|Policy types and their fields of applications|
In policies of type Password, you define rules for passwords used to log on to the system. These settings do not apply to passwords used for logon at BitLocker encrypted endpoints. For more information on BitLocker passwords see PIN and passwords.
Passwords can contain numbers, letters and special characters (for example + - ; and so on). However, when issuing a new password, do not use any character that has to be entered with the combination ALT + <character>, as this input mode is not available at SafeGuard Power-on Authentication.
The enforcement of password rules and password history can only be guaranteed if the SGN credential provider is used consistently. Define password rules either in the SafeGuard Management Center or in the Active Directory, not both.
|Min. password length||Specifies the number of characters a password must comprise when changed by the user. The required value can be entered directly or increased/reduced using the arrow buttons.|
|Max. password length||Specifies the maximum number of characters a password may comprise when changed by a user. The required value can be entered directly or increased/reduced using the arrow buttons.|
|Min. number of letters / Min. number of digits / Min. number of special characters||These settings specify that a password must not consist exclusively of letters, numbers or special characters, but of a combination of at least two (for example 15flower). These settings only make sense if a minimum password length of greater than 2 has been defined.|
|Keyboard row forbidden||Refers to keys arranged consecutively in rows on the keyboard such as "123" or "qwe". A maximum of two adjacent characters on the keyboard is allowed. Consecutive key sequences relate only to the alphanumerical keyboard area.|
|Keyboard column forbidden||Refers to keys arranged consecutively in columns on the keyboard such as "xsw2" or "3edc" (but not "xdr5" or "cft6"!). A maximum of two adjacent symbols in a single keyboard column is permitted. If you disallow keyboard columns, combinations like these are rejected as passwords. Consecutive key sequences relate only to the alphanumerical keyboard area.|
|Three or more consecutive characters forbidden||The activation of this option disallows key sequences
|User name as password forbidden||Determines whether the user name must not be used as a password.
Yes: Windows user name and password must be different.
No: Users may use their Windows user names as passwords.
|Use forbidden password list||Determines whether certain character sequences must not be used for passwords. The character sequences are stored in the List of forbidden passwords (for example a .txt file).|
|List of forbidden passwords||Defines character sequences which must not be used for passwords. If a user uses a forbidden password, an error message will be displayed.
A list (file) of forbidden passwords must be registered in the SafeGuard Management Center in the policies navigation area under Texts, see Create forbidden password list for use in policies. The list is only available after registration.
Maximum file size: 50 KB
Supported format: Unicode
Defining forbidden passwords
In the list, forbidden passwords are separated by a line break. Wildcard: The wildcard character "*" can represent any character and any number of characters in a password. Therefore *123* means that any series of characters containing 123 will be disallowed as a password.
|Case sensitive||This setting is only effective with Use forbidden password list and User name as password forbidden.
Example 1: You have entered "board" in the list of forbidden passwords. If the Case sensitive option is set to Yes, additional password variants such as BOARD, BoaRD will not be accepted and logon will be denied.
Example 2: "EMaier" is entered as a user name. If the Case sensitive option is set to Yes and the User name as password forbidden option is set to No, user EMaier cannot use any variant of this user name (for example "emaier" or "eMaiER") as a password.
|Password change allowed after min. (days)||Determines the period during which a password may not be changed. This setting prevents the user from changing a password too many times within a specific period. If the user is forced to change their password by Windows or if the user changes their password after a warning message has been displayed stating that the password will expire in x days, this setting will not be
User Miller defines a new password (for example "13jk56"). The minimum change interval for this user (or group to which this user is assigned) is set to five days. After two days the user wants to change the password to "13jk56". The password change is rejected because user Miller may only define a new password after five days have passed.
|Password expires after (days)||If you set this option, the user has to define a new password after the set period has expired.|
|Notify of forced change before (days)||A warning message is displayed "n" days before password expiry reminding the user to change their password in "n" days. Alternatively, the user may change the password immediately.|
|Hide password in POA||Specifies whether the characters entered are hidden when entering passwords. If enabled, nothing is shown when passwords are entered in the POA. Otherwise, passwords are shown masked with asterisks.|
|Password history length||Determines when previously used passwords can be reused. It makes sense to define the history length in conjunction with the Password expires after (days) setting.
The password history length for user Miller is set to 4, and the number of days after which the user must change their password is 30. Mr. Miller is currently logging on using the password "Informatics". After the 30-day period expires, he is asked to change his password. Mr. Miller types in "Informatics" as the new password and receives an error message that this password has already been used and he needs to select a new password. Mr. Miller cannot use the password "Informatics" until after the fourth request to change the password (in other words, password history length = 4).
Note: If you set the password history length to 0, the user can set the old password as the new password. This is not good practice and should be avoided.
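The following checker is an added example (not SafeGuard code) that evaluates a candidate password against the rules described above: the composition minimums, the keyboard row and column rules, the user name rule, the forbidden-password list with its "*" wildcard and the Case sensitive setting, and the password history length. The keyboard layout, the policy dictionary keys and the rule names are assumptions made for this example.

```python
import re

# Constructed US-QWERTY layout of the alphanumerical keyboard area (the
# product's own layout table is not on the page). A column is read top-down.
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p"]

def has_key_sequence(password, lines, max_adjacent=2):
    """True if more than max_adjacent consecutive keys of one keyboard line occur, either direction."""
    p, n = password.lower(), max_adjacent + 1
    for line in lines:
        for s in (line, line[::-1]):  # "qwe" and "ewq", "2wsx" and "xsw2"
            if any(s[i:i + n] in p for i in range(len(s) - n + 1)):
                return True
    return False

def matches_forbidden(password, entry, case_sensitive):
    """Match one forbidden-list entry; "*" is the only wildcard (any characters).
    Case sensitive = Yes means, as on the page, that case variants are rejected too."""
    pattern = ".*".join(re.escape(part) for part in entry.split("*"))
    return re.fullmatch(pattern, password, re.IGNORECASE if case_sensitive else 0) is not None

def check_password(password, policy, user_name="", forbidden_list="", history=()):
    """Return the names of the violated rules; an empty list means the password is accepted."""
    errors = []
    if len(password) < policy.get("min_length", 0):
        errors.append("min_length")
    if sum(c.isalpha() for c in password) < policy.get("min_letters", 0):
        errors.append("min_letters")
    if sum(c.isdigit() for c in password) < policy.get("min_digits", 0):
        errors.append("min_digits")
    if sum(not c.isalnum() for c in password) < policy.get("min_special", 0):
        errors.append("min_special")
    if policy.get("keyboard_row_forbidden") and has_key_sequence(password, KEY_ROWS):
        errors.append("keyboard_row")
    if policy.get("keyboard_column_forbidden") and has_key_sequence(password, KEY_COLUMNS):
        errors.append("keyboard_column")
    cs = policy.get("case_sensitive", False)
    if policy.get("user_name_forbidden") and user_name and (
            password == user_name or (cs and password.lower() == user_name.lower())):
        errors.append("user_name")
    if policy.get("use_forbidden_list"):  # one entry per line, as in the registered list file
        entries = [e.strip() for e in forbidden_list.splitlines() if e.strip()]
        if any(matches_forbidden(password, e, cs) for e in entries):
            errors.append("forbidden_list")
    n = policy.get("history_length", 0)  # the last n passwords may not be reused
    if n and password in list(history)[-n:]:
        errors.append("history")
    return errors
```

Note that a dictionary word such as "flower" contains the row fragment "wer", so the keyboard row rule rejects the page's own composition example "15flower" when it is enabled.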
|User password synchronization to other SGN Clients||
This field determines the procedure of synchronizing passwords when users, who work on several SafeGuard Enterprise endpoints and are defined as users on these endpoints, change their passwords. The following options are available: