Configuring Password Policies

Configuring password policies helps improve 3DEXPERIENCE platform security by enforcing password complexity and expiration policies, and helps to prevent password and identity theft.

This task shows you how to:

Configure Password Format Policy

You can configure users' password formats and how their strength is calculated. For security reasons, users' passwords should comply with a set of rules.

  1. Click Security, then the Password Management tab.

    The upper area of the page contains password format policy parameters:

  2. Configure the password format policy.

    The possible values for each parameter are summed up in the following table:

    | Parameter | Type | Description | Recommended value |
    |---|---|---|---|
    | Allow password to contain username | Check box | If checked, a user's password can contain the user's username. | Not checked |
    | Allow password to contain first name | Check box | If checked, a user's password can contain the user's first name. | Not checked |
    | Allow password to contain last name | Check box | If checked, a user's password can contain the user's last name. | Not checked |
    | Minimum length | Integer | The minimum number of characters in a password. Default = 8. | >=8 |
    | Minimum number of digits | Integer | The minimum number of digits that a password should contain. Default = 1. | >=1 |
    | Minimum number of letters | Integer | The minimum number of letters a password should contain. Default = 1. | >=1 |
    | Minimum number of lowercase letters | Integer | The minimum number of lowercase characters that a password should contain. Default = 1. | >=1 |
    | Minimum number of uppercase letters | Integer | The minimum number of uppercase characters that a password should contain. Default = 1. | >=1 |
    | Minimum number of special characters | Integer | The minimum number of special characters selected from the list below that a password should contain. Default = 0. | 0 |
    | Special characters allowed | List | List of special characters that a password can contain. Choose the required characters from a predefined list. | All |

    The list contains the following characters:

    !#=@[\]^_{|}$%&()*+-

    Note: Once a new password format policy is created, existing passwords will not be checked.

  3. Click Apply.

    When an end user fills in the password and confirm password fields, a check list will be displayed containing the configured rules. This check list will be updated dynamically as the end user types to allow the user to see which rules still have to be followed. Registration of the passport is authorized only once all rules have been followed.
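The following added example (not 3DEXPERIENCE code) models the format policy table with its default values and returns a per-rule checklist like the one described in step 3, which is useful for pre-checking bulk-provisioned passwords against the configured policy. The `FormatPolicy`, `checklist` and `accepted` names are hypothetical; case-insensitive name matching and rejection of symbols outside the allowed list are assumptions.

```python
from dataclasses import dataclass

# Special characters listed on this page for "Special characters allowed".
PAGE_SPECIALS = "!#=@[\\]^_{|}$%&()*+-"

@dataclass
class FormatPolicy:
    """Hypothetical model of the table's parameters, set to its defaults."""
    allow_username: bool = False
    allow_first_name: bool = False
    allow_last_name: bool = False
    min_length: int = 8
    min_digits: int = 1
    min_letters: int = 1
    min_lower: int = 1
    min_upper: int = 1
    min_special: int = 0
    allowed_specials: str = PAGE_SPECIALS

def checklist(pw, username, first, last, p=FormatPolicy()):
    """Return {rule: satisfied}, like the checklist shown to the end user."""
    low = pw.lower()
    def absent(allowed, value):
        # Assumption: identity values are matched case-insensitively.
        return allowed or not value or value.lower() not in low
    count = lambda pred: sum(1 for c in pw if pred(c))
    return {
        "no username": absent(p.allow_username, username),
        "no first name": absent(p.allow_first_name, first),
        "no last name": absent(p.allow_last_name, last),
        "length": len(pw) >= p.min_length,
        "digits": count(str.isdigit) >= p.min_digits,
        "letters": count(str.isalpha) >= p.min_letters,
        "lowercase": count(str.islower) >= p.min_lower,
        "uppercase": count(str.isupper) >= p.min_upper,
        "specials": count(lambda c: c in p.allowed_specials) >= p.min_special,
        # Assumption: a symbol outside the allowed list is rejected.
        "only allowed characters": all(
            c.isalnum() or c in p.allowed_specials for c in pw),
    }

def accepted(pw, username, first, last, p=FormatPolicy()):
    """Registration is authorized only once every rule is satisfied."""
    return all(checklist(pw, username, first, last, p).values())
```
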

Configure Password Renewal Policy

For security purposes (for example, to prevent identity theft), users may renew their password regularly, and their new password must follow specific rules.

  1. Click Security, then the Password Management tab.

    The lower area of the page contains Password renewal policy parameters:

  2. Click the Enable Password Renewal Policy option.

    This activates additional parameters:

    | Parameter | Type | Description | Recommended value |
    |---|---|---|---|
    | Age limit (in days) | Positive Integer | Maximum number of days a user can use the same password. If this field is empty or negative, passwords have no age limit. Default is 180. | 180 |
    | Minimum age (in days) | Positive Integer | Minimum number of days during which a user cannot change the newly created password. If empty, users can change their password whenever they wish. Default = Empty. | Empty |
    | Remind user before (in days) | Integer | A reminder is sent to the user the specified number of days before the user's password expiration date. If left empty, users will not be warned that their password is about to expire. Default = 7. | 7 |
    | Allow password reuse | Check box | If checked, users can use old passwords when resetting them. As a consequence, if this option is checked, the Password history length disappears and is not taken into account. Default = not checked. | Not checked |
    | Password history length | Strictly positive Integer | The maximum number of passwords remembered per user. This field is only taken into account when Allow password reuse is not checked. Default = 5. | 5 |

    Note:

    A password renewal policy applies to all users stored in the local database. As far as users from external repositories are concerned, Age Limit and Minimum Age can only be enforced for the users with the following configurations:

    • users are identified on repositories that send back to the 3DPassport information about the last time the user changed the password
    • users are identified on repositories which do not send back information about the last time the password was changed but they allow password synchronization. In this case, we will use the user's first connection date with the given password as a replacement for the date corresponding to the last password update time.

    Allow password reuse is only enforced for the repositories that allow password synchronization.

    The administrator can check the timestamp logged for a user's password. When searching for users, this information is provided by the Password creation time field, expressed as a Linux timestamp.

LDAP configuration

You can obtain the last time the user changed a password in the LDAP server by specifying the name of the field holding this information on the LDAP side: Password last update time in your LDAP.

Set this field to: pwdlastset:WinTimeFormat.
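The following added example (not 3DEXPERIENCE code) shows how an auditor can evaluate a password against the renewal parameters using either timestamp source mentioned above: the Linux timestamp from Password creation time, or a `pwdlastset` value from LDAP. It assumes WinTimeFormat denotes the Windows FILETIME encoding that Active Directory uses for pwdLastSet (100-nanosecond intervals since 1601-01-01 UTC); the function names and the whole-day comparison are hypothetical.

```python
# Seconds between 1601-01-01 (Windows FILETIME epoch) and 1970-01-01 (Unix).
EPOCH_DELTA_S = 11_644_473_600
DAY_S = 86_400

def filetime_to_unix(pwd_last_set):
    """Convert a pwdLastSet value (100 ns ticks since 1601) to Unix seconds.

    Returns None for 0, which Active Directory uses to mean
    "user must change password at next logon" (no usable change date).
    """
    ticks = int(pwd_last_set)
    if ticks <= 0:
        return None
    return ticks // 10_000_000 - EPOCH_DELTA_S

def renewal_state(changed_unix, now_unix, age_limit=180, min_age=None, remind=7):
    """Evaluate one password against the renewal parameters (page defaults).

    Assumption: ages are compared in whole elapsed days.
    """
    if changed_unix is None:
        return {"known": False}
    age_days = (now_unix - changed_unix) // DAY_S
    # Empty (None) or negative age limit: passwords have no age limit.
    limited = age_limit is not None and age_limit >= 0
    left = age_limit - age_days if limited else None
    return {
        "known": True,
        "age_days": age_days,
        "expired": limited and left <= 0,
        # Empty reminder setting: users are not warned before expiration.
        "reminder_due": limited and remind is not None and 0 < left <= remind,
        # Empty minimum age: users can change their password at any time.
        "can_change": min_age is None or age_days >= min_age,
    }
```
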

Configure Application Password

You can enable the Application Password to allow users to create their application password.

  1. In the Application Password section, Enable Application Password.
  2. Optional: Enable Application Password age settings.

    If you want to give users the choice between an unlimited Application Password and a limited one, select the Allow unlimited Application Password check box.

    Fill in the fields:

    • Age limit: maximum age of a password.
    • Expiration type: months or days.
    • Remind user before (in days): sends a reminder notification email to the user N days before the password expires.

  3. Click Apply.