Default Password composition policy in PAM


Article ID: 214302



CA Privileged Access Manager (PAM)


If we don't specify a password composition policy and leave it set to none, what default password policy will PAM use? The default Password Composition Policy is not displayed in the PAM admin console, so where can this policy be found, or is there documentation on how PAM composes passwords when rotating credentials with the policy set to default/none?

In particular, why do generated passwords (whether from a Scheduled Job or when a new credential is generated using PAM) take into account only the MAX password length rather than the range between the MIN and MAX password length?


Release: 3.3.x, 3.4.x, and higher releases



In the PCP, the password length settings only define the bounds within which passwords can be created or used. If you specify a password yourself when changing it, that password can be any length between the MIN and MAX password length specified in the Password Composition Policy (PCP), for instance between 7 and 16 characters. If you ask PAM to generate the password for you, it always goes for the most secure option: it uses the maximum number of characters allowed in the PCP.


The default Password Composition Policy (PCP) is visible only when a new PCP is created; at that point the default values/default PCP appear. A screenshot is included below for reference.

If a new password with a length between the MIN and MAX password length is to be deployed, the password needs to be keyed in manually for the target account.

NOTE: The MIN password length defined in the native OS will be considered for the minimum password length value, since a password shorter than the native OS minimum password length will be rejected by the native OS.


[Screenshot: 1620191205172__PCP.JPG]