Template Password Requirements

Overview

A password requirement is a stored Secret Server object that defines the requirements on a password text-entry field to validate user-entered passwords or make auto-generated passwords conform to set specifications. You can have multiple password requirements, but only one can be set to the default.

A password requirement is made up of a minimum and maximum length, a set of characters, and optional rules such as "At least three upper-case characters" or "The first character must be lower-case". The default password requirement is 12 characters from the default character set with at least one upper-case, lower-case, numeric, and symbol character.

Creating a Custom Password Requirement

To create a new password requirement:

  1. Click the Settings drawer in the main menu. The All Settings page appears.

  2. Click the Secret Templates link in the Secrets Section. The Templates tab of the Secret Template page appears.

  3. Click the Password Requirements tab.

  4. Click the Create button. A popup appears.

  5. Type the name of the new password requirement in the Name text box.

  6. (Optional) Type a description of the new password requirement in the Description text box.

  7. Click the Minimum Password Length spinner to select or type a minimum allowed password length.

  8. Click the Character Set dropdown list to select a character set for the password. The out-of-the-box default is abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*().

  9. If you want the password requirement to become the new default, click to select the Is Default check box.

  10. Click to select the desired password no-no check boxes. The options are:

    • Prevent Username: Do not allow the username to be part of the password.
    • Prevent Spatial Pattern: Do not allow strings of characters based their order on the keyboard, such as qwerty or asdfg.
    • Prevent Sequential Pattern: Do not allow strings of characters based on their order in the character set, such as abcd or 5678. Note: As character sets are case sensitive, AbCd is allowed.
    • Prevent Dictionary Words: Do not allow everyday English words in the password.
  11. Click the Save button. The popup closes and the page for the new requirement appears (containing the choices you just made for the details and generation sections):

  12. Scroll down to the Password Validation section.

  13. Click the Edit button. The section expands.

  14. Most of the validation rules are ones you have already set with these two exceptions, which you can now set:

    • Prevent Dictionary Words: Do not allow everyday English words in the password.
    • Prevent Words from Dictionary …: Do not allow words that appear in the named dictionary. In our example, the dictionary is named "Test."
  15. Go to the Starting and Ending Character Validation section.

  16. Click the Edit button.

  17. To require specific starting characters, click to select the Require Specific Starting Characters check box. Two hidden controls appear. This allows you to make rules such as "password must start with three symbols and end with two lowercase letters."

    "Start and end with" rules can decrease the password entropy (resistance to brute force attacks).
  18. Type or click the spinner to set the number of required starting characters.

  19. Click the characters from dropdown list to select the character set to draw the characters from.

  20. Repeat the procedure for any desired ending characters.

  21. Click the Save button. An edit button now appears for the Character Count Validation section.

  22. To set character count validation rules:

    1. Click the Edit button for the Character Count Validation section. The section expands.

    2. Click the Add Rule button and select one of the following types:

      • Minimum Required Characters Rule: For the first rule type, type the number of characters and select what character set they must come from, for example, "Minimum 5 characters from Upper Case (A-Z)."

      • Maximum Consecutive Characters Rule: For the second rule, type the number of characters and select what character set they must come from, for example, "Maximum 5 characters from Lower Case (a-z)."

      • Repeating Characters Rule: Sets a limit on how many times any single character can appear in a password. You can set it anywhere between one and the maximum length of the password requirement. For example, the rule "At most 1 of the same character" means that any character can only appear one time in a password: Bztyopz is invalid because there are two z characters, and Bztyopx is valid because no character appears more than once

      • Repeating Consecutive Characters Rule: Sets a limit on how many times any single character can appear in a sequence in a password. You can set it anywhere between one and the maximum length of the password requirement. For example, "At most consecutively 2 of the same character" means any character can only appear one time in a password: Bzty1fxeee is invalid because there are three e characters at the end of the password. Bzty11fxe is valid because no character appears more than twice. Finally, Bzetey1efxe is valid, even though there are three e characters, because they do not appear next to each other.

    3. Once you create more than one rule, the Minimum Required Character Count Rules dropdown list appears. This allows you to set whether you want a minimum number of rules enforced from those you created or all of them.

    4. Create as many additional character count validation rules as you desire by clicking the Add Rule button and repeating the procedure.

    5. Click the Save button.

  23. Review the Password Rule Strength section to see how strong your choices are and any recommendations for improvement. The two tests are:

    • Entropy Score: The difficulty of cracking the password in a brute-force attack.
    • Total Strength Score: An overall weighted measure of password strength for passwords generated by the password requirements. Any rule conflicts will appear in the recommendations section.
The explicit character rules cannot conflict with the implicit ones you created earlier or you will get an error when saving. For that reason, we suggest leaving the password requirements character set to the default. Carefully consider any other conflicts if you get an error.
To set a custom password requirement for a specific secret, use the "Customize Password Requirement" in the Security tab of a secret.
You can enable or disable the validation of manually entered passwords at the secret template level via the "Validate Password Requirements on Create" and "Validate Password Requirements on Edit" settings.
The "What Secrets Do Not Meet Password Requirements" report shows secrets containing a password that does not meet the password requirements set for its secret template.
Password requirements cannot include rules with overlapping character sets. For example, if an attempt is made to add both a "Minimum of 1 upper-case" rule and a "Minimum of 3 Default" rule to a new password requirement, an error displays.

Assigning Requirements to a Secret Template

To assign requirements to a secret template: 

  1. Navigate to Secret Templates.

  2. Select the template you wish to edit.

  3. Navigate to the Fields tab.

  4. Select the Password field.

  5. Select Edit for the Template Field Details section.

  6. For Password Requirement, select your desired requirement.