A password policy defines users’ password length, format, and frequency of change. You assign password policies to security domains. The policy applies to all users who are assigned to that security domain. Note that user password policies do not apply to Operations Console administrators.
All RSA Authentication Managerusers must have a password as part of their user record. If you use the Authentication Manager internal database as your identity source, the password is stored in the internal database.
If you use an LDAP directory as your identity source, the password field in the Authentication Manager user record may be mapped to the LDAP directory password. This password may be used to log on to other applications or resources within your organization. If policy permits, administrators may also use an LDAP-mapped password to log on to the Security Console.
Password characteristics are controlled by password policies.
Authentication Manager password policies only apply to users in the internal database. When users are stored in an LDAP directory, the directory password policy applies.
When you set up Authentication Manager, a default password policy is automatically created. You can edit this policy, or create a custom password policy and designate it as the default.
One password policy is always designated as the default policy. When you create new security domains, Authentication Manager automatically assigns the default password policy to the new security domains. You can use the default password policy or assign a custom policy to each security domain.
Password policies assigned to upper-level security domains are not inherited by lower-level security domains. For example, if you assign a custom policy to the top-level security domain, all new security domains that you create below it in the hierarchy are still assigned the default password policy.
Enabling system-generated passwords requires users to use passwords generated by Authentication Manager according to the password policy applied to the users’ security domain. Enabling this option ensures that users’ passwords are random and therefore less likely to be guessed by an unauthorized person attempting to access your network. When users are initially assigned their password, or when their passwords expire, they are prompted to choose from a list of system-generated passwords when they attempt to use their password.
You need to balance security needs with consideration of what is reasonable to expect from users. Requiring a long password may be counter productive and hard to remember, locking more users out of the network and generating calls to the Help Desk.