7.4 Creating Strong Password Policies

Password policy objects are publicly readable, to allow applications to check whether passwords are compliant. This means that an unauthenticated user could query an Identity Vault and find out what password policies you have in place. If your password policies require users to create strong passwords, this should not pose a risk, as noted in “Create Strong Password Policies” in the Password Management Administration Guide.

Identity Manager Password Synchronization lets you simplify user passwords and reduce help desk costs. Bidirectional password synchronization lets you share passwords among eDirectory and connected systems in multiple ways, as described in the scenarios in Section 5.8, Implementing Password Synchronization.

Using Universal Password and password policies allows you to enforce strong password requirements for your users. Use the Advanced Password Rules in password policies to follow industry best practices for passwords.

For example, you can require user passwords to comply with rules such as the following:

Keep in mind that you can create multiple password policies if you have different password requirements in different parts of the tree. You can assign a password policy to the whole tree, a partition root container, container, or even an individual user. (To simplify administration, we recommend you assign password policies as high up in the tree as possible.)
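The two ideas above, that a user's policy comes from the nearest assignment in the tree and that an application can test a password against the policy's rules, as an added Python illustration. This is example code, not part of Identity Manager or eDirectory: the rule names, the policy data model, the sample DNs and the "most specific assignment wins" resolution are assumptions made for the example.

```python
"""Added illustration: resolve the password policy that applies to a user and
check a candidate password against its rules.  Not Novell's code; the rule
names, data model and precedence order below are assumptions."""
import re

# Constructed sample assignments: one policy per DN at tree, container and
# user level.  Assumption: the most specific assignment wins.
ASSIGNMENTS = {
    "o=acme": {"min_length": 8, "min_upper": 1, "min_digit": 1, "min_special": 0},
    "ou=finance,o=acme": {"min_length": 12, "min_upper": 1, "min_digit": 1, "min_special": 1},
    "cn=bob,ou=finance,o=acme": {"min_length": 14, "min_upper": 1, "min_digit": 2, "min_special": 1},
}


def effective_policy(user_dn, assignments=ASSIGNMENTS):
    """Walk from the user DN up to the tree root and return (assigned_dn, policy)
    for the first assignment found, or (None, None) if no policy applies."""
    parts = [p.strip() for p in user_dn.split(",")]
    for i in range(len(parts)):
        candidate = ",".join(parts[i:])
        if candidate in assignments:
            return candidate, assignments[candidate]
    return None, None


def check_password(password, policy, username=None):
    """Return the list of violated rule names; an empty list means compliant."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append("min_length")
    if sum(c.isupper() for c in password) < policy["min_upper"]:
        violations.append("min_upper")
    if sum(c.isdigit() for c in password) < policy["min_digit"]:
        violations.append("min_digit")
    # Any character that is not a letter or digit counts as "special" here.
    if len(re.findall(r"[^A-Za-z0-9]", password)) < policy["min_special"]:
        violations.append("min_special")
    if username and username.lower() in password.lower():
        violations.append("contains_username")
    return violations


if __name__ == "__main__":
    dn = "cn=carol,ou=finance,o=acme"
    assigned, policy = effective_policy(dn)
    print(dn, "gets policy from", assigned)
    print("violations:", check_password("Summer2024", policy, username="carol"))
```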

In addition, you can use intruder lockout. This eDirectory feature lets you specify how many failed login attempts are allowed before an account is locked. It is a setting on the parent container, not in the password policy. See “Managing User Accounts” in the Novell eDirectory 8.7.3 Administration Guide.