Configuring Passwords

The password requirements setting uses a regular expression to specify the number and type of characters that a password must contain. The password strength setting checks whether a password contains repeated blocks of characters or sequences of characters that might be easy to guess.

You must choose a strength setting appropriate for the password requirement setting.

Password Requirements

Note

Rubicon’s standard configuration of Account Management specifies that passwords must have at least 8 alphanumeric characters. This is NOT currently one of the options described below, but it will be available as an option in a future release.

The following built-in options are available as password requirements. You must choose one of these options:

  • PIN: Exactly four digits. Note that this setting is available for backward compatibility with existing systems, but it is not recommended.
  • Regular strength alphanumeric: Between 7 and 12 characters. These can include letters, digits and underscores. They may not include spaces or punctuation.
  • Strong alphanumeric: Between 8 and 16 characters. These can include letters, digits and punctuation marks. They MUST include:

    • At least one lower case letter
    • At least one upper case letter
    • At least one digit
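The following added example reconstructs the three built-in requirements described above as regular expressions so that candidate passwords can be tested against the documented rules, for instance in a pre-check or a test suite. These expressions are assumptions written for this example from the descriptions on this page; they are not Rubicon's own requirement expressions, they treat letters as ASCII letters, and they cannot be loaded into Account Management.

```python
import re
import string

# Reconstructions of the documented built-in requirements (assumptions for
# this example, not Rubicon's expressions). All ASCII punctuation is allowed
# in the strong requirement; re.escape makes it safe inside a character class.
_PUNCT = re.escape(string.punctuation)

REQUIREMENTS = {
    # Exactly four digits.
    "PIN": re.compile(r"^[0-9]{4}$"),
    # 7-12 characters: letters, digits and underscores; no spaces or punctuation.
    "Regular strength alphanumeric": re.compile(r"^[A-Za-z0-9_]{7,12}$"),
    # 8-16 characters from letters, digits and punctuation; the lookaheads
    # enforce at least one lower-case letter, one upper-case letter and one digit.
    "Strong alphanumeric": re.compile(
        rf"^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])[A-Za-z0-9{_PUNCT}]{{8,16}}$"
    ),
}


def check_requirement(name: str, password: str) -> bool:
    """True if the password satisfies the named built-in requirement.

    fullmatch() is used so that a trailing newline cannot slip past the '$' anchor.
    """
    return REQUIREMENTS[name].fullmatch(password) is not None


def satisfied_requirements(password: str) -> list:
    """Names of every built-in requirement the password would satisfy."""
    return [name for name in REQUIREMENTS if check_requirement(name, password)]


if __name__ == "__main__":
    for candidate in ["1234", "abc_123", "Passw0rd!", "password1!", "a b c d"]:
        print(f"{candidate!r:14} -> {satisfied_requirements(candidate)}")
```

Note that a password can satisfy more than one requirement (for example "Abcdefg1" meets both alphanumeric requirements), whereas a four-digit PIN meets only the PIN requirement because it is too short for the others.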

What is a Custom requirement?

A custom requirement uses one of the built-in requirement expressions, but has a customised description. If you choose a built-in requirement and edit the Requirements Description, the Requirements setting will change to Custom.

A custom requirement does NOT have a custom requirements expression. You cannot create your own requirements expressions. If you need a different password expression, please contact Rubicon Support.

Password Strength

Password strength is determined using a standard calculation that takes into account predictable patterns in passwords such as repeated characters (for example "aaa") or sequences of consecutive characters (for example "abc"). See the Password Meter website for an interactive password strength testing tool.

Note

Results of the Password Meter tests may differ slightly from the test applied by Rubicon.

Set the password strength to prevent users from choosing a password that is too simple. When a user chooses a new password, the strength is displayed beside the password field as a guide.

Caution

The password strength calculation is independent of the requirements expression that you have chosen and could potentially cause a conflict.

Make sure that you do not set a minimum strength that is too high for the type of password you are using. For example, if you choose a simple password pattern, such as a four-digit PIN, it is not possible to choose a password that is stronger than 10%. If you set the required strength higher than this, it will be impossible for users to choose an acceptable PIN.
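The added example below illustrates the two points made in this section: a strength heuristic that penalises repeated characters and consecutive sequences, and a check for the conflict described in the caution. The scoring formula is an illustrative one written for this example; it is not Rubicon's calculation and not the Password Meter formula, so its numbers differ from the 10% quoted above. The conflict check exploits the fact that the four-digit PIN space is small enough to enumerate exhaustively, so the best attainable score can be compared directly with a configured minimum.

```python
# Illustrative strength heuristic (assumption for this example, not Rubicon's
# or Password Meter's formula). It reproduces the documented idea that
# repeated characters ("aaa") and consecutive sequences ("abc") lower the score.

def _run_penalty(password: str, step_ok) -> int:
    """Count characters that extend a run to length 3 or more.

    step_ok(a, b) decides whether b continues a run started by a.
    'aaa' -> 1, 'aaaa' -> 2, 'aa' -> 0 (a run of two is not penalised).
    """
    penalty, run = 0, 1
    for a, b in zip(password, password[1:]):
        if step_ok(a, b):
            run += 1
            if run >= 3:
                penalty += 1
        else:
            run = 1
    return penalty


def count_repeats(password: str) -> int:
    """Penalty for repeated characters such as 'aaa'."""
    return _run_penalty(password, lambda a, b: a == b)


def count_sequences(password: str) -> int:
    """Penalty for ascending ('abc', '123') or descending ('cba') sequences."""
    return (_run_penalty(password, lambda a, b: ord(b) - ord(a) == 1)
            + _run_penalty(password, lambda a, b: ord(a) - ord(b) == 1))


def strength_score(password: str) -> int:
    """Illustrative 0-100 score: length plus character variety, minus pattern penalties."""
    if not password:
        return 0
    score = min(4 * len(password), 40)            # up to 40 points for length
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # punctuation / symbols
    )
    score += 15 * sum(classes)                    # up to 60 points for variety
    score -= 5 * (count_repeats(password) + count_sequences(password))
    return max(0, min(100, score))


def max_pin_strength() -> int:
    """Best score any four-digit PIN can reach under this heuristic.

    10,000 candidates is small enough to enumerate, which is exactly why a PIN
    requirement can never satisfy a high minimum strength.
    """
    return max(strength_score(f"{n:04d}") for n in range(10_000))


def pin_policy_conflict(min_strength: int):
    """Return (conflict, best_attainable).

    conflict is True when no PIN at all can reach the configured minimum strength,
    i.e. the two settings would lock every user out of choosing a PIN.
    """
    best = max_pin_strength()
    return min_strength > best, best


if __name__ == "__main__":
    for pw in ("1357", "1234", "1111", "aaaaaaaa", "Correct-Horse-7"):
        print(f"{pw!r:18} score={strength_score(pw)}")
    conflict, best = pin_policy_conflict(50)
    print(f"minimum 50 vs best PIN {best}: conflict={conflict}")
```

The same enumeration idea applies to any requirement whose password space is small enough to walk; for the alphanumeric requirements the space is far too large, so there a sensible minimum is chosen by scoring representative compliant passwords instead.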

Other Password Restrictions

Caution

If you select these additional restrictions, be sure to create a custom requirements description to make customers aware of your password policies. Otherwise, they may be confused when creating new passwords.

You can set properties of the authentication group to place the following restrictions on passwords:

  • Password re-use - prevent users from re-using recent passwords by setting the Reuse Limit. For example, if this is set to 3, a user may not re-use any of their previous three passwords as their new password.
  • Personal details - prevent users from using personal details such as their name as a password by setting the Party Details Check.

    The fields checked are:

    • Username
    • Surname
    • Given name
    • Preferred name
    • Address
    • Pager phone number (such as mobile number)
    • Phone number
    • Customer number
    • User number

    If this option is selected, passwords may not contain any words of more than one character from these fields. (Note that a 'word' in this context is a group of characters separated by punctuation or white space and is not case sensitive.)

    For example:

    If your name was "Joe B Bloggs", you could not use "JOE" or "bloggs" in your password.

    If your phone number was "12-345-6789" you could not use 12, 234 or 6789.
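The following added example implements the two restrictions described above as this page defines them: a reuse check against a salted-hash history limited to the last N passwords, and the party-details check that splits each field into words on punctuation or white space, ignores single-character words and compares case-insensitively. It is not Rubicon's code; the field names, the PBKDF2 storage format and the sample party details are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 100_000  # assumption for this example


def detail_words(value: str) -> set:
    """Split a field into 'words' on punctuation or white space, keeping only
    words of more than one character, lower-cased (the check is case-insensitive)."""
    return {w.lower() for w in re.split(r"[\W_]+", value) if len(w) > 1}


def personal_details_in(password: str, details: dict) -> list:
    """Return the personal-detail words that appear anywhere inside the password."""
    words = set().union(*(detail_words(v) for v in details.values()))
    pw = password.lower()
    return sorted(w for w in words if w in pw)


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 digest, the form kept in the reuse history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused_recently(new_password: str, history: list, reuse_limit: int) -> bool:
    """True if new_password equals any of the last `reuse_limit` passwords.

    history holds (salt, digest) pairs, oldest first; each entry is re-derived
    with its own salt, so no plaintext history is ever stored.
    """
    if reuse_limit <= 0:          # history[-0:] would be the whole list
        return False
    for salt, digest in history[-reuse_limit:]:
        _, candidate = hash_password(new_password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


# Constructed sample data for this example (not real people or numbers).
PARTY_DETAILS = {
    "username": "jbloggs",
    "surname": "Bloggs",
    "given name": "Joe",
    "preferred name": "Joe B",
    "phone number": "12-345-6789",
}
SAMPLE_HISTORY = [hash_password(p) for p in ("one1", "two2", "three3", "four4")]

if __name__ == "__main__":
    print(personal_details_in("myJOE99x", PARTY_DETAILS))     # ['joe']
    print(personal_details_in("abc345xyz", PARTY_DETAILS))    # ['345']
    print(personal_details_in("B-sharp#7", PARTY_DETAILS))    # [] (single-character 'B' is not checked)
    print(reused_recently("four4", SAMPLE_HISTORY, 3))        # True
    print(reused_recently("one1", SAMPLE_HISTORY, 3))         # False: outside the last three
```

With a Reuse Limit of 3, the oldest of four stored passwords is accepted again, matching the page's description; raising the limit to 4 rejects it.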

See Configuring Authentication Group Settings for a list of configuration options.