When running a Policy Server with a Password Policy that references a
dictionary file, a user who logs in with a password matching an entry in
that dictionary is still authenticated. The Policy Server does not
consult the dictionary file at login, and one might want to know whether
this behavior is expected.
Policy Server all versions
By design, the Policy Server does not check password composition when
authenticating. One reason is that, for a user to change their password,
the user must first be able to log in with the current password. If the
current password were rejected at login because it matches an entry in
the dictionary, only an Administrator would be able to change the user's
password.
Further, as stated in the documentation, the Policy Server evaluates the
status of the password at login, not its composition (1).
The dictionary is applied when the password is changed (2).
SiteMinder invokes a password policy when a user attempts to access a
protected resource and evaluates the credentials of the user. If the
policy determines that the password is expired, SiteMinder can:
Disable the user account to prevent unauthorized access. If disabled, a SiteMinder administrator must re-activate the account.
Force the user to change the password.
How to Configure Password Policies
(Optional) Configure Password Restrictions
Optionally, configure password restrictions to place restrictions on
password usage. Restrictions include:
How long a user must wait before reusing a password
How different the password must be from ones that were previously used
You can also prevent users from specifying words that you determine
are a security risk or contain personal information.
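The following Python model is an added illustration of the separation described above; it is not Policy Server or SiteMinder code and is not taken from the quoted documentation. Login verifies the credential and evaluates only its status (disabled or expired), while a password change verifies the current password and only then applies the dictionary and the restrictions listed above (reuse wait, difference from the previous password, banned words and personal information). The dictionary contents, the user, the timestamps, the PBKDF2 storage and the simplified similarity metric are all assumptions made for the example.

```python
"""Toy model of login-time vs change-time password policy evaluation.
Added example, not Policy Server code; all data below is constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed dictionary (assumption): a real policy loads it from a file.
DICTIONARY = {"password", "welcome", "letmein", "qwerty"}

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Credential:
    salt: bytes
    digest: bytes
    set_at: datetime

    def matches(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, _hash(password, self.salt))

def make_credential(password: str, now: datetime) -> Credential:
    salt = os.urandom(16)
    return Credential(salt, _hash(password, salt), now)

@dataclass
class User:
    name: str
    current: Credential
    history: list = field(default_factory=list)  # retired Credentials
    disabled: bool = False

def _difference(a: str, b: str) -> int:
    """Simplified distance (assumption): differing positions plus length gap."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))

@dataclass
class PasswordPolicy:
    max_age: timedelta = timedelta(days=90)
    reuse_wait: timedelta = timedelta(days=365)
    min_difference: int = 3

    def authenticate(self, user: User, password: str, now: datetime) -> str:
        """Login: verify the credential and evaluate its status only.
        Composition (dictionary, restrictions) is deliberately not checked."""
        if user.disabled or not user.current.matches(password):
            return "rejected"
        if now - user.current.set_at > self.max_age:
            return "change_required"  # expired: let the user in to change it
        return "accepted"

    def change_password(self, user: User, old: str, new: str,
                        now: datetime) -> Optional[str]:
        """Change: returns None on success, else the violated restriction."""
        if user.disabled or not user.current.matches(old):
            return "current password not verified"
        lowered = new.lower()
        if any(word in lowered for word in DICTIONARY):
            return "contains dictionary word"
        if user.name.lower() in lowered:
            return "contains personal information"
        # Earlier passwords are stored hashed, so the difference can only be
        # measured against the current password, which the user supplies.
        if _difference(new, old) < self.min_difference:
            return "too similar to previous password"
        for cred in [user.current, *user.history]:
            if cred.matches(new) and now - cred.set_at < self.reuse_wait:
                return "reused too soon"
        user.history.append(user.current)
        user.current = make_credential(new, now)
        return None

def demo() -> dict:
    """Walk a constructed user through login and change attempts."""
    policy = PasswordPolicy()
    t0 = datetime(2024, 1, 1)
    day = timedelta(days=1)
    alice = User("alice", make_credential("Welcome1", t0))  # dictionary word
    r = {}
    r["login_with_dictionary_word"] = policy.authenticate(alice, "Welcome1", t0 + day)
    r["change_to_dictionary_word"] = policy.change_password(alice, "Welcome1", "Password9", t0 + day)
    r["change_to_near_duplicate"] = policy.change_password(alice, "Welcome1", "Welc0me1", t0 + day)
    r["change_with_username"] = policy.change_password(alice, "Welcome1", "alice2024!", t0 + day)
    r["change_to_strong"] = policy.change_password(alice, "Welcome1", "Tr0ub4dor&3", t0 + day)
    r["change_again"] = policy.change_password(alice, "Tr0ub4dor&3", "Correct-Horse-9", t0 + 2 * day)
    r["reuse_too_soon"] = policy.change_password(alice, "Correct-Horse-9", "Tr0ub4dor&3", t0 + 12 * day)
    r["login_old_password"] = policy.authenticate(alice, "Welcome1", t0 + 12 * day)
    r["login_new_password"] = policy.authenticate(alice, "Correct-Horse-9", t0 + 12 * day)
    r["login_after_expiry"] = policy.authenticate(alice, "Correct-Horse-9", t0 + 100 * day)
    return r

if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Running `demo()` shows the point of the article: the login with "Welcome1" is accepted even though the word is in the dictionary, and the dictionary, personal-information, similarity and reuse restrictions only take effect on the change path, which itself begins by verifying the current password. Moving the dictionary check into `authenticate` would reject that first login and leave the user unable to reach `change_password` at all.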