
Setting Advanced Criteria

In addition to the restrictions under Password Policy Rules, you can set advanced criteria.

  1. From the list of platforms on the Login Details screen, select the password policy script (platform) that you want to edit, then click Modify.

    You can also double-click the platform.

  2. Enter the commands into the password policy script.

    Advanced commands and their descriptions:

    NODUPLICATECHARACTERS "caseinsensitive"

    Means that a character will not appear more than once in a password.

    NOREPEATINGCHARACTERS "caseinsensitive"

    Means that a character will not be the same as the preceding character.

    NOSEQUENTIALCHARACTERS "caseinsensitive"

    Means that a character will not be one character above or below the preceding character.

    POSITIONCHARACTER characterset positions

    Means that a character from the specified character set must exist in at least one of the specified positions. The characterset may be uppercase, lowercase, punctuation, or numeral. This parameter must have a character position listed by number. If multiple positions exist, they must be separated by commas.

    The following is an example of the POSITIONCHARACTER command:

    POSITIONCHARACTER NUMERAL 3,4,5

    This command ensures that a numeral exists in a password in at least one of positions 3, 4 or 5. The password b{0vf4 would pass this test because the numeral 0 exists in position 3.

    You can use multiple instances of this command in a password policy. To ensure that a password has a numeral in each of positions 3, 4 and 5, use the following three commands:

    POSITIONCHARACTER NUMERAL 3
    POSITIONCHARACTER NUMERAL 4
    POSITIONCHARACTER NUMERAL 5

    You must add these four advanced commands manually by editing the script. When you do so, you will also see the other commands, which can be edited from the normal password policy screen. It is recommended that you edit those other values using the normal edit screen.


Using a Password Policy Script

You can restrict a variable to a particular password policy script.

  1. Select the script that contains the variable you want to restrict.

  2. Add the following line at the top of the script:

    RESTRICTVARIABLE variable_name password_policy

To restrict multiple variables, add multiple RestrictVariable commands.

The variable_name parameter can be a normal variable (for example, $Password) or a runtime variable (for example, ?temp). This flexibility can be useful if you change a password by using a runtime variable and then set a normal variable to the value of the runtime variable.

Adding the RestrictVariable command is all you need to do to ensure that a variable will comply with the policy. The value entered will be rejected if it does not comply with the policy set for that variable, regardless of whether the variable is being added or changed through SecureLogin or through a script that is running.

If the value being changed by a user is not accepted, a message informs the user as to why the value wasn't permitted. If the value is being set through the ChangePassword command being run in automatic (random) mode, the value generated will comply with the policy.

In some cases, a policy may be created where no acceptable values exist. When this occurs, an error will be displayed when the ChangePassword command tries to generate a password.
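
A policy can be checked for this condition before it is deployed. The following lint is an added example, not SecureLogin code: it flags contradictions that follow directly from the rule descriptions on this page, it is not exhaustive, and the function name and the sample policy are constructed for illustration.

```python
def contradictions(policy):
    """Return reasons no password can satisfy the policy (not exhaustive)."""
    limits, positions, begin_upper = {}, [], False
    for line in filter(None, map(str.strip, policy.splitlines())):
        cmd, *args = line.upper().split()
        if cmd[:3] in ("MAX", "MIN") and args and args[0].isdigit():
            limits[cmd] = int(args[0])
        elif cmd == "POSITIONCHARACTER":
            spots = [int(p) for p in "".join(args[1:]).split(",")]
            positions.append((args[0], spots))
        elif cmd == "BEGINWITHUPPERCASE":
            begin_upper = True
    max_len = limits.get("MAXPASSWORDLENGTH", float("inf"))
    kinds = ("PUNCTUATION", "UPPERCASE", "LOWERCASE", "NUMERALS")
    found = []
    # A minimum above its own maximum can never be met.
    for kind in ("PASSWORDLENGTH",) + kinds:
        lo, hi = limits.get("MIN" + kind, 0), limits.get("MAX" + kind, float("inf"))
        if lo > hi:
            found.append(f"MIN{kind} {lo} exceeds MAX{kind} {hi}")
    # The per-class minimums together must fit in the longest allowed password.
    need = sum(limits.get("MIN" + k, 0) for k in kinds)
    if need > max_len:
        found.append(f"class minimums need {need} characters, "
                     f"MAXPASSWORDLENGTH is {max_len}")
    if begin_upper and limits.get("MAXUPPERCASE", 1) == 0:
        found.append("BEGINWITHUPPERCASE but MAXUPPERCASE is 0")
    for cls, spots in positions:
        # POSITIONCHARACTER NUMERAL is capped by MAXNUMERALS (plural).
        cap = limits.get("MAX" + cls, limits.get("MAX" + cls + "S", 1))
        if cap == 0:
            found.append(f"POSITIONCHARACTER {cls} but no {cls} is allowed")
        if min(spots) > max_len:
            found.append(f"POSITIONCHARACTER {cls} positions lie beyond "
                         f"MAXPASSWORDLENGTH {max_len}")
    return found

# Constructed sample policy with three contradictions.
BAD_POLICY = """MAXPASSWORDLENGTH 6
MINPASSWORDLENGTH 6
MAXNUMERALS 0
MINUPPERCASE 4
MINLOWERCASE 4
POSITIONCHARACTER NUMERAL 7,8"""

if __name__ == "__main__":
    print("\n".join(contradictions(BAD_POLICY)))
```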

For more information on the RestrictVariable command, see the Script Reference Guide.

Values will not be forced to comply with password policies if you use the SecureLogin SET command to set them.


Example Password Policy Scripts


Example 1

MAXPASSWORDLENGTH 8
MINPASSWORDLENGTH 8
MAXPUNCTUATION 0
MINPUNCTUATION 0
MAXUPPERCASE 8
MINUPPERCASE 0
MAXLOWERCASE 8
MINLOWERCASE 0
MAXNUMERALS 8
MINNUMERALS 0

This password policy indicates that the password must be exactly 8 characters long and contain no punctuation characters.

The password asdf4jB8 is acceptable.

The password aasdf5$n is unacceptable because it contains a punctuation character.


Example 2

MAXPASSWORDLENGTH 16
MINPASSWORDLENGTH 6
MAXPUNCTUATION 8
MINPUNCTUATION 0
MAXUPPERCASE 16
MINUPPERCASE 1
MAXLOWERCASE 16
MINLOWERCASE 0
MAXNUMERALS 16
MINNUMERALS 0
BEGINWITHUPPERCASE
DISALLOWEDCHARACTERS @&

This password policy indicates that the password must be between 6 and 16 characters long. It must contain at least one uppercase character. It can contain no more than 8 punctuation characters. It must begin with an uppercase character, and it may not contain either the @ character or the & character.

The password R48iv"? is acceptable.

The password R48?- is unacceptable because it is less than 6 characters long.


Example 3

MAXPASSWORDLENGTH 12
MINPASSWORDLENGTH 6
MAXPUNCTUATION 8
MINPUNCTUATION 0
MAXUPPERCASE 8
MINUPPERCASE 0
MAXLOWERCASE 8
MINLOWERCASE 0
MAXNUMERALS 8
MINNUMERALS 0
NODUPLICATECHARACTERS CASEINSENSITIVE
POSITIONCHARACTER NUMERAL 3,4,5

This password policy indicates that the password must be between 6 and 12 characters long. It can contain no more than 8 of any character type (uppercase, lowercase, numeral, or punctuation). No character may appear more than once in the password, regardless of case. A numeral must appear in at least one of positions 3, 4, or 5.

The password f54v9)_Q is acceptable.

The password f5v)_QF7 is unacceptable because it has no numeral in positions 3, 4 or 5, and the letter F occurs in positions 1 and 7.
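
The rules used in the three example policies, together with the advanced commands described earlier, can be modelled offline to test a candidate password and see which policy lines it breaks. This is an added example, not SecureLogin code; the ASCII character classes and the reading of "one character above or below" as adjacent code points are assumptions, and the function name is illustrative.

```python
import string

# Assumption: ASCII character classes; the page does not define them.
CLASSES = {"UPPERCASE": string.ascii_uppercase, "LOWERCASE": string.ascii_lowercase,
           "NUMERAL": string.digits, "NUMERALS": string.digits,
           "PUNCTUATION": string.punctuation}

def violations(policy, pw):
    """Return the policy lines that the candidate password pw breaks."""
    broken = []
    for line in filter(None, map(str.strip, policy.splitlines())):
        cmd, *args = line.split()
        cmd = cmd.upper()
        # With the optional CASEINSENSITIVE argument, compare a lower-cased copy.
        fold = [a.strip('"').upper() for a in args] == ["CASEINSENSITIVE"]
        s = pw.lower() if fold else pw
        if cmd[:3] in ("MAX", "MIN") and cmd[3:] in {*CLASSES, "PASSWORDLENGTH"}:
            n = (len(pw) if cmd[3:] == "PASSWORDLENGTH"
                 else sum(c in CLASSES[cmd[3:]] for c in pw))
            ok = n <= int(args[0]) if cmd[:3] == "MAX" else n >= int(args[0])
        elif cmd == "BEGINWITHUPPERCASE":
            ok = bool(pw) and pw[0] in CLASSES["UPPERCASE"]
        elif cmd == "DISALLOWEDCHARACTERS":
            ok = not any(c in args[0] for c in pw)
        elif cmd == "NODUPLICATECHARACTERS":
            ok = len(set(s)) == len(s)
        elif cmd == "NOREPEATINGCHARACTERS":
            ok = all(a != b for a, b in zip(s, s[1:]))
        elif cmd == "NOSEQUENTIALCHARACTERS":
            # Assumption: "one character above or below" means adjacent code points.
            ok = all(abs(ord(a) - ord(b)) != 1 for a, b in zip(s, s[1:]))
        elif cmd == "POSITIONCHARACTER":
            # Positions are 1-based, as in the page's b{0vf4 example.
            spots = [int(p) for p in "".join(args[1:]).split(",")]
            ok = any(p <= len(pw) and pw[p - 1] in CLASSES[args[0].upper()]
                     for p in spots)
        else:
            raise ValueError(f"unsupported policy command: {line}")
        if not ok:
            broken.append(line)
    return broken

# The two advanced lines of the page's Example 3, checked against its passwords.
ADVANCED = "NODUPLICATECHARACTERS CASEINSENSITIVE\nPOSITIONCHARACTER NUMERAL 3,4,5"

if __name__ == "__main__":
    for candidate in ("f54v9)_Q", "f5v)_QF7", "b{0vf4"):
        print(candidate, violations(ADVANCED, candidate) or "accepted")
```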


