Password policy objects are publicly readable, to allow applications to check whether passwords are compliant. This means that an unauthenticated user could query an Identity Vault and find out what password policies you have in place. If your password policies require users to create strong passwords, this should not pose a risk, as noted in “Create Strong Password Policies” in the Password Management Administration Guide.
Identity Manager Password Synchronization lets you simplify user passwords and reduce help desk costs. Bidirectional password synchronization lets you share passwords among eDirectory and connected systems in multiple ways, as described in the scenarios in Section 5.8, Implementing Password Synchronization.
Using Universal Password and password policies allows you to enforce strong password requirements for your users. Use the Advanced Password Rules in password policies to follow industry best practices for passwords.
For example, you can require user passwords to comply with rules such as the following:
Requiring unique passwords.
You can prevent users from reusing passwords, and control the number of passwords the system should store in the history list for comparison.
Requiring a minimum number of characters in password.
Requiring longer passwords is one of the best ways to make passwords stronger.
Requiring a minimum number of numerals in password.
Requiring at least one numeric character in a password helps protect against “dictionary attacks,” in which intruders try to log in using words in the dictionary.
Excluding passwords of your choice.
You can exclude words that you consider to be security risks, such as the company name or location, or the words test or admin. Although the exclusion list is not meant to import an entire dictionary, the list of words you exclude can be quite long. Just keep in mind that a long list of exclusions makes login slower for your users. A better protection from dictionary attacks is probably to require numerals or special characters.
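As an added illustration of the rules listed above (not Identity Manager's or eDirectory's own implementation, which evaluates these rules inside the directory), the following Python checker enforces a minimum length, a minimum number of numerals, an exclusion list, and a history list of previous passwords. The class name, field names and the PBKDF2 work factor are assumptions made for this example; the exclusion list is normalised once so that each check is a single set lookup rather than a scan, which is what keeps a long list from slowing login.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Work factor kept deliberately low so the example runs quickly;
# a production history store would use a much higher iteration count.
_PBKDF2_ROUNDS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 digest, used here only for history comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ROUNDS)


@dataclass
class PasswordPolicy:
    """Subset of Advanced Password Rules modelled for this example (names assumed)."""
    min_length: int = 8             # minimum number of characters in the password
    min_numerals: int = 1           # minimum number of numeric characters
    history_size: int = 5           # how many previous passwords to keep for comparison
    excluded_words: frozenset = frozenset()   # passwords of your choice to exclude

    def __post_init__(self) -> None:
        # Lower-case the exclusion list once; each check is then an O(1) set lookup,
        # so a long exclusion list costs almost nothing at login time.
        self.excluded_words = frozenset(w.lower() for w in self.excluded_words)

    def check(self, password: str, history=()) -> list[str]:
        """Return the list of violated rules; an empty list means the password complies."""
        violations = []
        if len(password) < self.min_length:
            violations.append(f"fewer than {self.min_length} characters")
        if sum(ch.isdigit() for ch in password) < self.min_numerals:
            violations.append(f"fewer than {self.min_numerals} numeral(s)")
        if password.lower() in self.excluded_words:
            violations.append("password is on the exclusion list")
        # History holds (salt, digest) pairs, never plaintext; compare in constant time.
        if any(hmac.compare_digest(hash_password(password, salt), digest)
               for salt, digest in history):
            violations.append("password was used recently")
        return violations

    def remember(self, history, password: str) -> list:
        """Record an accepted password in the history and trim it to history_size."""
        salt = os.urandom(16)
        updated = list(history) + [(salt, hash_password(password, salt))]
        return updated[-self.history_size:]


if __name__ == "__main__":
    # Constructed sample policy and passwords for demonstration.
    policy = PasswordPolicy(min_length=10, min_numerals=1, history_size=2,
                            excluded_words={"Acme", "admin", "test"})
    for candidate in ("short1", "longpassword", "Admin", "Correct horse 42"):
        print(f"{candidate!r}: {policy.check(candidate) or 'compliant'}")
```

The history is kept as salted digests so that a compromised history store does not leak old passwords; the cost is one PBKDF2 computation per stored entry at check time, which is why the history size should stay small.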
Keep in mind that you can create multiple password policies if you have different password requirements in different parts of the tree. You can assign a password policy to the whole tree, a partition root container, container, or even an individual user. (To simplify administration, we recommend you assign password policies as high up in the tree as possible.)
In addition, you can use intruder lockout. This eDirectory feature lets you specify how many failed login attempts are allowed before an account is locked. This is a setting on the parent container instead of in the password policy. See “Managing User Accounts” in the Novell eDirectory 8.7.3 Administration Guide.
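To show how container-level intruder lockout interacts with a login check, here is an added Python model that is not eDirectory's own code. The allowed-attempt count comes from the text above; the attempt-reset window, the lockout duration, the class and method names, and the constructed credential table are assumptions made for this example. The point it illustrates is that the lock is checked before the password is verified, so a locked account fails in the same way whether or not the supplied password is right.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class IntruderLockout:
    """Lockout settings as they would apply to every account in one container (names assumed)."""
    attempts_allowed: int = 3            # failed logins permitted before the account locks
    attempt_reset_secs: float = 300.0    # failure counter forgotten after this gap (assumption)
    lockout_secs: float = 900.0          # how long the account stays locked (assumption)
    _failures: dict = field(default_factory=dict)      # account -> (count, time of first failure)
    _locked_until: dict = field(default_factory=dict)  # account -> time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        """True while the account's lock is in force; expired locks are cleared."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Count a failed login; return True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        count, first = self._failures.get(account, (0, now))
        if now - first > self.attempt_reset_secs:
            count, first = 0, now          # old failures no longer count
        count += 1
        self._failures[account] = (count, first)
        if count >= self.attempts_allowed:
            self._locked_until[account] = now + self.lockout_secs
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login clears the failure counter."""
        self._failures.pop(account, None)


def attempt_login(lockout: IntruderLockout, credentials: dict, account: str,
                  password: str, now: float) -> str:
    """Return 'ok', 'bad-password' or 'locked'; the lock is checked before any verification."""
    if lockout.is_locked(account, now):
        return "locked"
    if credentials.get(account) == password:
        lockout.record_success(account)
        return "ok"
    lockout.record_failure(account, now)
    # Report 'locked' only once the failure that tripped the limit has been counted.
    return "locked" if lockout.is_locked(account, now) else "bad-password"


if __name__ == "__main__":
    # Constructed sample data; plaintext comparison stands in for a real credential check.
    creds = {"alice": "Correct horse 42"}
    lo = IntruderLockout(attempts_allowed=3, attempt_reset_secs=60, lockout_secs=600)
    for t, pw in ((0, "wrong"), (5, "wrong"), (10, "wrong"), (15, "Correct horse 42")):
        print(t, attempt_login(lo, creds, "alice", pw, t))
```

Because the setting lives on the container, one IntruderLockout instance would be shared by all accounts under that container, which is why the counters are keyed by account name.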