To enhance authentication security, the Application Server can enforce rules on the quality of user passwords when local authentication is used. The quality of a password expresses how hard it is to guess or to recover by brute force. These rules are checked whenever the password of a user is changed.
Password security rules can be configured in the global settings. Table 1 lists the settings that define the password quality rules enforced by the system.
Although we do not recommend allowing empty passwords, you can allow them by setting Password quality: Minimum length to zero and disabling the rules Password quality: Must include digits, Password quality: Must include lower and upper-case letters and Password quality: Must include special character.
| Rule | Description |
| --- | --- |
| Password quality: Minimum length | Defines the minimum length (number of characters) a password must have. We do not recommend values lower than 8 for this setting. Default: 8 |
| Password quality: Must include digits | If enabled, passwords must contain at least one digit [0-9]. Default: Enabled |
| Password quality: Must include lower and upper-case letters | If enabled, passwords must contain at least one letter out of the range [a-z] and one letter out of the range [A-Z]. Default: Enabled |
| Password quality: Must include special character | If enabled, passwords must contain at least one of the following characters: ! § @ # $ % ^ & * ? _ ~ - £ ( ). Default: Enabled |
| Password quality: Must not contain username | If enabled, passwords are not allowed to contain the username. This rule is checked case-insensitively. Default: Enabled |
| Password quality: Must not contain name | If enabled, passwords are not allowed to contain the user's first, middle or last name. This rule is checked case-insensitively. Default: Enabled |
Table 1: The global settings defining the password quality rules enforced by the Application Server