You can use the Server SDK to create custom password validators with the constraints necessary for your environment.

Password Validators

Each entry below names a validator and describes what it enforces.

Attribute Value

Ensures that the proposed password does not match the value of another attribute in the user's entry. You can configure the validator to look in all attributes or in a subset of attributes. It can also compare the password in reverse (the attribute value with its characters in reverse order), and it can reject a proposed password that is a substring of an attribute value.

Character Set

Ensures that the proposed password contains a sufficient number of characters from one or more user-defined character sets. For example, the validator can ensure that passwords must have at least one lowercase letter, one uppercase letter, one digit, and one symbol.

Commonly-Used Passwords Dictionary

Ensures that the proposed password is not one of 10,000 commonly used passwords, the words attackers try first when guessing their way into user accounts. The Secure Password Policy invokes the Commonly-Used Passwords validator by default. The word list is located in <server-root>/config/commonly-used-passwords.txt. A custom validator may reference this file, but the file itself should not be modified; to check additional words, supply your own word list to a Dictionary validator.

Dictionary

Ensures that the proposed password is not present in a specified dictionary file, optionally also testing the password with all characters in reverse order. A large dictionary file is provided with the server, but the administrator can supply an alternate dictionary. In this case, the dictionary must be a plain-text file with one word per line.
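The Dictionary and Attribute Value checks above share the same core operation: compare the proposed password, forward and reversed, against a set of forbidden strings. The following is an added example written for this page, not PingDirectory or Server SDK code. The one-word-per-line dictionary text, the LDAP-style entry, and the minimum substring length of 4 are constructed for the demonstration.

```python
"""Added example (not PingDirectory code): forward/reverse matching of a
proposed password against a word list (Dictionary validator) and against
the attribute values of the user's own entry (Attribute Value validator).
The dictionary text, the entry, and the 4-character substring floor are
constructed for this demonstration."""

# Constructed stand-in for a plain-text dictionary file, one word per line.
SAMPLE_DICTIONARY = """\
password
letmein
welcome
qwerty
"""

# Constructed user entry; attribute names follow LDAP conventions.
SAMPLE_ENTRY = {
    "uid": ["jdoe"],
    "cn": ["Jane Doe"],
    "sn": ["Doe"],
    "mail": ["jane.doe@example.com"],
    "telephoneNumber": ["555-0199"],
}


def load_dictionary(text, case_sensitive=False):
    """Parse a one-word-per-line word list; blank lines are ignored."""
    words = set()
    for line in text.splitlines():
        word = line.strip()
        if word:
            words.add(word if case_sensitive else word.lower())
    return words


def in_dictionary(password, words, test_reversed=True, case_sensitive=False):
    """Dictionary check: True if the password, or optionally its reverse,
    is a dictionary word."""
    candidate = password if case_sensitive else password.lower()
    if candidate in words:
        return True
    return test_reversed and candidate[::-1] in words


def matches_attribute(password, entry, attributes=None, test_reversed=True,
                      test_substring=True, min_substring_length=4,
                      case_sensitive=False):
    """Attribute Value check: True if the password equals an attribute value,
    equals a reversed attribute value, or (optionally) is a substring of an
    attribute value. `attributes` restricts the check to a subset of the
    entry; None means every attribute. Very short passwords are not
    substring-tested, since a single letter appears in almost any value
    (the floor of 4 is an assumption for the demo)."""
    def norm(s):
        return s if case_sensitive else s.lower()

    pwd = norm(password)
    for name, values in entry.items():
        if attributes is not None and name not in attributes:
            continue
        for value in values:
            v = norm(value)
            if pwd == v or (test_reversed and pwd == v[::-1]):
                return True
            if test_substring and len(pwd) >= min_substring_length and pwd in v:
                return True
    return False


def validate(password, entry, words):
    """Return the list of rejection reasons; an empty list means acceptable."""
    reasons = []
    if in_dictionary(password, words):
        reasons.append("matches a dictionary word (forward or reversed)")
    if matches_attribute(password, entry):
        reasons.append("matches or is contained in an attribute of the entry")
    return reasons
```

Both checks are case-insensitive by default because a user who is refused "password" would otherwise get through with "Password"; the reversed test costs one extra set lookup per word and closes the equally common "drowssap" trick.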

Haystack Password Validator

Ensures that the proposed password is secure based on a combination of its length and the types of characters that it contains. For example, a longer password containing only lowercase letters might be stronger than a shorter password containing a mix of uppercase and lowercase letters, numbers, and symbols. This is based on the Gibson Research Corporation Password Haystacks concept.
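The Character Set and Haystack entries above both start from the same observation: which character classes a password draws on. This added example, written for this page and not taken from PingDirectory or the GRC page, counts characters per class for a Character Set policy and then computes the Password Haystacks search space (sum of A^i for i = 1..L, where A is the combined size of the classes present) to show why a long lowercase-only password can out-score a short mixed one. The class definitions, the per-class minimums and the use of Python's 32 punctuation characters as the symbol set are assumptions for the demonstration.

```python
"""Added example (not PingDirectory code): per-class character counts, as
used by the Character Set validator, and the Password Haystacks search-space
estimate behind the Haystack validator. Character classes and minimums are
assumptions for this demonstration."""

import string

# Each class and the alphabet size it contributes to the search space.
# string.punctuation has 32 ASCII symbols; adjust if your policy also
# counts space as a symbol.
CHARACTER_SETS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def count_by_class(password):
    """Number of characters from each set; characters outside every set
    (e.g. non-ASCII) are not counted."""
    counts = {name: 0 for name in CHARACTER_SETS}
    for ch in password:
        for name, chars in CHARACTER_SETS.items():
            if ch in chars:
                counts[name] += 1
                break
    return counts


def meets_character_set_policy(password, minimums):
    """Character Set check: every named set must contribute at least its
    configured minimum, e.g. {"lower": 1, "upper": 1, "digit": 1, "symbol": 1}."""
    counts = count_by_class(password)
    return all(counts[name] >= need for name, need in minimums.items())


def haystack_search_space(password):
    """Password Haystacks estimate. The alphabet size A is the sum of the
    sizes of the classes actually present; an exhaustive search of all
    lengths up to L must try sum(A**i for i in 1..L) candidates."""
    counts = count_by_class(password)
    alphabet = sum(len(CHARACTER_SETS[name]) for name, n in counts.items() if n)
    length = len(password)
    if alphabet == 0 or length == 0:
        return 0
    return sum(alphabet ** i for i in range(1, length + 1))


def stronger_by_haystack(a, b):
    """True when password a has the larger search space than password b."""
    return haystack_search_space(a) > haystack_search_space(b)
```

With these definitions an 18-character lowercase-only string has a search space of roughly 26^18 (about 3 x 10^25), while a 7-character string drawing on all four classes stays below 94^8 (about 6 x 10^15), which is the comparison the Haystack description makes. The estimate assumes a blind exhaustive search; it says nothing about dictionary or pattern attacks, which is why the Haystack validator is normally combined with the Dictionary and Commonly-Used Passwords validators rather than used alone.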

Length-Based Password Validator

Ensures that the number of characters in the proposed new password is within an acceptable range. Both a maximum and minimum number of characters can be specified.

Pwned Passwords Password Validator

Prevents users from choosing passwords that are known to have been compromised. By default it checks the free Pwned Passwords service, whose database holds hundreds of millions of compromised passwords, but it can be pointed at any other service that exposes a compatible API.
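The Pwned Passwords range API is a k-anonymity lookup: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every hash suffix in that range with its breach count, and performs the match locally, so neither the password nor its full hash leaves the server. The following is an added example of that client-side logic, written for this page and not taken from PingDirectory or the Pwned Passwords project. It runs offline against a constructed range response; the first suffix in the sample is the real remainder of SHA-1("password"), the counts and the other suffixes are made up, and the HTTPS fetch against https://api.pwnedpasswords.com/range/<prefix> is replaced by a stand-in function.

```python
"""Added example (not PingDirectory code): client side of the Pwned
Passwords range (k-anonymity) lookup. Only the 5-character hash prefix is
sent; the suffix match happens locally. The range response below is
constructed for this demonstration."""

import hashlib

PREFIX_LEN = 5

# Constructed sample of a range response for prefix 5BAA6, one
# "<35-hex-char suffix>:<count>" per line. The first suffix is the real
# remainder of SHA-1("password"); every count and the other suffixes are
# made up. A suffix with count 0 mimics the padding entries the real
# service can include so that response sizes do not leak the range.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2E3F1A0F0C5D8B1A9C7E6D5F4A3B2C1D0E9:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""


def split_hash(password):
    """Uppercase hex SHA-1 split into the prefix sent to the service and the
    suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are
    skipped rather than failing the whole lookup."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Number of breaches the password appears in (0 if absent).
    fetch_range(prefix) returns the text body the service answered with."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def sample_fetch_range(prefix):
    """Offline stand-in for the HTTPS call; serves the constructed response
    for the one prefix it was built for and an empty range otherwise."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def is_pwned(password, fetch_range=sample_fetch_range, threshold=1):
    """Reject when the password has been seen at least `threshold` times;
    padding entries with count 0 therefore never cause a rejection."""
    return breach_count(password, fetch_range) >= threshold
```

In a deployment the fetch function is the only piece that changes: it performs the HTTPS GET, and a practitioner should decide explicitly whether a network failure fails open (accept the password) or fails closed (reject it), since the validator cannot tell a clean password from an unreachable service without that policy.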

Regular Expression Validator

Ensures that a proposed password either matches or does not match a given regular expression.

Repeated Characters

Ensures that a proposed password does not contain a substring in which the same character is repeated more than a specified number of times (for example, "aaaaa" or "aaabbb"). You can configure the validator to operate in a case-sensitive or case-insensitive manner, and you can also define custom sets of equivalent characters, such as defining all digits as equivalent so the proposed password could not contain more than a specified number of consecutive digits.

Similarity-Based Password Validator

Ensures that the proposed new password is not too similar to the current password, using the Levenshtein distance, which is the number of single characters that must be inserted, removed, or replaced to transform one string into the other.

Note:

For this password validator to be effective, the server must be given the user's current password at the time of the change. If this password validator is enabled, the password-change-requires-current-password attribute in the password policy configuration must also be set to true.
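The Levenshtein distance behind the Similarity-Based validator is worth seeing in full, since it is what decides that "Summer2023!" to "Summer2024!" is a one-edit change. This is an added example written for this page, not PingDirectory or Server SDK code; the minimum distance of 3 is an assumption for the demonstration, not a server default.

```python
"""Added example (not PingDirectory code): Levenshtein distance between the
current and proposed passwords, and a similarity check that rejects a change
when the distance is below a configured minimum. The minimum of 3 is an
assumption for this demonstration."""


def levenshtein(a, b):
    """Minimum number of single-character insertions, deletions and
    substitutions that turn a into b (Wagner-Fischer with two rows)."""
    if len(a) < len(b):
        a, b = b, a  # keep the shorter string as b so the rows stay short
    previous = list(range(len(b) + 1))  # distance from a[:0] to each b[:j]
    for i, ca in enumerate(a, start=1):
        current = [i]  # distance from a[:i] to the empty prefix of b
        for j, cb in enumerate(b, start=1):
            current.append(min(
                previous[j] + 1,               # delete ca
                current[j - 1] + 1,            # insert cb
                previous[j - 1] + (ca != cb),  # substitute, free on a match
            ))
        previous = current
    return previous[-1]


def too_similar(current_password, proposed_password, min_distance=3):
    """Similarity check: True when fewer than min_distance edits separate
    the two passwords. This needs the current password in the clear, which
    is why the policy must require it on a password change."""
    return levenshtein(current_password, proposed_password) < min_distance
```

Because the comparison needs the old password in the clear, it can only run on a self-service change where the user supplies it; an administrative reset has nothing to compare against, and the validator is silently ineffective there, which is the point of the note above.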

Unique Characters

Ensures that the proposed password contains at least a specified minimum number of unique characters, optionally using case-insensitive validation.
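The Repeated Characters and Unique Characters entries above both reduce to a character-by-character scan with an optional normalisation step (case folding, or mapping every member of a user-defined set such as "all digits" to one token). The following is an added example written for this page, not PingDirectory or Server SDK code; the run limit, the unique-character minimum and the digits-are-equivalent set are assumptions for the demonstration.

```python
"""Added example (not PingDirectory code): the run-length scan of the
Repeated Characters validator, with case-insensitive matching and
user-defined equivalence sets, and the distinct-character count of the
Unique Characters validator. Limits and equivalence sets are assumptions
for this demonstration."""

import string

# Example equivalence set: every digit counts as the same character, so a
# run of any digits is treated like a run of one repeated character.
DIGITS_EQUIVALENT = {"digit": set(string.digits)}


def canonical(ch, case_sensitive, equivalence_sets):
    """Token used for comparison: the name of the equivalence set the
    character belongs to, otherwise the character itself (lowercased when
    matching case-insensitively). Set names are longer than one character,
    so they cannot collide with a literal character."""
    for name, members in equivalence_sets.items():
        if ch in members:
            return name
    return ch if case_sensitive else ch.lower()


def longest_run(password, case_sensitive=True, equivalence_sets=None):
    """Length of the longest run of consecutive equivalent characters."""
    equivalence_sets = equivalence_sets or {}
    best = run = 0
    previous = None
    for ch in password:
        token = canonical(ch, case_sensitive, equivalence_sets)
        run = run + 1 if token == previous else 1
        best = max(best, run)
        previous = token
    return best


def has_excessive_repeats(password, max_consecutive=2, case_sensitive=True,
                          equivalence_sets=None):
    """Repeated Characters check: True when any run is longer than
    max_consecutive (so "aaa" fails the default of 2, "aa" passes)."""
    return longest_run(password, case_sensitive, equivalence_sets) > max_consecutive


def unique_character_count(password, case_sensitive=True):
    """Number of distinct characters, optionally ignoring case."""
    return len(set(password if case_sensitive else password.lower()))


def has_enough_unique(password, min_unique=5, case_sensitive=True):
    """Unique Characters check: True when at least min_unique distinct
    characters are present."""
    return unique_character_count(password, case_sensitive) >= min_unique
```

The equivalence-set mechanism is what turns a repeated-character rule into a useful check against "pin1234"-style passwords: without it a run of different digits never repeats, with it the run is four "digit" tokens long and exceeds the limit.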