characters listed after this table. | Yes | No | Yes |
| At least one number. | Yes | No | Yes |
| At least one uppercase letter. | Yes | No | Yes |
| At least one lowercase letter. | Yes | No | Yes |
| No more than two or three sequential numbers (configurable). For example, 123 or 432 are not acceptable if set to 2, but would be acceptable if set to 3. | No | No | No |
| No more than two or three sequential letters (configurable). For example, abc or dcb are not acceptable if set to 2, but would be acceptable if set to 3. | No | No | No |
| No more than three sequential QWERTY keyboard characters. For example, qwer, rewq, zxcv, or vcxz are not acceptable. | No | No | No |
| No more than three sequential symbol row characters. For example, ~!@# or #@!~ are not acceptable. | No | No | No |
| Supports all printable UTF-8 characters. | Yes | Yes | Yes |

Special characters: ~!@#$%^&*()-_=+[]\{}|;:,.<>/?

Password Policy Rules

| Rule | Standard | Passphrase | Basic |
|---|---|---|---|
| Previous passwords maintained in history for 1 year. | 6 | 6 | None |
| Expires | 182 days | Never | 182 days |
| User can change their password after. | 1 day | 1 day | Never |

Account Lockout Rules

| Rule | Standard | Passphrase | Basic |
|---|---|---|---|
| Allowed failed attempts. | After five failed attempts, the user is locked out | 5 | 5 |
| Automatic unlock period. | Accounts locked after maximum failed attempts are unlocked after 15 minutes | 15 minutes | 15 minutes |
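
The Standard-policy requirements from the comparison above that can be evaluated from the two passwords alone, as an added Python example (not PingOne's implementation) for pre-validating or testing password changes. The function names are hypothetical, case-sensitive character comparison is an assumption, and the common-password, profile-attribute, and history checks are omitted because they need server-side data.

```python
import re

# Special characters listed in the comparison table.
SPECIALS = set("~!@#$%^&*()-_=+[]\\{}|;:,.<>/?")

def levenshtein(a: str, b: str) -> int:
    """Count single-character inserts, deletes or substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute ca -> cb
        prev = cur
    return prev[-1]

def standard_policy_violations(new: str, current: str) -> list[str]:
    """Return the locally checkable Standard-policy requirements that `new` fails."""
    failed = []
    if levenshtein(current, new) < 3:   # distance 0 also covers new == current
        failed.append("too similar to current password")
    if re.search(r"(.)\1\1", new):      # three identical characters in a row
        failed.append("more than two consecutive repeated characters")
    if len(set(new)) < 5:
        failed.append("fewer than five unique characters")
    if not 8 <= len(new) <= 255:
        failed.append("length not between 8 and 255")
    if not any(c in SPECIALS for c in new):
        failed.append("no special character")
    if not any(c.isdigit() for c in new):
        failed.append("no number")
    if not any(c.isupper() for c in new):
        failed.append("no uppercase letter")
    if not any(c.islower() for c in new):
        failed.append("no lowercase letter")
    return failed
```

An empty list means the candidate passes these checks; a one-character rotation such as changing a trailing digit fails only the similarity rule.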