Syntax rules for passwords

In policies of type Password, you define rules for passwords used to log on to the system. These settings do not apply to passwords used for logon at BitLocker encrypted endpoints. For more information on BitLocker passwords see PIN and passwords.

Passwords can contain numbers, letters and special characters (for example + - ; etc.). However, when issuing a new password, do not use any character with the combination ALT + <character> as this input mode is not available at SafeGuard Power-on Authentication. Rules for passwords used to log on to the system are defined in policies of the type Password.

Note: To enforce a strong password policy, see Security recommendations as well as the SafeGuard Enterprise manual for certification-compliant operation.

The enforcement of password rules and password history can only be guaranteed if the SGN credential provider is used consistently. Define password rules either in the SafeGuard Management Center or in the Active Directory, not both.

Policy setting Explanation
Password
Min. password length Specifies the number of characters a password must comprise when changed by the user. The required value can be entered directly or increased/reduced using the arrow buttons.
Max. password length Specifies the maximum number of characters a password may comprise when changed by a user. The required value can be entered directly or increased/reduced using the arrow buttons.
Min. number of letters

Min. number of digits

Min. number of special characters

These settings specify that a password must not consist exclusively of letters, numbers or special characters, but of a combination of at least two (for example 15flower). These settings only make sense if a minimum password length of greater than 2 has been defined.
Keyboard row forbidden Refers to keys arranged consecutively in rows on the keyboard such as "123" or "qwe". A maximum of two adjacent characters on the keyboard is allowed. Consecutive key sequences relate only to the alphanumerical keyboard area.
Keyboard column forbidden Refers to keys arranged consecutively in columns on the keyboard such as "xsw2" or "3edc" (but not "xdr5" or "cft6"!). A maximum of two adjacent symbols in a single keyboard column is permitted. If you disallow keyboard columns, combinations like these are rejected as passwords. Consecutive key sequences relate only to the alphanumerical keyboard area.
Three or more consecutive characters forbidden Activating this option disallows key sequences
  • which are consecutive series of ASCII code symbols in both ascending and descending order ("abc" or "cba").

  • which consist of three or more identical characters ("aaa" or "111").
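The keyboard-row, keyboard-column and consecutive-character rules above, as an added example that is not SafeGuard's own code; it assumes a US QWERTY alphanumeric layout and that runs in the reversed direction ("ewq", "xsw2") are rejected too.

```python
# Added example (not Sophos SafeGuard code): checks a password against the
# "keyboard row", "keyboard column" and "three or more consecutive characters"
# rules described above, using an assumed US QWERTY alphanumeric layout.

ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Columns read top to bottom, e.g. "2" above "w" above "s" above "x".
COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p"]

MAX_ADJACENT = 2  # the policy allows at most two adjacent keys in a row/column


def _runs_along(lines, password):
    """True if MAX_ADJACENT + 1 consecutive password characters lie next to
    each other on one of `lines`, in either direction ("qwe", "ewq", "xsw2").
    Rejecting the reversed direction as well is an assumption."""
    pw = password.lower()
    for line in lines:
        for seq in (line, line[::-1]):
            for i in range(len(seq) - MAX_ADJACENT):
                if seq[i:i + MAX_ADJACENT + 1] in pw:
                    return True
    return False


def keyboard_row_used(password):
    return _runs_along(ROWS, password)


def keyboard_column_used(password):
    return _runs_along(COLUMNS, password)


def consecutive_chars_used(password):
    """Three or more characters with consecutive ASCII codes, ascending or
    descending ("abc", "cba"), or three identical characters ("aaa", "111")."""
    for a, b, c in zip(password, password[1:], password[2:]):
        d1, d2 = ord(b) - ord(a), ord(c) - ord(b)
        if d1 == d2 and d1 in (-1, 0, 1):
            return True
    return False


def check_sequences(password):
    """Return the names of the sequence rules the password violates."""
    violations = []
    if keyboard_row_used(password):
        violations.append("keyboard row")
    if keyboard_column_used(password):
        violations.append("keyboard column")
    if consecutive_chars_used(password):
        violations.append("consecutive characters")
    return violations
```

Note that "xdr5" and "cft6" pass the column check, matching the documentation, because their keys are not in a single column.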

User name as password forbidden Determines whether the user name must not be used as a password.

Yes: Windows user name and password must be different.

No: Users may use their Windows user names as passwords.

Use forbidden password list Determines whether certain character sequences must not be used for passwords. The character sequences are stored in the List of forbidden passwords (for example a .txt file).
List of forbidden passwords Defines character sequences which must not be used for passwords. If a user uses a forbidden password, an error message will be displayed.

A list (file) of forbidden passwords must be registered in the SafeGuard Management Center in the policies navigation area under Texts, see Create forbidden password list for use in policies. The list is only available after registration.

Maximum file size: 50 KB

Supported format: Unicode

Defining forbidden passwords

In the list, forbidden passwords are separated by a line break. Wildcard: The wildcard character "*" can represent any character and any number of characters in a password. Therefore *123* means that any series of characters containing 123 will be disallowed as a password.

Note:

  • If the list contains only a wildcard, the user will no longer be able to log on to the system after a forced password change.

  • Users must not be permitted to access the file.

  • Option Use forbidden password list must be activated.

Case sensitive This setting is only effective with Use forbidden password list and User name as password forbidden.

Example 1: You have entered "board" in the list of forbidden passwords. If the Case sensitive option is set to Yes, additional password variants such as BOARD, BoaRD will not be accepted and logon will be denied.

Example 2: "EMaier" is entered as a user name. If the Case sensitive option is set to Yes and the User name as password forbidden option is set to No, user EMaier cannot use any variant of this user name (for example "emaier" or "eMaiER") as a password.
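The forbidden-password list with its "*" wildcard, together with the Case sensitive and User name as password forbidden settings from the two examples above, as an added example that is not SafeGuard's own code; it assumes a list entry must match the whole password, with "*" standing for any run of characters, and the sample list is constructed.

```python
# Added example (not SafeGuard's own code): evaluates a password against a
# forbidden-password list with the "*" wildcard, the Case sensitive setting and
# the User name as password forbidden setting, as described above. It assumes a
# list entry must match the whole password, with "*" standing for any run of
# characters (so "*123*" matches any password containing "123").
import re

# Constructed sample list in the documented format: one entry per line.
SAMPLE_FORBIDDEN_LIST = "board\n*123*\n\npassword\n"


def parse_forbidden_list(text):
    """Entries are separated by line breaks; blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def _entry_to_regex(entry, case_sensitive_setting):
    # Escape each literal part; "*" becomes "any (possibly empty) sequence".
    pattern = ".*".join(re.escape(part) for part in entry.split("*"))
    # As documented, Case sensitive = Yes also rejects case variants such as
    # BOARD or BoaRD, so the comparison ignores case when the setting is on.
    flags = re.IGNORECASE if case_sensitive_setting else 0
    return re.compile(r"\A" + pattern + r"\Z", flags)


def matches_forbidden(password, entries, case_sensitive_setting):
    """Return the first entry the password matches, or None."""
    for entry in entries:
        if _entry_to_regex(entry, case_sensitive_setting).match(password):
            return entry
    return None


def check_password(password, user_name, *, use_forbidden_list, entries,
                   user_name_forbidden, case_sensitive_setting):
    """Return the reasons the password is rejected (an empty list means it is
    accepted by these two rules)."""
    reasons = []
    if user_name_forbidden:
        if case_sensitive_setting:
            same = password.casefold() == user_name.casefold()
        else:
            same = password == user_name
        if same:
            reasons.append("password equals the Windows user name")
    if use_forbidden_list:
        hit = matches_forbidden(password, entries, case_sensitive_setting)
        if hit is not None:
            reasons.append(f"matches forbidden entry '{hit}'")
    return reasons
```

A list consisting only of "*" matches every password, which is why the note above says such a list locks users out after a forced password change.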

Changes
Password change allowed after min. (days) Determines the period during which a password may not be changed. This setting prevents the user from changing a password too many times within a specific period. If the user is forced to change their password by Windows or if the user changes their password after a warning message has been displayed stating that the password will expire in x days, this setting will not be evaluated!

Example:

User Miller defines a new password (for example "13jk56"). The minimum change interval for this user (or the group to which this user is assigned) is set to five days. After two days the user wants to change the password to "13jk56". The password change is rejected because user Miller may only define a new password after five days have passed.

Password expires after (days) If you set this option, the user has to define a new password after the set period has expired.
Notify of forced change before (days) A warning message is displayed "n" days before password expiry reminding the user to change their password in "n" days. Alternatively, the user may change the password immediately.
General
Hide password in POA Specifies whether the characters entered are hidden when entering passwords. If enabled, nothing is shown when passwords are entered in the POA. Otherwise, passwords are shown masked with asterisks.
Password history length Determines when previously used passwords can be reused. It makes sense to define the history length in conjunction with the Password expires after (days) setting.

Example:

The password history length for user Miller is set to 4, and the number of days after which the user must change their password is 30. Mr. Miller is currently logging on using the password "Informatics". After the 30 day period expires, he is asked to change his password. Mr. Miller types in "Informatics" as the new password and receives an error message that this password has already been used and he needs to select a new password. Mr. Miller cannot use the password "Informatics" until after the fourth request to change the password (in other words password history length = 4).

Note: If you set the password history length to 0, the user can set the old password as the new password. This is not good practice and should be avoided.
User password synchronization to other SGN Clients
This field determines how passwords are synchronized when users who work on several SafeGuard Enterprise endpoints, and are registered as users on these endpoints, change their passwords. The following options are available:
  • Slow (wait for user to log on)

    If a user changes their password on a SafeGuard Enterprise endpoint and intends to log on to another endpoint on which the user is also registered, they have to log on using their old password at the SafeGuard Power-on Authentication first. Password synchronization will only be performed after logging on using the old password first.

  • Fast (wait for machine to connect)

    If a user changes their password on a SafeGuard Enterprise endpoint, password synchronization with the other endpoints on which the user is also registered will be performed as soon as the other endpoint has established a connection to the server. This is the case, for example, when another user who is also registered on that endpoint logs on to it in the meantime.