Password policies are scoped to the environment, enabling you to set default password policies for all users in the environment. The password policies are applied to users through populations in the environment. You can assign a password policy to a population using either Update Population or Create Population. You cannot delete a password policy if it is set as the default for the environment, or is referenced by a population.

Each environment is initialized with 3 password policies: “Standard”, “Passphrase”, and “Basic”. The password requirements for each policy are configurable (toggled on/off in the PingOne admin console), as are the password policy rules. When updating a password policy, the password policy rules are configurable by including or excluding the rule property or properties from the payload.

The pre-defined password policies have the following requirements:

Basic: A relaxed standard policy that allows for maximum customer flexibility. The Basic password policy has no expiration rule; while it is in effect, user passwords do not expire. Requirements include:

* The password will be checked against a list of the most commonly-used passwords.
* The password must be between 8 and 255 characters.
* The password must have at least 1 of the following characters: 1234567890
* The password must have at least 1 of the following characters: abcdefghijklmnopqrstuvwxyz
* The password must have at least 1 of the following characters: ABCDEFGHIJKLMNOPQRSTUVWXYZ
* The password must have at least 1 of the following characters: ~!@#$%^&*()-_=+[]{}
* The user’s account will lock out for 15 minutes after 5 failed attempts. Repeated attempts with the same password are not counted as separate failed attempts.

Standard: A standard password policy that incorporates industry best practices. Requirements include:

* The password will be checked to make sure it does not match strings that appear in the user’s identity data.
* The password will be checked to make sure it is not too similar to the user’s current password.
* The password will be checked against a list of the most commonly-used passwords.
* The password cannot have more than 2 repeated characters.
* The password must have a minimum of 5 unique characters.
* The password must be between 8 and 255 characters.
* The password must have at least 1 of the following characters: 1234567890
* The password must have at least 1 of the following characters: abcdefghijklmnopqrstuvwxyz
* The password must have at least 1 of the following characters: ABCDEFGHIJKLMNOPQRSTUVWXYZ
* The password must have at least 1 of the following characters: ~!@#$%^&*()-_=+[]{}
* The password will expire every 182 days.
* Passwords can be changed after 1 day.
* 6 prior passwords will be kept in the password history for a maximum of 365 days.
* The user’s account will lock out for 15 minutes after 5 failed attempts. Repeated attempts with the same password are not counted as separate failed attempts.

Passphrase: A password policy that accepts the use of passphrases. Requirements include:

* The password will be checked to make sure it does not match strings that appear in the user’s identity data.
* The password will be checked to make sure it is not too similar to the user’s current password.
* The password will be checked against a list of the most commonly-used passwords.
* The password must have a complexity of at least 7 days, based on the Gibson Research Corporation Password Haystacks concept.
* The password will expire every 182 days.
* Passwords can be changed after 1 day.
* 6 prior passwords will be kept in the password history for a maximum of 365 days.

For information about the specific password property values set for each pre-defined password policy, see the response data for Read All Password Policies.

Password policies data model {#password-policies-data-model}

| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| bypassPolicy | Boolean | Optional | Mutable | Determines whether the password policy for a user will be ignored. If this property is omitted from a Create Password Policy request, its value is set to false. |
| createdAt | Date | Required | Immutable | The date and time the resource was created (ISO 8601 format). |
| default | Boolean | Optional | Mutable | Indicates whether this password policy is enforced within the environment. When set to true, all other password policies are set to false. |
| description | String | Optional | Mutable | A brief description of the password policy. |
| environment.id | String | Required | Immutable | The ID of the environment resource referenced by this relationship. |
| excludesCommonlyUsed | Boolean | Optional | Mutable | Set this to true to ensure the password is not one of the commonly used passwords. |
| excludesProfileData | Boolean | Optional | Mutable | Set this to true to ensure the password is not an exact match for the value of any attribute in the user’s profile, such as name, phone number, or address. |
| history.count | Integer | Optional | Mutable | The number of prior passwords to keep for prevention of password re-use. The value must be a positive, non-zero integer. |
| history.retentionDays | Integer | Optional | Mutable | The number of days to keep recent passwords for prevention of password re-use. The value must be a positive, non-zero integer. |
| id | String | Required | Immutable | The password policy resource’s unique identifier. |
| length.max | Integer | Optional | Mutable | The maximum number of characters allowed for the password. Defaults to 255. This property is not enforced when not present. |
| length.min | Integer | Optional | Mutable | The minimum number of characters required for the password. This can be from 8 to 32 (inclusive). Defaults to 8 characters. This property is not enforced when not present. |
| lockout.durationSeconds | Integer | Optional | Mutable | The number of seconds before a password is automatically moved out of the lockout state. The value must be a positive, non-zero integer. |
| lockout.failureCount | Integer | Optional | Mutable | The number of failed attempts before a password is placed in the lockout state. The value must be a positive, non-zero integer. |
| maxAgeDays | Integer | Optional | Mutable | The maximum number of days the same password can be used before it must be changed. Defaults to 90 days. When the maxAgeDays value is reached, it automatically resets to the assigned value. The value must be a positive, non-zero integer, and must be greater than the sum of minAgeDays (if set) + 21 (the expiration warning interval for passwords). |
| maxRepeatedCharacters | Integer | Optional | Mutable | The maximum number of repeated characters allowed. This property is not enforced when not present. |
| minAgeDays | Integer | Optional | Mutable | The minimum number of days a password must be used before it can be changed. The value must be a positive, non-zero integer. This property is not enforced when not present. |
| minCharacters | Object | Optional | Mutable | Contains name-value pairs where the name is a character set and the value is the minimum number of times a character from that set must appear in the password. The only allowed keys are ABCDEFGHIJKLMNOPQRSTUVWXYZ, abcdefghijklmnopqrstuvwxyz, 0123456789, and ~!@#$%^&*()-_=+[]{}\|;:,.<>/?. This property is not enforced when not present. |
| minComplexity | Integer | Optional | Mutable | The minimum complexity of the password based on the concept of password haystacks. The value is the number of days required to exhaust the entire search space during a brute force attack. This property is not enforced when not present. |
| minUniqueCharacters | Integer | Optional | Mutable | The minimum number of unique characters required. This property is not enforced when not present. |
| name | String | Optional | Mutable | The name of the password policy. This value must be unique within the environment. |
| notSimilarToCurrent | Boolean | Optional | Mutable | Set this to true to ensure that the proposed password is not too similar to the user’s current password, based on the Levenshtein distance algorithm. This property is evaluated only for password change actions in which the user enters both the current and the new password, because by design PingOne does not know the user’s current password. |
| populationCount | Integer | Required | Immutable | Returned in the response. The number of populations associated with the password policy. |
| updatedAt | Date | Required | Immutable | The date and time the resource was last updated (ISO 8601 format). |
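To see how the structural rules in the data model combine, here is an added example (not PingOne code) that evaluates a candidate password offline against a constructed policy mirroring the pre-defined Standard policy. The similarity threshold, the tiny stand-in commonly-used list, and the reading of maxRepeatedCharacters as consecutive repeats are assumptions; PingOne's server-side values and matching are not published here.

```python
# Added example, not PingOne code. STANDARD_POLICY is a constructed policy
# using the documented property names. SIMILARITY_THRESHOLD, COMMON_PASSWORDS
# and the "consecutive repeats" reading of maxRepeatedCharacters are assumptions.
STANDARD_POLICY = {"length": {"min": 8, "max": 255}, "maxRepeatedCharacters": 2,
                   "minUniqueCharacters": 5, "excludesCommonlyUsed": True,
                   "excludesProfileData": True, "notSimilarToCurrent": True,
                   "minCharacters": {"0123456789": 1, "abcdefghijklmnopqrstuvwxyz": 1,
                                     "ABCDEFGHIJKLMNOPQRSTUVWXYZ": 1,
                                     "~!@#$%^&*()-_=+[]{}|;:,.<>/?": 1}}
COMMON_PASSWORDS = {"password1!", "qwerty123!"}  # assumed stand-in list
SIMILARITY_THRESHOLD = 3  # assumed: edit distance below this is "too similar"

def levenshtein(a, b):
    """Edit distance between a and b, the metric named for notSimilarToCurrent."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def max_run(pw):  # longest run of one character repeated consecutively
    best = run = 0
    for i, c in enumerate(pw):
        run = run + 1 if i and pw[i - 1] == c else 1
        best = max(best, run)
    return best

def evaluate(pw, policy, profile=None, current=None):
    """Return the names of violated rules; an empty list means the password passes."""
    failed, length = [], policy.get("length", {})
    if len(pw) < length.get("min", 0) or len(pw) > length.get("max", 10**9):
        failed.append("length")
    for charset, need in policy.get("minCharacters", {}).items():
        if sum(c in charset for c in pw) < need:  # count chars drawn from the set
            failed.append("minCharacters:" + charset[0])
    if max_run(pw) > policy.get("maxRepeatedCharacters", 10**9):
        failed.append("maxRepeatedCharacters")
    if len(set(pw)) < policy.get("minUniqueCharacters", 0):
        failed.append("minUniqueCharacters")
    if policy.get("excludesCommonlyUsed") and pw.lower() in COMMON_PASSWORDS:
        failed.append("excludesCommonlyUsed")
    if policy.get("excludesProfileData") and profile and pw in profile.values():
        failed.append("excludesProfileData")  # exact match on any attribute value
    if policy.get("notSimilarToCurrent") and current is not None and \
            levenshtein(pw, current) < SIMILARITY_THRESHOLD:
        failed.append("notSimilarToCurrent")  # only checkable when current is supplied
    return failed
```

Note that notSimilarToCurrent can only be evaluated when the caller passes the current password, which matches the data model's statement that PingOne never holds it.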

Audit reporting events

To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.

| Service | Event |
|---|---|
| password-policies | POLICY.UPDATED |

Response codes

| Code | Message |
|---|---|
| 200 | Successful operation. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 404 | The requested resource was not found. |