The password policies endpoints implement functions to list password policies associated with an environment, get information about a specific password policy, and modify a password policy’s attributes. PingOne provides the following three pre-defined password policies:

Basic

A relaxed standard policy to allow for maximum customer flexibility. Requirements include:

Note: The basic password policy does not have an expiration rule. When this password policy is in effect, user passwords do not expire.

Standard

A standard password policy that incorporates industry best practices. Requirements include:

Passphrase

A password policy that accepts the use of passphrases. Requirements include:

To perform password policy management operations, you need to know the environment ID for the associated password policy.

Password policies data model

| Property | Description |
| --- | --- |
| bypassPolicy | A boolean that specifies whether the user’s password policy should be ignored. If this property is omitted from a set password request, its value is set to false. |
| currentPassword | A string that specifies the current password that must be verified before the new password is set. Required for self change (when the user whose password is being changed is the same as the actor in the access token) when the user already has a password. |
| default | Boolean that specifies whether this password policy is enforced within the environment. When set to true, all other password policies are set to false. |
| description | A string that specifies the brief description of the password policy. |
| environment.id | A string that specifies the ID of the environment resource referenced by this relationship. |
| excludesCommonlyUsed | Boolean that ensures the password is not one of the commonly used passwords. |
| excludesProfileData | Boolean that ensures the password does not match (exact and substring) the value of any attribute in the user’s profile, such as name, phone number, or address. |
| history.count | An integer that specifies the number of prior passwords to keep for prevention of password re-use. The value must be a positive, non-zero integer. |
| history.retentionDays | An integer that specifies the length of time to keep recent passwords for prevention of password re-use. The value must be a positive, non-zero integer. |
| id | A string that specifies the password resource’s unique identifier. |
| length.max | An integer that specifies the maximum number of characters allowed for the password. This property is not enforced when not present. |
| length.min | An integer that specifies the minimum number of characters required for the password. This property is not enforced when not present. |
| lockout.durationSeconds | An integer that specifies the length of time before a password is automatically moved out of the lock out state. The value must be a positive, non-zero integer. |
| lockout.failureCount | An integer that specifies the number of tries before a password is placed in the lock out state. The value must be a positive, non-zero integer. |
| maxAgeDays | An integer that specifies the maximum number of days the same password may be used before it must be changed. The value must be a positive, non-zero integer. The value must be greater than the sum of minAgeDays (if set) + 21 (the expiration warning interval for passwords). |
| maxRepeatedCharacters | An integer that specifies the maximum number of repeated characters allowed. This property is not enforced when not present. |
| minAgeDays | An integer that specifies the minimum number of days a password must be used before changing. The value must be a positive, non-zero integer. This property is not enforced when not present. |
| minCharacters | A set of key-value pairs where the key is a string containing all the characters that may be included and the value is the minimum number of times one of the characters must appear in the password. The only allowed keys are ABCDEFGHIJKLMNOPQRSTUVWXYZ, abcdefghijklmnopqrstuvwxyz, 0123456789, and ~!@#$%^&*()-_=+[]{}\|;:,.<>/?. This property is not enforced when not present. |
| minComplexity | An integer that specifies the minimum complexity of the password based on the concept of password haystacks. The value is the number of days required to exhaust the entire search space during a brute force attack. This property is not enforced when not present. |
| minUniqueCharacters | An integer that specifies the minimum number of unique characters required. This property is not enforced when not present. |
| name | A string that specifies the name of the password policy. This value must be unique within the environment. |
| newPassword | A string that specifies the new password. |
| notSimilarToCurrent | Boolean that ensures that the proposed password is not too similar to the user’s current password based on the Levenshtein distance algorithm. |
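
The following Python function is an added example, not code from PingOne or from this page. It checks a policy document against three constraints the data model states before the document is submitted: the positive, non-zero integer rule, the maxAgeDays lower bound, and the allowed minCharacters keys. It assumes that dotted property names such as history.count denote nested JSON objects and that the backslash before "|" in the special-character key is a table escape; validate_policy, lookup, is_int and the sample policies are hypothetical names and constructed data.

```python
EXPIRATION_WARNING_DAYS = 21  # warning interval stated in the maxAgeDays row

# Only keys the data model allows in minCharacters. Assumption: the backslash
# before "|" on the page is a table escape, so the key holds a plain "|".
ALLOWED_CHARSETS = {
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "abcdefghijklmnopqrstuvwxyz",
    "0123456789",
    "~!@#$%^&*()-_=+[]{}|;:,.<>/?",
}
# Properties that must be positive, non-zero integers when present.
POSITIVE_INTS = ("history.count", "history.retentionDays", "lockout.durationSeconds",
                 "lockout.failureCount", "maxAgeDays", "minAgeDays")

def lookup(policy, dotted):
    """Resolve 'history.count' style names in nested dicts (assumed JSON layout)."""
    node = policy
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def is_int(value):
    # bool is a subclass of int in Python, so exclude it explicitly
    return isinstance(value, int) and not isinstance(value, bool)

def validate_policy(policy):
    """Return a list of violations; an empty list means every check passed."""
    errors = []
    for name in POSITIVE_INTS:
        value = lookup(policy, name)
        if value is not None and (not is_int(value) or value <= 0):
            errors.append(f"{name}: must be a positive, non-zero integer")
    max_age, min_age = policy.get("maxAgeDays"), policy.get("minAgeDays")
    if is_int(max_age):
        # maxAgeDays must exceed minAgeDays (if set) plus the warning interval
        floor = (min_age if is_int(min_age) else 0) + EXPIRATION_WARNING_DAYS
        if max_age <= floor:
            errors.append(f"maxAgeDays: must be greater than {floor}")
    for key in (policy.get("minCharacters") or {}):
        if key not in ALLOWED_CHARSETS:
            errors.append(f"minCharacters: {key!r} is not an allowed key")
    return errors

# Constructed sample policies, not taken from the PingOne documentation.
SAMPLE_BAD = {"minAgeDays": 1, "maxAgeDays": 22, "lockout": {"failureCount": 0},
              "minCharacters": {"0123456789": 1, "abc": 1}}
SAMPLE_OK = {"minAgeDays": 1, "maxAgeDays": 182, "lockout": {"failureCount": 5},
             "minCharacters": {"0123456789": 1}}
```

Calling validate_policy(SAMPLE_BAD) reports the zero lockout.failureCount, the maxAgeDays value that does not clear minAgeDays + 21, and the unrecognized minCharacters key; validate_policy(SAMPLE_OK) returns an empty list.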

Response codes

| Code | Message |
| --- | --- |
| 200 | Successful operation. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 404 | The requested resource was not found. |