Set Up Password Manager Policies

Password policies are critical to securing access to an organization’s resources. EmpowerID provides flexible, customizable Password Manager Policies that enforce password complexity, expiration, login controls, and self-service recovery mechanisms.

This article walks through creating and configuring a new Password Manager Policy in EmpowerID. The concepts and settings described here also apply when modifying existing policies.

Default Policy Behavior

By default, EmpowerID assigns users discovered during inventory to the Default Password Manager Policy. You can modify this default policy or create custom policies and assign them to specific users or groups.

Prerequisites

  • EmpowerID administrator access
  • Familiarity with password security and MFA principles
  • EmpowerID Web UI access
  • Email server configured (for password expiration notifications)

Create a Password Manager Policy

  1. In the EmpowerID Web UI, navigate to Password Management > Password & Login Policies.
  2. Click the Add New Policy button.
    (Screenshot: the Add New Policy button)
  3. In the Policy Details form, under the General tab, complete the following fields:
    • Name
    • Display Name
    • Description
  4. Configure desired settings as described in the sections below.
  5. Click Save.

General Settings

Password Complexity Settings

Set password rules that govern character requirements and composition.

  • Password Use Windows Complexity: Enforces Microsoft AD password complexity. Overrides all other complexity settings.

If Windows complexity is not used, configure the following settings:

| Setting | Description |
| --- | --- |
| Min Length | Minimum number of characters required |
| Max Length | Maximum number of characters allowed |
| Min Digits | Minimum number of digits |
| Min Special Characters | Minimum number of special characters |
| Maximum Pairs of Repeating Characters | Maximum number of repeated character pairs |
| Restrict First X Characters Of Login | Number of leading characters of the user's login that may not appear in the password (e.g. 3 forbids the first 3 characters of the login) |
| Password Requires Mixed Case | Enforces a mix of uppercase and lowercase letters |
| Require Leading Letter | Password must start with a letter |
| Require Mainframe Compatibility | Limits the password to 8 characters with no special characters |
| Regular Expression Validator | Optional RegEx the password must match (applied in addition to the other constraints) |
| Password Prevent Username Words | Forbids the username in the password |
| Password Prevent Dictionary Words | Forbids use of dictionary words |
| Dictionary Word Set | Specifies the dictionary whose words are forbidden |

Dictionary Word Sets

EmpowerID includes two default Dictionary Word Sets. You can edit them or create your own.
See: Configure Dictionary Words for Password Policies
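To make the interplay of these settings concrete, here is an added example (not EmpowerID code) that evaluates a candidate password against a policy object modelled on the table above. The field names, defaults, special-character set and the interpretation of "repeating pair" (two adjacent identical characters) and of the login-prefix check (case-insensitive substring) are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

SPECIAL = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|`~'\"")  # constructed special-character set


@dataclass
class ComplexityPolicy:
    """One field per setting in the Password Complexity table; defaults are constructed."""
    min_length: int = 8
    max_length: int = 64
    min_digits: int = 1
    min_special: int = 1
    max_repeating_pairs: int = 2
    restrict_first_x_of_login: int = 3
    require_mixed_case: bool = True
    require_leading_letter: bool = True
    require_mainframe_compat: bool = False
    regex_validator: Optional[str] = None
    prevent_username_words: bool = True
    dictionary_words: frozenset = frozenset()


def check_password(pw: str, login: str, p: ComplexityPolicy) -> list[str]:
    """Return the names of the violated settings; an empty list means the password passes."""
    low, v = pw.lower(), []
    if len(pw) < p.min_length: v.append("Min Length")
    if len(pw) > p.max_length: v.append("Max Length")
    if sum(c.isdigit() for c in pw) < p.min_digits: v.append("Min Digits")
    if sum(c in SPECIAL for c in pw) < p.min_special: v.append("Min Special Characters")
    # Assumption: a "repeating pair" is two adjacent identical characters ("aa", "11").
    if sum(a == b for a, b in zip(pw, pw[1:])) > p.max_repeating_pairs:
        v.append("Maximum Pairs of Repeating Characters")
    # Assumption: the first X characters of the login are matched case-insensitively.
    x = p.restrict_first_x_of_login
    if x and login and login[:x].lower() in low: v.append("Restrict First X Characters Of Login")
    if p.require_mixed_case and not (low != pw and pw.upper() != pw):
        v.append("Password Requires Mixed Case")
    if p.require_leading_letter and not pw[:1].isalpha(): v.append("Require Leading Letter")
    if p.require_mainframe_compat and (len(pw) > 8 or any(c in SPECIAL for c in pw)):
        v.append("Require Mainframe Compatibility")
    # The regex adds to the other constraints; it does not replace them.
    if p.regex_validator and not re.fullmatch(p.regex_validator, pw):
        v.append("Regular Expression Validator")
    if p.prevent_username_words and login and login.lower() in low:
        v.append("Password Prevent Username Words")
    if any(w.lower() in low for w in p.dictionary_words):
        v.append("Password Prevent Dictionary Words")
    return v
```

Returning every violated setting, rather than stopping at the first, is what lets a self-service UI tell the user exactly which rules the new password still misses.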

Password Change Policy Settings

Controls when and how users may or must change passwords.

| Setting | Description |
| --- | --- |
| Password Prevent Change | Prevents user-initiated password changes |
| Password Allow Reuse After X Days | Time period before a password can be reused |
| Password Allow Reuse After X Changes | Number of changes before a password can be reused |
| Password Require Change Every X Days | Maximum password age |
| Min Age to Allow Change (X Days) | Minimum password age before a change is allowed |
| Notify X Days Before Expires | Days before expiration to notify the user |
| ReNotify Every X Days | Repeat interval for expiration reminders |
| Password Expiration Notification | Enables the workflow that sends expiration emails |

Enable Email Alerts

To send password expiration emails, the Password Expiration Notification permanent workflow must be enabled.

Authentication Settings

Login Policy Settings

Define login behavior and multifactor requirements.

| Setting | Description |
| --- | --- |
| Min Login LoA if Local | Required MFA points for internal users |
| Min Login LoA if Remote | Required MFA points for external users |
| Min Passwordless Login LoA if Local | MFA points required for internal passwordless login |
| Min Passwordless Login LoA if Remote | MFA points required for external passwordless login |
| Default Home Page | Post-login redirect URL (relative, e.g., #N/ITShop/SelfService) |
| Attempts Before Lockout | Failed login attempts before lockout |
| Login Lockout Failure Window | Time window (minutes) in which failed attempts are counted |
| Login Lockout Duration (Minutes) | Lockout duration after the limit is reached |
| Allow Remembered Registered Device | Enables remembered devices |
| Allow Remember Registered Device X Days | Days to remember trusted devices |

Login Behavior Notes
  • MFA points must meet or exceed the LoA (Level of Assurance) value.
  • If Default Home Page is empty, users land on their personal dashboard.
  • Home page overrides set directly on a person take precedence over policy settings.

One-Time Password Lockout Settings

Configure lockout settings for one-time password (OTP) authentication failures.

| Setting | Description |
| --- | --- |
| One Time Password Attempts Before Lockout | OTP failures before lockout |
| One Time Password Attempts Window (Minutes) | Time window in which OTP failures are counted |
| One Time Password Lockout Duration (Minutes) | Lockout time after the OTP failure limit is reached |

LDAP Policy Settings

Settings for EmpowerID Virtual Directory users.

| Setting | Description |
| --- | --- |
| Allow LDAP Authentication | Enables LDAP authentication for VDS users |
| Require 2nd Factor for LDAP | Requires MFA (OATH token) |
| Enable Login if no Token Assigned | Allows login without an OATH token |

RADIUS Policy Settings

Settings for RADIUS-based authentication.

| Setting | Description |
| --- | --- |
| Allow RADIUS Authentication | Enables RADIUS authentication |
| Require 2nd Factor for RADIUS | Requires MFA (OATH token) |
| Enable RADIUS Login if no Token Assigned | Allows login without an OATH token |

Custom Login Handler

Use this if implementing a custom login workflow.

| Setting | Description |
| --- | --- |
| Login Handler Assembly | Specifies the custom handler assembly |
| Login Handler Type | Specifies the login handler type name |

Self-Service Password Reset Settings

Password Reset Recovery

Configure options for forgotten password recovery workflows.

| Setting | Description |
| --- | --- |
| Enable Multifactor Reset During Recovery | Requires MFA to reset a forgotten password |
| Enable Question Answer Reset During Recovery | Requires challenge questions for reset |
| Force Enrollment During Login | Forces enrollment on first login |

Password Reset Multifactor Requirements

Used if MFA is enabled for recovery.

| Setting | Description |
| --- | --- |
| Min Reset LoA if Local | LoA points required for internal users |
| Min Reset LoA if Remote | LoA points required for external users |

Password Reset Enrollment Settings

Used if challenge questions are enabled for recovery.

| Setting | Description |
| --- | --- |
| Number of Custom Questions Asked for Enrollment | Custom questions users must define |
| Number of Selectable Questions Asked for Enrollment | Predefined questions users must answer |
| Number of Help Desk Questions Asked for Enrollment | Questions answered for Help Desk use |
| Expire Enrollment After (Days) | Days until enrollment expires |
| Number of Recovery Questions Asked for Password Reset | Questions asked during reset |
| Number of Recovery Minimum Answers for Password Reset | Correct answers required to proceed |
| Enrollment Prevent Duplicate Answers | Forbids reusing answers |
| Enrollment Prevent Question Word in Answer | Forbids using words from the question in the answer |
| Enrollment Expiration Enabled | Enforces re-enrollment based on the expiration setting |

Password Reset Lockout Settings

Define how recovery lockouts are handled.

| Setting | Description |
| --- | --- |
| Enable Reset Center Lockout Policy | Enables recovery center lockout |
| Allow X Attempts Before Lockout | Failed challenge attempts before lockout |
| During an X Minute Window | Time window in which failures are counted |
| Lockout Duration | Minutes before locked-out users can retry |
| Bypass Min Password Age | Allows users to bypass password age restrictions |
| Bypass Password History | Allows reuse of old passwords when recovering |
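The login, one-time password and reset-center lockout settings above share one shape: an attempt threshold, a failure window in minutes and a lockout duration in minutes. The following added example (not EmpowerID code) evaluates those three values against a list of failure timestamps so the window semantics can be checked; it assumes a sliding window measured back from each failure, a lockout that starts at the failure reaching the threshold, and that failures before an expired lockout no longer count.

```python
from datetime import datetime, timedelta
from typing import Optional


def lockout_state(failures: list[datetime], now: datetime, attempts_before_lockout: int,
                  window_minutes: int, lockout_minutes: int) -> tuple[bool, Optional[datetime]]:
    """Return (is_locked, locked_until) for the given failure history at time `now`.

    Assumptions: the failure window slides back from each failure, the lockout starts
    at the failure that reaches the threshold, and once a lockout has expired the
    failures that caused it are no longer counted.
    """
    window = timedelta(minutes=window_minutes)
    recent: list[datetime] = []
    for t in sorted(failures):
        if t > now:
            break  # ignore timestamps that lie in the future relative to `now`
        recent = [r for r in recent if t - r < window] + [t]
        if len(recent) >= attempts_before_lockout:
            locked_until = t + timedelta(minutes=lockout_minutes)
            if now < locked_until:
                return True, locked_until
            recent = []  # lockout already expired; start counting afresh
    return False, None


# Constructed sample history: failures at 12:00, 12:02, 12:04 (burst) and 12:00, 12:06, 12:12 (spread).
BASE = datetime(2024, 1, 1, 12, 0)
BURST = [BASE + timedelta(minutes=m) for m in (0, 2, 4)]
SPREAD = [BASE + timedelta(minutes=m) for m in (0, 6, 12)]


def demo() -> dict:
    """Apply a 3-attempts / 10-minute / 30-minute login policy, then OTP-style 5 / 15 / 60 values."""
    return {
        "burst_at_5": lockout_state(BURST, BASE + timedelta(minutes=5), 3, 10, 30),
        "burst_at_40": lockout_state(BURST, BASE + timedelta(minutes=40), 3, 10, 30),
        "spread_at_13": lockout_state(SPREAD, BASE + timedelta(minutes=13), 3, 10, 30),
        "otp_burst_at_5": lockout_state(BURST, BASE + timedelta(minutes=5), 5, 15, 60),
    }
```

The "spread" case shows why the window matters: three failures that never fall inside one 10-minute window do not trigger the lockout, whereas the same three failures within 4 minutes lock the account until 12:34.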

User Agreements

To assign usage agreements to a Password Manager Policy:

  1. Navigate to Password & Login Policies.
  2. Locate and click the Display Name of the desired policy.
  3. On the View page, expand the User Agreements section.
  4. Click Add New and complete:
    • Name
    • Display Name
    • Usage Agreement Text (HTML)
    • Description
    • Priority (Lower is Higher)
    • Version
  5. Click Save.

Once saved, users must accept the agreement on their next login.

(Screenshot: User Agreement example)