Policy Server dictionary password policy in Authentication process
search cancel

Policy Server dictionary password policy in Authentication process


Article ID: 218019


Updated On:





When running a Policy Server, having a Password Policy with a specific
dictionary, then when user logs in with a password matching the
dictionary, the user authentication gets accepted. The Policy Server
doesn't check the dictionary file and one might want to know if this
behavior is expected.




Policy Server all versions




As per design, the Policy Server doesn't check the password
composition when authenticating. One reason is that in order for a
user to change its password, you need the user to be able to login
with its current password. If you block the usage of the current
password because it matches the dictionary password, then only the
Administrator will be able to change the User password.

More, as per documentation, Policy Server evaluates the status of the
password at login, not the composition of it (1).

The dictionary is used when password changes (2).


Additional Information



    Password Policies

      SiteMinder invokes a password policy when a user attempts to access a
      protected resource and evaluates the credentials of the user. If the
      policy determines that the password is expired, SiteMinder can:

 Disable the user account to prevent unauthorized access. If disabled, a SiteMinder administrator must re–activate the account.
 Force the user to change the password.



    How to Configure Password Policies

      (Optional) Configure Password Restrictions

 Optionally, configure password restrictions to place restrictions on
 password usage. Restrictions include:

 How long a user must wait before reusing a password
 How different the password must be from ones that were previously used

      You can also prevent users from specifying words that you determine
      are a security risk or contain personal information.