# RapidIdentity Administrators' and Users' Guide

• Policies

• Syntax

Navigate to Configuration > Policies > Authentication > Password.

You can create a new policy by clicking the + symbol beneath the listed policies. You can use the Password Policy Manager to create, edit, or delete Custom Policy, modify the Default Policy, or even replace the Default Policy with a Custom Policy.

There are three available tabs on this screen: General, Password Syntax, and Restricted Passwords.

### Note

The system evaluates all custom policies' "Affected Users" specifications for a match from top to bottom when deciding which password policy to use for a particular user. If none of the custom policies apply to the user, the Default Policy is used, regardless of where it appears in the list.

Table 62. Password Policy Manager - General Tab

Section

Field

Description

General

Name

Give the policy a name that makes the policy easy to identify. This will be displayed to the user when they are prompted to create a password. (After the policy has been saved, an ID will show up above this field that represents the policy's unique identifier within the system.)

Description

This will also be displayed to the user when they are prompted to create a password. Administrators can use basic HTML formatting to ensure the message is easy to read and understand.

Enabled

Select this checkbox to enable the policy for all applicable users.

Default Policy

Select this checkbox to change this policy to the default. When checked, the Affected Users section will be hidden, and the existing Default Policy will be converted to a Custom Policy.

Affected Users

Access Control

Choose whether to filter this policy by Attributes, Roles, or None. If Attribute-based or Role-based is chosen, you will need to set the attribute or role to be used for this feature. (This field is only visible for custom policies.)

Allow Password Reset to Attribute Value

Select this checkbox to enable users to reset other users' passwords to a Default value. With this enabled, choose which user attribute will provide that value (phone number, username, etc.)

Select this checkbox to allow passwords governed by this policy to be reset to random values when performing delegated or self-service password reset.

Select this checkbox to choose whether the "User Must Change Password At Next Login" option is automatically selected when delegated administrators change the password for other users associated with this policy.

Section

Field

Description

General

Define the minimum and maximum number of characters required for the current Password Policy.

### Note

Setting the minimum length to 0 means RapidIdentity will not enforce a minimum length, and setting the maximum length to 0 means RapidIdentity will not enforce a maximum length for new passwords for users within this policy.

If both values are greater than zero, the Minimum Length character count must be less than or equal to the Maximum Length character count.

Regular Expression for Allowed Characters

Insert a string to enforce further password complexity rules as needed. This can force include or force exclude certain characters at the creation of password for users that qualify for this policy.

Character Sets to Meet

Number of Character Sets as defined in the next section that the password must meet to match the requirements of this policy.

### Note

Upon clicking Save, any number entered here that is greater than the number of nonzero Character Sets will revert to the total number of nonzero Character Sets, with a maximum of 5.

Pressing this button changes the Password Length Minimum to 7 and Character Sets to Meet to 3. These are the default Password Complexity requirements as set by the AD industry standard.

Character Sets

Uppercase Letters

Define the minimum and maximum number of Uppercase Letters (A-Z) that must be included. Setting or keeping this field as 0 will not require this character set in the new password, but still may allow it.

Lowercase Letters

Define the minimum and maximum number of Lowercase Letters (a-z) that must be included. Setting or keeping this field as 0 will not require this character set in the new password, but still may allow it.

Numbers

Define the minimum and maximum number of Numbers (0-9) that must be included. Setting or keeping this field as 0 will not require this character set in the new password, but still may allow it.

Special Characters

Define the minimum and maximum number of Special Characters (i.e., !"#\$%&'()*+,-./:;=?@[\]^_{|}~) that must be included. Setting or keeping this field as 0 will not require this character set in the new password, but still may allow it.

Unicode Characters

Define the minimum and maximum number of Unicode Characters that must be included. Setting or keeping this field as 0` will not require this character set in the new password, but still may allow it.

Section

Field

Description

Match by Text

Case Sensitive Match

Check this box to enforce case sensitivity against any Restricted Passwords defined below.

Full Match

Check this box to restrict any phrases that fully match any of the Restricted Passwords defined below.

Click +Add Another to include any words and phrases that are to be restricted from use in a user's password.

### Note

Excessively long lists in this field can cause usability or performance issues.

Match by Regular Expression

Click +Add Another to include any regular expressions that are to be restricted from use in a user's password.

### Note

Excessively long lists in this field can cause usability or performance issues.

Match by Attribute Value

Case Sensitive Match

Check this box to enforce case sensitivity against any Restricted Attribute Values defined below.

Full Match

Check this box to restrict any Attributes that fully match any of the Restricted Passwords defined below.