Password policies enforce rules that ensure that access to data is not compromised through negligent password practices.
The PingDirectory server provides mechanisms to create and maintain password policies that determine:
- Whether passwords should expire
- Whether users are allowed to modify their own passwords
- Whether too many failed authentication attempts should result in an account lockout
Many other options are available to fully configure a password policy for your PingData Platform system.
The PingDirectory server provides three out-of-the-box password policies that you can apply to your entries or use as templates for configuring customized policies:
- Default password policy
  - The default password policy is automatically applied to all users although it is possible to use an alternate password policy on a per-user basis.
- Root password policy
  - The root password policy is enforced for the default root user, which uses a stronger password storage scheme (PBKDF2 instead of the salted 256-bit SHA-2 scheme) and requires that a root user provide their current password to select a new password.
- Secure password policy
  - The secure password policy provides a more secure option than the default policy that makes use of several features, including password expiration, account lockout, last sign-on time and last sign-on IP address tracking, password history, and several password validators.
Using the Secure password policy as-is might notably increase write load in the server by requiring updates to password policy state attributes in user entries and by requiring users to change passwords more frequently. In environments where write throughput is a concern (including environments spread across multiple data centers requiring replication over a WAN), it might be useful to consider whether the policy should be updated to reduce the number of required entry updates.
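The write-load trade-off described above, as an added illustration that is not PingDirectory code: a simplified model that counts user-entry updates for the same sign-on traffic under different state-tracking choices. The sample events, the `count_entry_updates` and `compare` functions, and the rule that a state attribute is written only when its value changes are assumptions of this model, not documented server behavior.

```python
from datetime import datetime, timedelta

# Constructed sample sign-on events: (user, time, client IP, bind succeeded)
START = datetime(2024, 1, 1, 8, 0, 0)
EVENTS = [("alice", START + timedelta(minutes=15 * i), "10.0.0.5", True) for i in range(8)]
EVENTS += [
    ("bob", START + timedelta(hours=1), "10.0.0.9", False),
    ("bob", START + timedelta(hours=1, seconds=20), "10.0.0.9", True),
    ("bob", START + timedelta(hours=3), "10.0.1.7", True),
]

def count_entry_updates(events, time_format=None, track_ip=False, lockout=False):
    """Count user-entry writes caused by state tracking (hypothetical model).

    Assumption: a state attribute is rewritten only when its value changes.
    """
    state, writes = {}, 0
    for user, when, ip, ok in sorted(events, key=lambda e: e[1]):
        entry = state.setdefault(user, {"time": None, "ip": None, "failures": 0})
        changed = False
        if not ok:
            if lockout:  # failure count must be persisted
                entry["failures"] += 1
                changed = True
        else:
            if lockout and entry["failures"]:  # success clears failures
                entry["failures"] = 0
                changed = True
            stamp = when.strftime(time_format) if time_format else None
            if stamp != entry["time"]:
                entry["time"] = stamp
                changed = True
            if track_ip and ip != entry["ip"]:
                entry["ip"] = ip
                changed = True
        writes += changed  # at most one entry modify per authentication
    return writes

def compare(events=EVENTS):
    """Entry updates for the same traffic under four policy variants."""
    return {
        "no state tracking": count_entry_updates(events),
        "second precision, IP, lockout": count_entry_updates(events, "%Y%m%d%H%M%S", True, True),
        "day precision, IP, lockout": count_entry_updates(events, "%Y%m%d", True, True),
        "day precision, lockout": count_entry_updates(events, "%Y%m%d", False, True),
    }

if __name__ == "__main__":
    for variant, updates in compare().items():
        print(f"{variant}: {updates} entry updates")
```

In this model, coarser sign-on timestamps and fewer tracked attributes cut the number of entry updates, and every update that remains is one that replication has to carry.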