Default Password composition policy in PAM

book

Article ID: 214302

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

If we don't specify the password composition policy and keep it to none. What will be the default password policy that PAM will use? Since the default Password Composition Policy in the PAM admin console is not displayed where can this policy be found or if there is some documentation as to how PAM is rotating the credentials with its composition by setting it to default/none.

Especially why do the generated passwords (Either using Scheduled Job or when a new credential generated using PAM) take into account the MAX password length and not with the MIN and MAX password length?

Cause

In the PCP the password length just imposes a framework within which you can create or use passwords. Meaning, you can specify yourself a password for changing, this password can be in the range of MIN and MAX password length specified in the Password Composition Policy (PCP). That is if you want to put in a password it can be between 7 and 16 chars, for instance, but if you ask PAM to do it for you, it will always go for the most secure situation, that is, it will use the maximum number of characters allowed in the PCP since that is the most secure choice

Environment

Release: 3.3.x, 3.4.x, and higher releases

Component: PRIVILEGED ACCESS MANAGEMENT

Resolution

The default Password Composition Policy (PCP), will be visible only when a new PCP is created, the default values/default PCP appears. A screenshot of the same is below for reference.


If a new password is to be deployed that is in the range of MIN and MAX password length, then the password needs to be manually keyed for the target accoount.

NOTE: The MIN password lenght defined in the native OS will be considered for the minimum password length value since a password of a length lesser than the native OS minimum password length will be rejected by the native OS.

Attachments

1620191205172__PCP.JPG get_app