Configure the directory password policy

About this task

You need to be either a Global Administrator or Identity Repository Administrator to configure the password policy for your directory users. You will edit the default password policy to assign password requirements, expiration settings and lockout settings.

The PingOne for Enterprise Directory uses HMAC SHA-256 with salt for hashing passwords.

Steps

Go to Setup → Directory Settings → Password Requirements.

Change any of the minimum requirement settings as needed:

Setting	Description
Minimum Length	The minimum number of characters required.
Minimum Uppercase Characters	The minimum number of uppercase characters required.
Minimum Numbers	The minimum number of numbers required.
Minimum Special Characters	The minimum number of special characters required (such as, @ # ! % &).
Block Dictionary Words	If enabled, common dictionary words aren’t allowed as passwords.
Block Prior Passwords	If enabled, previously used passwords aren’t allowed.

Setting

Description

Minimum Length

The minimum number of characters required.

Minimum Uppercase Characters

The minimum number of uppercase characters required.

Minimum Numbers

The minimum number of numbers required.

Minimum Special Characters

The minimum number of special characters required (such as, @ # ! % &).

Block Dictionary Words

If enabled, common dictionary words aren’t allowed as passwords.

Block Prior Passwords

If enabled, previously used passwords aren’t allowed.

Assign any of the password expiration settings as needed:

Setting	Description
Password Duration	The number of days a password remains valid. When set to 0 (zero), passwords will never expire.
First Notification	The user will receive their first notice of an expiring password this number of days before expiration.
Second Notification	The user will receive their second notice of an expiring password this number of days before expiration.
Password Expiry Notifications	When enabled, an email notification is sent to users prior to their password expiring.

Setting

Description

Password Duration

The number of days a password remains valid. When set to 0 (zero), passwords will never expire.

First Notification

The user will receive their first notice of an expiring password this number of days before expiration.

Second Notification

The user will receive their second notice of an expiring password this number of days before expiration.

Password Expiry Notifications

When enabled, an email notification is sent to users prior to their password expiring.

Change any of the account lockout settings as needed:

Setting	Description
Consecutive Failures to Trigger Lockout	The number of consecutive, failed attempts to sign on needed to trigger an account lockout.
Consecutive Failure Timeframe	The length of time a user remains locked out (in minutes).
Lockout Duration	The length of time without user activity (in minutes) that’s needed before the count of failed sign on attempts is reset to zero.
Password Lockout Notifications	When enabled, an email notification is sent to users when their password has expired and they are locked out.

Setting

Description

Consecutive Failures to Trigger Lockout

The number of consecutive, failed attempts to sign on needed to trigger an account lockout.

Consecutive Failure Timeframe

The length of time a user remains locked out (in minutes).

Lockout Duration

The length of time without user activity (in minutes) that’s needed before the count of failed sign on attempts is reset to zero.

Password Lockout Notifications

When enabled, an email notification is sent to users when their password has expired and they are locked out.