Syntax rules for PINs

In policies of the type PIN, you define settings for token PINs. These settings do not apply to PINs used for logon at BitLocker encrypted endpoints. For more information on BitLocker PINs see PIN and passwords.

PINs can contain numbers, letters and special characters (for example + - ; etc.). However, when issuing a new PIN, do not use any character with the combination ALT + < character > as this input mode is not available at SafeGuard Power-on Authentication.

Note: Define PIN rules either in the SafeGuard Management Center or in the Active Directory, not both.
Policy Setting Explanation
Min. PIN length Specifies the number of characters a PIN must comprise when changed by the user. The required value can be entered directly or increased/reduced using the arrow buttons.
Max. PIN length Specifies the maximum number of characters a PIN may comprise when changed by a user. The required value can be entered directly or increased/reduced using the arrow buttons.
Min. number of letters

Min. number of digits

Min. number of special characters
These settings specify that a PIN must not consist exclusively of letters, numbers or special characters, but of a combination of at least two (for example 15flower). These settings only make sense if a minimum PIN length of greater than 2 has been defined.
Keyboard row forbidden Refers to keys arranged consecutively in rows on the keyboard such as "123" or "qwe". A maximum of two adjacent characters on the keyboard is allowed. Consecutive key sequences relate only to the alphanumerical keyboard area.
Keyboard column forbidden Refers to keys arranged consecutively in columns on the keyboard such as "xsw2" or "3edc" (but not "xdr5" or "cft6"!). A maximum of two adjacent symbols in a single keyboard column is permitted. If you disallow keyboard columns, combinations like these are rejected as PINs. Consecutive key sequences relate only to the alphanumerical keyboard area.
Three or more consecutive characters forbidden The activation of this option disallows key sequences
  • which are consecutive series of ASCII code symbols in both ascending and descending order ("abc" or "cba").

  • which consist of three or more identical characters ("aaa" or "111").

User name as PIN forbidden Determines whether user name and PIN may be identical.

Yes: Windows user name and PIN must be different.

No: Users may use their Windows user names as PINs.

Use forbidden PIN list Determines whether certain character sequences must not be used for PINs. The character sequences are stored in the List of forbidden PINs (for example .txt file).
List of forbidden PINs Defines character sequences which must not be used for PINs. If a user uses a forbidden PIN, an error message will be displayed.


A list (file) of forbidden PINs must be registered in the Management Center in the policies navigation area under Texts, see Create forbidden PIN lists for use in policies. The list is only available after registration.

  • Maximum file size: 50 KB

  • Supported format: Unicode

Defining forbidden PINs

In the list, forbidden PINs are separated by a line break.

Wildcard: Wildcard character "*" can represent any character and any number of characters in a PIN. Therefore *123* means that any series of characters containing 123 will be disallowed as a PIN.


  • If the list contains only a wildcard, the user will no longer be able to log on to the system after a forced password change.

  • Users must not be permitted to access the file.

  • Option Use forbidden PIN list must be activated.

Case sensitive This setting is only effective with Use forbidden PIN list and User name as PIN forbidden.

Example 1: You have entered "board" in the list of forbidden PINs. If the Case sensitive option is set to Yes, additional PIN variants such as BOARD, BoaRD will not be accepted and logon will be denied.

Example 2: "EMaier" is entered as a user name. If the Case sensitive option is set to Yes and the User name as PIN forbidden option is set to No, user EMaier cannot use any variant of this user name (for example "emaier" or "eMaiER") as a PIN.

PIN change after min. (days) Determines the period during which a PIN must not be changed. This setting prevents the user from changing a PIN too many times within a specific period.


User Miller defines a new PIN (for example "13jk56"). The minimum change interval for this user (or group to which this user is assigned) is set to five days. After two days the user wants to change the PIN to "13jk56". The PIN change is rejected because Mr. Miller may only define a new PIN after five days have passed.

PIN change after max. (days) The user has to define a new PIN after the set period has expired. If the period is set to 999 days, no PIN change is required.
Notify of forced change before (days) A warning message is displayed "n" days before PIN expiry reminding the user to change their PIN in "n" days. Alternatively, the user may change the PIN immediately.
Hide PIN in POA Specifies whether the digits entered are hidden when entering PINs. If enabled, nothing is shown when PINs are entered in the POA. Otherwise, PINs are shown masked with asterisks.
PIN history length Determines when previously used PINs can be reused. It makes sense to define the history length in conjunction with the PIN change after max. (days) setting.


The PIN history length for user Miller is set to 4, and the number of days after which the user must change their PIN is 30. Mr. Miller is currently logging on using the PIN "Informatics". After the 30 day period expires, he is asked to change his PIN. Mr. Miller types in "Informatics" as the new PIN and receives an error message that this PIN has already been used and he needs to select a new PIN. Mr. Miller cannot use the PIN "Informatics" until after the fourth request to change the PIN (in other words PIN history length = 4).