Password Policy

A password policy defines users’ password length, format, and frequency of change. You assign password policies to security domains. The policy applies to all users who are assigned to that security domain. Note that user password policies do not apply to Operations Console administrators.

All RSA Authentication Manager users must have a password as part of their user record. If you use the Authentication Manager internal database as your identity source, the password is stored in the internal database.

If you use an LDAP directory as your identity source, the password field in the Authentication Manager user record may be mapped to the LDAP directory password. This password may be used to log on to other applications or resources within your organization. If policy permits, administrators may also use an LDAP-mapped password to log on to the Security Console.

Password characteristics are controlled by password policies.

Authentication Manager password policies only apply to users in the internal database. When users are stored in an LDAP directory, the directory password policy applies.

When you set up Authentication Manager, a default password policy is automatically created. You can edit this policy, or create a custom password policy and designate it as the default.

One password policy is always designated as the default policy. When you create new security domains, Authentication Manager automatically assigns the default password policy to the new security domains. You can use the default password policy or assign a custom policy to each security domain.

Password policies assigned to upper-level security domains are not inherited by lower-level security domains. For example, if you assign a custom policy to the top-level security domain, all new security domains that you create below it in the hierarchy are still assigned the default password policy.

Enabling system-generated passwords requires users to use passwords that Authentication Manager generates according to the password policy applied to the users’ security domain. Because these passwords are random, they are less likely to be guessed by an unauthorized person attempting to access your network. When users are initially assigned a password, or when their password expires, they are prompted to choose from a list of system-generated passwords the next time they attempt to log on with their password.

You need to balance security needs with what is reasonable to expect from users. Requiring a very long password can be counterproductive: passwords that are hard to remember lock more users out of the network and generate calls to the Help Desk.

Add a Password Policy

In a replicated deployment, changes to policies might not be immediately visible on the replica instance. This delay is due to the cache refresh interval. Changes should replicate within 10 minutes. To make changes take effect sooner on the replica instance, see Flush the Cache.

Procedure

  1. In the Security Console, click Authentication > Policies > Password Policies > Add New.

  2. Under Password Policy Basics, do the following:

    1. In the Password Policy Name field, enter a unique name for the new password policy. Do not exceed 128 characters.

    2. (Optional) To require users to use only system-generated passwords, select Require users to use system-generated passwords.

    3. (Optional) To designate this policy as the default policy, select Set as the default password policy. When this option is selected, new security domains use this password policy.

  3. Under Lifetime, do the following:

    1. To turn off password expiration, clear the default setting Require periodic password changes, and go to step 3.

    2. Otherwise, leave the default setting Require periodic password changes selected, and specify the following options:

      • For Maximum Lifetime, specify how long a password can be used before it expires.

      • For Minimum Lifetime, specify how long users must wait before changing a password again. Specifying a minimum lifetime prevents users from bypassing re-use restrictions by changing their password repeatedly until a previous password is allowed again.

    3. To prevent users from using a password they have used previously, select Restrict Re-use. You can specify the number of previous passwords that cannot be used, or prevent any previous password from being used again.

  4. Under Format, do the following:

    1. In the Minimum Length field, enter the minimum number of characters required in a password. The default is 8.

    2. In the Maximum Length field, enter the maximum number of characters allowed in a password. The default is 32.

    3. (Optional) In the Excluded Characters field, enter any characters that you do not want to allow users to include in passwords. You can specify up to 50 excluded characters.

    4. From the Excluded Words Dictionary drop-down list, select the excluded words dictionary that you want to use. This dictionary contains a list of prohibited passwords.

    5. (Optional) In the Character Requirements fields, enter the minimum number of each character type required for a valid password. Make sure that the sum of these minimums does not exceed the Maximum Length, or no password can satisfy the policy.

  5. Click Save.
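As an added example (not RSA Authentication Manager code), the following Python models the Lifetime, Format and Restrict Re-use settings from the procedure above, together with the system-generated password option, so that their interaction can be checked offline: in particular why a minimum lifetime is needed for a re-use restriction to hold, and how a policy-compliant random password is produced. The field names, the encoding of Restrict Re-use (None = not restricted, 0 = no previous password, N = the N most recent), and the exact-match treatment of the excluded words dictionary are assumptions, and the sample password history is constructed for the example.

```python
# Added example, not RSA Authentication Manager code. Models the settings on
# the Add Password Policy form so their interaction can be checked offline.
# Field names and the Restrict Re-use encoding are assumptions.
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int = 8                       # form default
    max_length: int = 32                      # form default
    excluded_chars: str = ""                  # form allows up to 50
    excluded_words: frozenset = frozenset()   # stand-in for the Excluded Words Dictionary
    min_upper: int = 0                        # Character Requirements fields
    min_lower: int = 0
    min_digits: int = 0
    min_special: int = 0
    require_periodic_change: bool = True
    max_lifetime: timedelta = timedelta(days=90)
    min_lifetime: timedelta = timedelta(days=1)
    # None = re-use not restricted; 0 = no previous password may be re-used;
    # N > 0 = the N most recent passwords may not be re-used (assumed encoding)
    restrict_reuse: Optional[int] = None


def format_violations(policy: PasswordPolicy, candidate: str) -> list:
    """Return the Format rules a candidate password breaks (empty list = OK)."""
    problems = []
    n = len(candidate)
    if n < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if n > policy.max_length:
        problems.append(f"longer than maximum length {policy.max_length}")
    bad = sorted(set(candidate) & set(policy.excluded_chars))
    if bad:
        problems.append("contains excluded characters " + "".join(bad))
    if candidate.lower() in policy.excluded_words:   # exact match assumed
        problems.append("listed in the excluded words dictionary")
    counts = {
        "uppercase": sum(c.isupper() for c in candidate),
        "lowercase": sum(c.islower() for c in candidate),
        "digit": sum(c.isdigit() for c in candidate),
        "special": sum(c in string.punctuation for c in candidate),
    }
    required = {"uppercase": policy.min_upper, "lowercase": policy.min_lower,
                "digit": policy.min_digits, "special": policy.min_special}
    for kind, minimum in required.items():
        if counts[kind] < minimum:
            problems.append(f"needs at least {minimum} {kind} character(s)")
    return problems


def lifetime_violations(policy: PasswordPolicy, history: list,
                        candidate: str, now: datetime) -> list:
    """Check Lifetime and Restrict Re-use rules for a password change.
    history is a list of (password, set_at) tuples, oldest first; it is
    constructed cleartext for the example, a real store would hold hashes."""
    problems = []
    if not history:
        return problems
    _, last_set = history[-1]
    # Minimum Lifetime is what stops a user cycling through N+1 changes in a
    # minute to get back to a favourite password despite Restrict Re-use.
    if policy.require_periodic_change and now - last_set < policy.min_lifetime:
        problems.append("minimum lifetime has not elapsed since the last change")
    if policy.restrict_reuse is not None:
        previous = [p for p, _ in history]
        window = previous if policy.restrict_reuse == 0 else previous[-policy.restrict_reuse:]
        if candidate in window:
            problems.append("password was used previously")
    return problems


def is_expired(policy: PasswordPolicy, set_at: datetime, now: datetime) -> bool:
    """Maximum Lifetime only applies when periodic changes are required."""
    return policy.require_periodic_change and now - set_at > policy.max_lifetime


def generate_password(policy: PasswordPolicy, length: int = None) -> str:
    """Produce a policy-compliant random password from a CSPRNG by rejection
    sampling, the way a system-generated password option has to."""
    length = length or policy.min_length
    alphabet = [c for c in string.ascii_letters + string.digits + string.punctuation
                if c not in policy.excluded_chars]
    for _ in range(10_000):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not format_violations(policy, candidate):
            return candidate
    raise ValueError("policy cannot be satisfied at this length")
```

The re-use check is only as good as the minimum lifetime next to it: with `min_lifetime` set to zero and `restrict_reuse=3`, a user can make four changes in a row and land back on the original password, which is exactly the bypass the Minimum Lifetime setting in the procedure is there to prevent.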

Manage a Password Policy

You can edit, delete, or duplicate a password policy.

Procedure

  1. In the Security Console, click Authentication > Policies > Password Policies > Manage Existing.
  2. Do one of the following tasks:

    Edit a password policy

    When you edit a password policy, you can change information such as the name of the password policy, minimum and maximum lifetime information, and character requirements.

    1. Click the policy that you want to edit, and select Edit.

    2. Make the necessary changes to the password policy.

    3. Click Save.

      If you have not saved your changes, you can click Reset to restore the password policy to its original state.

    Delete a password policy

    When you delete a password policy, the policy is removed from the deployment and can no longer be used. Each security domain must have a password policy. If you delete a password policy that is assigned to a security domain, the default password policy is automatically assigned to the security domain.

    Note: If you plan to delete the default password policy, you must first designate another password policy to take its place.

    1. Click the password policy that you want to delete, and select Delete.

    2. Click OK.

    Duplicate a password policy

    When you duplicate a password policy, you create a password policy with identical password requirements. Information for the new policy, such as minimum length, maximum length, and character requirements, is the same as for the original policy.

    1. Click the policy that you want to duplicate, and select Duplicate.

    2. In the Password Policy Name field, enter a name for the password policy, and make any other necessary changes to the new password policy.

    3. Click Save.