Create a Password Blacklist for Siteminder Password Services

Article ID: 398082

Products

SITEMINDER

Issue/Introduction

Organizations frequently want to prohibit commonly used words from appearing in passwords, for example qwerty, password, Password, the company name, 123456 or abcdef. Siteminder Password Services already lets you restrict passwords in several ways:

Minimum Length
Specifies the minimum length for user passwords.

Maximum Length
Specifies the maximum length for user passwords.

Repeating Characters (Maximum)
Specifies the maximum number of repeating characters that can appear in a password. If set to "3", this prevents repeating patterns such as "1111" or "aaaa".

Minimum number of days before reuse
Specifies how many days a user must wait before reusing a password.

Minimum number of passwords before reuse
Specifies how many passwords must be used before a password can be reused.

Percent different from last password
Specifies the percentage of characters a new password must contain that differ from characters in the previous password.

Ignore sequence when checking for differences
Ignores the position of the characters in the password when determining the percentage.

Match Length
Specifies the minimum sequence length the password policy compares to attributes in the user’s directory entry.

Example: if this value is set to 4, the Policy Server checks that the password is not composed of four consecutive characters from the user's name or the last four digits of the user's telephone number.

In a Siteminder Password Policy you can also configure a Password Dictionary: a text file stored locally on the Policy Server that lists every word prohibited from appearing in a password. Because the file is local, each Policy Server evaluates its own copy.

Environment

PRODUCT: Siteminder

COMPONENT: Policy Server 

FEATURE: Password Services

VERSION: Any

OPERATING SYSTEM: Any

Resolution

A Password Blacklist can be implemented in Siteminder using Basic Password Services.

1) Configure the User Directory to use Password Services

a) Log on to the Siteminder AdminUI
b) Edit the User Directory [Tasks -> Infrastructure -> Directory -> User Directories]
c) Populate the following attribute mappings with the names of the corresponding attributes on the user object in the user directory:

Universal ID (R): 
Disabled Flag (RW):
Password (RW): 
Password Data (RW):

2) Create and Configure a Password Policy 


a) Log on to the Siteminder AdminUI
b) Navigate to Password Policies [Tasks -> Policies -> Password -> Password Policies]
c) Create a new Password Policy
d) Populate the following attributes within the Password Policy:

[GENERAL TAB]

Name: 
Directory:
Password Policy applies to the whole directory: {0|1}
Password Policy applies to part of the directory: {0|1}
--> Path: (Optional; only applies if the Password Policy applies to PART of the directory)
--> Class: (Optional; only applies if the Password Policy applies to PART of the directory)

Redirection URL: <Path to 'smpwservices.fcc'>

[EXPIRATION TAB]

Expiration Tracking: (Optional)
Password Expires if not Changed:  (Optional)
Incorrect Password: (Optional)
Password Expires From Inactivity: (Optional)

[COMPOSITIONS TAB]

Password Length: (Optional)
Repeating Characters: (Optional)
Content Allow:  [Upper | Lower| Digits | Punctuation | NonPrintable | Non-Alphanumeric] 
Content Minimum: (Optional)

[RESTRICTIONS TAB]

Reuse

Reuse Min. Days: (Optional)
Reuse Min. Number: (Optional)

Change Required

% of Difference: (Optional)
Sequence Checking: (Optional)

Profile Attribute

Match Length (Optional)

Dictionary

Dictionary Path: 

Match Length (Optional)

3) Configure the Password Dictionary

a) Create a plain text file listing the passwords you want to block, one entry per line

example: BlockedPassword.txt

password
123456789
abcdefghij
broadcom
siteminder
firewall

b) Save the file on the Policy Server, for example:

<Install_Dir>\CA\siteminder\pws\BlockedPassword.txt

The file must be readable by the account the Policy Server runs as. Restrict write access to administrators, since anyone who can edit the file can weaken the policy by removing entries. In an environment with several Policy Servers, deploy an identical copy to each of them at the same path.

c) Enter the full path and file name in the "Path" field of the Dictionary section on the Restrictions tab of the Password Policy.

d) Dictionary: Match Length is a numeric value. It sets the minimum number of consecutive characters that a password must share with a dictionary entry for the password to be rejected; the Policy Server compares every run of that length in the password against the dictionary entries.

With Dictionary: Match Length = 4, any password containing a run of four or more consecutive characters that appear consecutively in a dictionary entry is rejected. In the example the dictionary contains "123456789", so a match length of 4 blocks any password containing one of the following sequences:

1234
2345
3456
4567
5678
6789
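
To test a dictionary file and a Match Length value before deploying them to the Policy Server, the following Python script, added to this article and not Siteminder's own code, simulates the substring check described above on a constructed copy of BlockedPassword.txt. It assumes that the comparison is case-insensitive and that a blank or zero Match Length means the whole password must equal an entry; both are assumptions to confirm against the documentation for your release.

```python
"""Simulate the Siteminder Password Dictionary check described in this article.

This is an added illustration, not Siteminder code. It approximates how the
Policy Server applies Dictionary: Match Length so that a candidate dictionary
and match length can be tested before being deployed.

Assumptions (confirm against the product documentation for your release):
  * comparison is case-insensitive (configurable below);
  * a blank/zero Match Length means the whole password must equal an entry.
"""
from typing import Dict, List, Optional

# Constructed sample dictionary, mirroring BlockedPassword.txt in this article.
SAMPLE_DICTIONARY = """\
password
123456789
abcdefghij
broadcom
siteminder
firewall
"""


def load_dictionary(text: str) -> List[str]:
    """Parse a dictionary file: one prohibited word per line.

    Blank lines, surrounding whitespace and duplicate entries are dropped so a
    hand-edited file behaves predictably.
    """
    words: List[str] = []
    for line in text.splitlines():
        word = line.strip()
        if word and word not in words:
            words.append(word)
    return words


def dictionary_match(password: str, words: List[str],
                     match_length: Optional[int],
                     case_insensitive: bool = True) -> Optional[str]:
    """Return the dictionary entry that rejects the password, or None if it passes.

    match_length None or 0: reject only when the whole password equals an entry
        (assumption, see module docstring).
    match_length N > 0: reject when any N consecutive characters of the password
        also appear consecutively in an entry. Any longer shared run contains a
        run of exactly N, so sliding an N-character window is sufficient.
    """
    def norm(s: str) -> str:
        return s.lower() if case_insensitive else s

    pw = norm(password)
    if not match_length:
        return next((w for w in words if norm(w) == pw), None)
    # A password shorter than match_length has no window and passes this check;
    # the Password Length setting, not the dictionary, handles short passwords.
    for start in range(len(pw) - match_length + 1):
        window = pw[start:start + match_length]
        for word in words:
            if window in norm(word):
                return word
    return None


def audit(candidates: List[str], dictionary_text: str,
          match_length: Optional[int]) -> Dict[str, Optional[str]]:
    """Map each candidate password to the entry that blocks it (None = allowed)."""
    words = load_dictionary(dictionary_text)
    return {pw: dictionary_match(pw, words, match_length) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates: the article's "2345" case, a strong password that
    # happens to contain it, a false positive on "wall", and an unrelated password.
    for pw, hit in audit(["1234", "Secure2345!", "Wall-of-Text#9", "Tr0ub4dor&3"],
                         SAMPLE_DICTIONARY, 4).items():
        verdict = f"REJECTED (matches '{hit}')" if hit else "allowed"
        print(f"{pw:16} {verdict}")
```

Running the script against a proposed dictionary shows two things the Policy Server will not tell you in advance: which otherwise strong passwords are rejected because they contain a fragment of an entry ("Wall-of-Text#9" falls to "firewall"), and whether the chosen Match Length is too small for the entries you have. Raise the value or shorten the entries until the false positives are acceptable, then deploy the file.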

Users are now prevented from using those passwords when they change their password through Siteminder Password Services. Two caveats apply. A short match length also rejects passwords that merely contain a fragment of an entry: with a match length of 4, "firewall" in the example dictionary blocks "fire" and "wall", and "password" blocks "word", so test the value against realistic passwords before deploying it. And the dictionary is enforced only on changes that pass through Password Services; passwords set by other means, for example directly in the user directory, are not screened against it.

Additional Information