Password Strength and Generator Policies in Detail

This week’s blog builds on last week’s entry: https://blog.clickstudios.com.au/bad-passwords-pwned-accounts-and-prevention/.

Now that you’ve decided to block the use of Bad Passwords in your organization, using the Bad Passwords feature in Passwordstate, you can take the next step and set up Password Strength Policies and ensure your randomly generated passwords, using Password Generator Policies, match these.

What are Password Strength and Password Generator Policies?

Aren’t they the same thing and we’re just using two different terms to confuse you?  No… they are similar sounding but have distinct purposes.

A Password Strength Policy represents the rules for determining the strength of a password.  This is where you would effectively copy or represent the attributes that your organization’s password rules use.  It enables you to specify the mixture of alphanumeric characters, case, special characters and length a password must conform to.  It provides an indication of the strength of a password, works with the Password Generator Policy and is applied to one or more Password Lists.

A Password Generator Policy is similar in that you specify the mixture of alphanumeric characters, case etc. but not the specifics such as the required number of alphanumeric characters, case, special characters etc.  It is used to generate random passwords, in accordance with the specified strength policy.

Both Password Strength and Password Generator Policies are applied at the Password List level.  So… for any Password List, the password for a record will be generated using the Password Generator Policy, in accordance with the rules stipulated by the Password Strength Policy.

How do you set up a Password Strength Policy?

First navigate to Administration->Password Strength Policies and click Add beneath the grid.  Alternatively, if the policy already exists then click on the policy name you wish to edit.  In our example the Complex Passwords policy already exists so I’m going to edit it.  This brings up the Edit Password Strength Policy screen and I’ve selected the policy settings tab.  From here you can name, describe and provide the password attributes that your organization has stipulated must be used in a password.  These typically include the use of upper and lower case characters, numbers, special characters and length.

In the example below, Complex Passwords, we’ve stipulated that each password that is used must include 2 UpperCase, 2 LowerCase and 2 Numeric characters and the preferred length is 12.

In addition, we’ve specified the Password Strength Compliance as needing to be Excellent and that Compliance is Mandatory.

With Excellent you must meet the rules for the mixture of alphanumeric characters, case, special characters and length as stated in the policy.  You can elect to use other strength compliance modes in the drop-down list if desired.  If Compliance is set to Mandatory then a new password cannot be saved unless it meets the strength compliance category that has been selected.

On the test password strength tab you can test the policy settings you have stipulated by typing in a password, and it’ll give you feedback on where you’re falling short compared to the rules you’ve set up.

How do you set up a Password Generator Policy?

Navigate to Administration->Password Generator Policies and click Add beneath the grid.  Again, if the policy already exists then click on the policy name you wish to edit.  In our example the Custom Strong Click Studios Generator policy already exists so again I’m going to edit it.  This brings up the Edit Password Generator Policy screen and I’ve selected the alphanumerics & special characters tab.  From here you can specify the minimum and maximum length of the passwords, select the alphanumerics attributes that your organization uses, include specific special characters and decide if you wish to use a specific pattern for your passwords.

In the example below, we’ve stipulated that each password that is generated will be between 10 and 20 characters and includes UpperCase, LowerCase, Numbers and special characters.

You’ll note that while the alphanumerics section states what type of characters to include there is no minimum setting for any of these.  The minimum number of each attribute is taken from the Complex Passwords Strength Policy that I’ve created.
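To make the relationship between the two policies concrete, here is an added example (not Passwordstate code, and not from Click Studios) that models the Complex Passwords strength policy and the generator policy from this post: the checker reports which rules a password falls short of, and the generator takes its character classes and length range from the generator policy but its per-class minimums from the strength policy. The special-character set, and the choice to narrow the length range so the strength policy’s preferred length is met, are assumptions of this example.

```python
import secrets
import string
from dataclasses import dataclass

@dataclass
class StrengthPolicy:
    """Minimum counts, mirroring the post's 'Complex Passwords' policy."""
    min_upper: int = 2
    min_lower: int = 2
    min_numeric: int = 2
    min_special: int = 0
    preferred_length: int = 12

@dataclass
class GeneratorPolicy:
    """Character classes and length range of the post's generator policy."""
    min_length: int = 10
    max_length: int = 20
    upper: bool = True
    lower: bool = True
    numeric: bool = True
    special: str = "!@#$%^&*"  # assumed special-character set (not from the post)

def check_strength(pw: str, sp: StrengthPolicy) -> list:
    """Return the rules pw falls short of; an empty list means Excellent."""
    counts = {"upper": sum(map(str.isupper, pw)), "lower": sum(map(str.islower, pw)),
              "numeric": sum(map(str.isdigit, pw)), "special": sum(not c.isalnum() for c in pw)}
    minimums = {"upper": sp.min_upper, "lower": sp.min_lower, "numeric": sp.min_numeric, "special": sp.min_special}
    shortfalls = [f"need {minimums[k]} {k}, have {counts[k]}" for k in minimums if counts[k] < minimums[k]]
    if len(pw) < sp.preferred_length:
        shortfalls.append(f"need length {sp.preferred_length}, have {len(pw)}")
    return shortfalls

def generate(gp: GeneratorPolicy, sp: StrengthPolicy) -> str:
    """Generate a password from gp's classes and length range using sp's minimum counts."""
    classes = [(cs, n) for on, cs, n in (
        (gp.upper, string.ascii_uppercase, sp.min_upper),
        (gp.lower, string.ascii_lowercase, sp.min_lower),
        (gp.numeric, string.digits, sp.min_numeric),
        (bool(gp.special), gp.special, sp.min_special)) if on]
    # Assumed: narrow the range so the strength policy's preferred length is met (Mandatory compliance).
    low, high = max(gp.min_length, sp.preferred_length), gp.max_length
    if low > high or sum(n for _, n in classes) > high:
        raise ValueError("strength policy minimums cannot fit the generator length range")
    length = low + secrets.randbelow(high - low + 1)
    chars = [secrets.choice(cs) for cs, n in classes for _ in range(n)]  # seed the required minimums
    chars += [secrets.choice("".join(cs for cs, _ in classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the required characters are not clustered at the front
    return "".join(chars)
```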

On the word phrases tab you can optionally include word phrases as part of the generated password, and you can also generate passwords in bulk on the generate passwords tab.

Can you access both via an API?

Yes, you can access Password Generator and Password Strength Policies via both the Standard and Windows Integrated API.  Simply navigate through to Help->Web API Documentation and select the Standard API Documentation or Windows Integrated API Documentation buttons for more details.

We hope this helps to explain the differences between the Generator and Strength Policies and how you use them.  As always, we welcome your feedback via support@clickstudios.com.au.