Password expiry date (Password View Policy and Password Combination Policy)


Article ID: 140483


Products

CA Privileged Access Manager (PAM)

CA Privileged Access Manager - Cloakware Password Authority (PA)

PAM SAFENET LUNA HSM

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

One of the main features of PAM is password management.

There are two types of password policies: Password View Policy (PVP) and Password Combination Policy (PCP).

PVP is applied directly on the target account.

It triggers a password change 'n' minutes after the password has been viewed.

Is there a possibility to use both?

 

Cause

Many organizations using PAM configure a PVP, so that once a password has been viewed, it is changed and cannot be reused.

However, what happens when a password is seldom viewed? Leaving the password unchanged is considered less secure, so the password must also be changed periodically.

How do we configure this?

Environment

Release : 3.1.1 and up

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

The PVP is applied directly on the target account itself.

The PCP is configured to align password generation with the requirements of the target device, so that a newly created password does not break those requirements.

The PCP also has a 'Maximum password age days' field. This option defines the expiry date of the password.

If the password was not changed in that period of time, it will be changed automatically.

If a password was changed by the PVP policy, the count resets.

To see the number of days left until a new password is created, click the target account and then the password tab.
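
The interplay of the two policies can be modelled as a timeline. The following is an added illustration, not PAM's own code: the function names and sample dates are constructed, and it assumes the PVP timer starts at the first view of the current password.

```python
from datetime import datetime, timedelta

def rotation_timeline(last_change, views, pvp_minutes, max_age_days, until):
    """Model of the rules above: list (when, reason) password changes up to `until`."""
    if pvp_minutes < 1 or max_age_days < 1:
        raise ValueError("intervals must be positive")
    delay, max_age = timedelta(minutes=pvp_minutes), timedelta(days=max_age_days)
    pending, current, events = sorted(views), last_change, []
    while True:
        expiry = current + max_age            # PCP 'Maximum password age days'
        view = next((v for v in pending if v >= current), None)
        pvp_due = view + delay if view is not None else None
        if pvp_due is not None and pvp_due <= expiry:
            when, reason = pvp_due, "PVP"     # changed 'n' minutes after the view
        else:
            when, reason = expiry, "PCP max age"
        if when > until:
            return events
        events.append((when, reason))
        # Views of the old password are irrelevant once it has been changed;
        # every change, whatever its cause, restarts the age count.
        pending = [v for v in pending if v >= when]
        current = when

def days_left(last_change, max_age_days, now):
    """Whole days remaining before the max-age change is due (model only)."""
    return max_age_days - (now - last_change).days

# Constructed sample: one view in ten weeks, PVP of 30 minutes, max age 30 days.
SAMPLE = rotation_timeline(
    last_change=datetime(2024, 1, 1),
    views=[datetime(2024, 1, 10, 9, 0)],
    pvp_minutes=30,
    max_age_days=30,
    until=datetime(2024, 3, 15),
)

if __name__ == "__main__":
    for when, reason in SAMPLE:
        print(when.isoformat(sep=" "), reason)
```

In the sample, the single view moves the first max-age change from 31 January to 9 February, because the PVP change on 10 January restarts the count; after that the seldom-viewed account is still changed every 30 days.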