A password policy dictates the strength and complexity requirements for a password or passphrase. You can choose or define a policy that fits the needs of your organization.
PingOne allows you to assign password policies to populations and includes three policy types by default. You can customize these policies or create new policies to meet the password requirements for users in the population. For more information, see Password policy comparison.
The default password policies include:
- Standard (default) - The standard password policy incorporates industry best practices for a typical password policy.
- Passphrase - The passphrase policy encourages users to use a passphrase instead of a password for stronger authentication. A passphrase can be easier to remember and more secure because of its length.
- Basic - The basic password policy is a more relaxed standard that allows for maximum customer flexibility. Because users are not required to change their passwords, the basic policy can be less secure.
To view, add, modify, or delete password policies, see Managing password policies.
Password policy comparison
Standard | Passphrase | Basic | |
---|---|---|---|
Contains no sub strings that match user attributes. |
Yes |
Yes |
No |
Not similar to current password. Note:
PingOne checks
the Levenshtein distance between the two passwords to ensure they are
not too similar. The Levenshtein distance counts the number of
characters added to, removed from, or replaced from the old password
to the new password. If the Levenshtein distance is less than 3, then
the password will be rejected as too similar. For example, changing a
password from |
Yes |
Yes |
No |
Not a common password. |
Yes |
Yes |
Yes |
No more than two consecutive repeated characters. For example, |
Yes |
No |
No |
At least five unique characters. |
Yes |
No |
No |
Between 8 and 255 characters. |
Yes |
No |
Yes |
At least one number. |
Yes |
No |
Yes |
At least one lowercase letter. |
Yes |
No |
Yes |
At least one uppercase letter. |
Yes |
No |
Yes |
At least one of the following special characters: ~!@#$%^&*()-_=+[]{}|;:,.<>/? |
Yes |
No |
Yes |
Has a computational complexity of at least seven days based on the Gibson Research Corporation Password Haystacks concept. |
No |
Yes |
No |
Supports all printable UTF-8 characters. |
Yes |
Yes |
Yes |
Allowed failed attempts. |
After five failed attempts, the user is locked out for 15 minutes |
5 |
5 |
Expires |
182 days |
Never |
182 days |