PingOne for Enterprise

Configure the directory password policy

About this task

You need to be either a Global Administrator or Identity Repository Administrator to configure the password policy for your directory users. You will edit the default password policy to assign password requirements, expiration settings and lockout settings.

The PingOne for Enterprise Directory uses HMAC SHA-256 with salt for hashing passwords.

Steps

  1. Go to Setup → Directory Settings → Password Requirements.

  2. Change any of the minimum requirement settings as needed:

    | Setting | Description |
    | --- | --- |
    | Minimum Length | The minimum number of characters required. |
    | Minimum Uppercase Characters | The minimum number of uppercase characters required. |
    | Minimum Numbers | The minimum number of numbers required. |
    | Minimum Special Characters | The minimum number of special characters required (such as @ # ! % &). |
    | Block Dictionary Words | If enabled, common dictionary words aren’t allowed as passwords. |
    | Block Prior Passwords | If enabled, previously used passwords aren’t allowed. |

  3. Assign any of the password expiration settings as needed:

    | Setting | Description |
    | --- | --- |
    | Password Duration | The number of days a password remains valid. When set to 0 (zero), passwords will never expire. |
    | First Notification | The user will receive their first notice of an expiring password this number of days before expiration. |
    | Second Notification | The user will receive their second notice of an expiring password this number of days before expiration. |
    | Password Expiry Notifications | When enabled, an email notification is sent to users prior to their password expiring. |

  4. Change any of the account lockout settings as needed:

    | Setting | Description |
    | --- | --- |
    | Consecutive Failures to Trigger Lockout | The number of consecutive failed sign-on attempts needed to trigger an account lockout. |
    | Consecutive Failure Timeframe | The length of time a user remains locked out (in minutes). |
    | Lockout Duration | The length of time without user activity (in minutes) that’s needed before the count of failed sign-on attempts is reset to zero. |
    | Password Lockout Notifications | When enabled, an email notification is sent to users when their password has expired and they are locked out. |
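
To pre-check candidate passwords (for example in a provisioning script) against the minimum requirements from step 2, the following added example evaluates a password and reports which settings it fails. It is not Ping Identity code: the policy values, the word list, the special-character set, and the use of the salt as the HMAC key for the prior-password comparison are all assumptions.

```python
import hashlib
import hmac
import string

# Constructed sample policy; keys mirror the step 2 setting names.
POLICY = {
    "min_length": 12,
    "min_uppercase": 1,
    "min_numbers": 1,
    "min_special": 1,
    "block_dictionary_words": True,
    "block_prior_passwords": True,
}
# Assumption: the page lists "@ # ! % &" only as examples, so all ASCII
# punctuation is treated as special here.
SPECIAL = set(string.punctuation)
DICTIONARY = {"password", "welcome", "letmein"}  # constructed word list


def digest(password: str, salt: bytes) -> bytes:
    """Salted HMAC-SHA-256 digest. Assumption: the salt is the HMAC key."""
    return hmac.new(salt, password.encode("utf-8"), hashlib.sha256).digest()


def violations(password, policy, prior=(), dictionary=DICTIONARY):
    """Return the step 2 settings the candidate fails (empty list = passes).

    prior is an iterable of (salt, digest) pairs for earlier passwords,
    so old passwords are never held in clear text.
    """
    failed = []
    if len(password) < policy["min_length"]:
        failed.append("Minimum Length")
    if sum(c.isupper() for c in password) < policy["min_uppercase"]:
        failed.append("Minimum Uppercase Characters")
    if sum(c in string.digits for c in password) < policy["min_numbers"]:
        failed.append("Minimum Numbers")
    if sum(c in SPECIAL for c in password) < policy["min_special"]:
        failed.append("Minimum Special Characters")
    if policy["block_dictionary_words"] and password.lower() in dictionary:
        failed.append("Block Dictionary Words")
    # Constant-time comparison against each stored (salt, digest) pair.
    if policy["block_prior_passwords"] and any(
        hmac.compare_digest(digest(password, salt), old) for salt, old in prior
    ):
        failed.append("Block Prior Passwords")
    return failed
```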