Custom password policies

Information protection and data privacy laws include specific requirements for the selection of secure passwords for identity verification. To help users comply with these laws, IBM® Domino® includes the ability to implement password restrictions on a policy basis. Administrators can enforce password requirements that will fit almost any set of corporate or government security requirements.

Custom password policies are created and applied through a Security Policy Settings document.

Through a custom password policy, administrators can restrict or prohibit the use of the following in user passwords:

  • user name as part of the password
  • repeating characters
  • unique characters
  • use of special characters (punctuation characters) such as ! " # % & ' ( ) *, . / : ; ? @ [ \ ] _ { }
  • use of numbers, uppercase and lowercase characters
  • starting or ending passwords with certain character types
  • combinations of non-lowercase characters

While custom password policies can be applied to all users, it should be noted that the requirement to change password on first log in can only apply to new users who have had the policy applied to them at registration. Users who are already registered will not be required to change their passwords when they login after the policy has been applied.

If the policy has been applied to a new user, the user must first authenticate with the server in order to be prompted to change password first use.

Custom password policies are downloaded to the Notes® ID file when a user first authenticates to the home server. Once stored in the ID file, the policy settings will apply to the user's password the next time a user logs in to the IBM Notes client, and the user will be prompted to change the password upon first use.

If the user does not change the password to conform to the policy, or cancels out of the Change Password dialog, the user receives an error message stating that the password does not meet policy requirements, and the Notes client shuts down.

Custom password policies do not have many validation checks. It is possible for an administrator to create a policy such that no password will ever meet the requirements (for example, maximum length = 4, minimum password quality = 8 ). Administrators need to make sure that the password policies they implement make sense and can be implemented.

Note: Even if you establish a customized password policy, you must still enable Check passwords on Notes IDs in the server document in order for Domino to check password history.

Restrictions

Custom password policy settings will not:

  • support random password generation, either through User Registration or the User Security
  • apply to IDs protected with multiple passwords
  • apply to IDs protected with Smartcards