Policy Server dictionary password policy in Authentication process



Article ID: 218019


Updated On:

Products

SITEMINDER

Issue/Introduction


When a Policy Server is configured with a Password Policy that references a
dictionary file, a user who logs in with a current password that matches an
entry in that dictionary is still authenticated successfully. The Policy Server
does not consult the dictionary file at login, and one might want to know
whether this behavior is expected.


Environment


Policy Server all versions


Resolution


By design, the Policy Server does not check the composition of the password
when authenticating. One reason is that, in order for users to change their
password, they must first be able to log in with their current password. If
the current password were blocked at login because it matches an entry in the
dictionary, only an Administrator would be able to change that user's
password.

Furthermore, as the documentation states, the Policy Server evaluates the
status of the password at login (for example, whether it has expired), not its
composition (1).

The dictionary is applied when the password is changed (2).
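The following is an added illustration of the design described above, written as a small Python model rather than SiteMinder code: the login path evaluates only the password's status (disabled, wrong credential, expired), while the dictionary and reuse restrictions are enforced only on the change path, which itself requires a successful login with the current password. The dictionary words, user records and passwords are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the policy's dictionary file (banned words).
DICTIONARY = {"password", "welcome", "summer"}


@dataclass
class User:
    """Constructed user record. Passwords are kept in clear text only to keep
    the model short; a real store would hold a salted hash."""
    name: str
    password: str
    expired: bool = False
    disabled: bool = False
    history: list = field(default_factory=list)


def authenticate(user, password):
    """Login path: verify the credential and evaluate password *status* only.
    Composition (dictionary match, reuse) is deliberately not checked here."""
    if user.disabled:
        return "disabled"
    if password != user.password:
        return "rejected"
    if user.expired:
        return "must_change"  # login accepted, but a password change is forced
    return "accepted"


def composition_violations(user, new_password):
    """Restrictions that apply only when a new password is chosen."""
    problems = []
    if new_password.lower() in DICTIONARY:
        problems.append("dictionary")
    if new_password == user.password or new_password in user.history:
        problems.append("reuse")
    return problems


def change_password(user, current, new_password):
    """Change path: the user must log in with the current password first, which
    is why the dictionary cannot be enforced at login without locking users out."""
    status = authenticate(user, current)
    if status not in ("accepted", "must_change"):
        return status
    problems = composition_violations(user, new_password)
    if problems:
        return "rejected:" + ",".join(problems)
    user.history.append(user.password)
    user.password = new_password
    user.expired = False
    return "changed"
```

Running the model with a user whose current password is a dictionary word shows that the login still succeeds, so the user can reach the change flow, where the same word is rejected.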


Additional Information


(1)

    Password Policies

      SiteMinder invokes a password policy when a user attempts to access a
      protected resource and evaluates the credentials of the user. If the
      policy determines that the password is expired, SiteMinder can:

      Disable the user account to prevent unauthorized access. If disabled, a
      SiteMinder administrator must re-activate the account.
      Force the user to change the password.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/password-services-and-policies.html

(2)

    How to Configure Password Policies

      (Optional) Configure Password Restrictions

      Optionally, configure password restrictions to place restrictions on
      password usage. Restrictions include:

      How long a user must wait before reusing a password
      How different the password must be from ones that were previously used

      You can also prevent users from specifying words that you determine
      are a security risk or contain personal information.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/password-services-and-policies/how-to-configure-password-policies.html