Password Formula

Privileged Access Management (PAM) Password Formulas define password complexity and length.

When PAM is used to automatically generate a new password, it uses the defined Formula to generate a random value that conforms to the Formula's requirements.

System Formulas can be unique to record types (e.g. a different formula for Windows vs Unix endpoints) or unique to individual records (e.g. a different formula for each Windows endpoint).

 

If you manually enter a new password to be used for the reset procedure, it also must meet the requirements defined in the formula.

To define your System formula on a record type, you will need to have the System Administrator role.

Once logged in with your System Administrator account, navigate to Administration > Record Types and then click the Edit button next to the record type you wish to update.

Finally, click the Formula button to open its configuration page. Make the required changes to the formula and then click the Save button to finalize the update.

 

To define your PAM formula on a record, you will need to have at least the Editor role for this record.

Once logged in, select the Manage > Formula option and then the Make Unique button on its configuration page to break the Formula inheritance.

Make the required changes to the formula and then click the Save button to finalize the update.

 


XKCD generator to password formula

The XKCD generator is available in the password formula as an option to construct passwords from several dictionary words separated by the provided delimiter.

The strength and practical use of such passwords were popularized by the XKCD comic strip, which presented them as easy for people to remember and hard for computers to break.

The XKCD password generator allows you to specify the number of words to use, the set of separators and the number of lower- and upper-case letters in the passwords, as an alternative to the traditional requirements for the presence of numbers, special characters, and upper- and lower-case characters in the passwords.


Formula Options

The following options are available when configuring your PAM formula. Enter a zero to exclude the option from the formula.

  • XKCD Formula: Formula that generates a password from several random words of an English dictionary separated by the specified delimiter. This kind of password is much easier to remember.
  • Minimum Password Length: Define the minimum number of characters. Must be a value of 1 or higher.
  • Maximum Password Length: Define the maximum number of characters. Be aware of the password length limit on your systems when entering this value. Older systems may not support extremely long passwords, which could result in errors.
  • Minimum Number of Upper Case Characters: Define the minimum number of upper case characters.
  • Minimum Number of Lower Case Characters: Define the minimum number of lower case characters.
  • Minimum Number of Numeric Characters: Define the minimum number of numeric characters.
  • Minimum Number of Special Characters: Define the minimum number of non-alphanumeric characters. You may also customize the list of available non-alphanumeric characters that can be used.
  • Minimum Number of Whitespace Characters: Define the minimum number of whitespace (spaces) characters.
  • Forbid Using User Name: Enable this option to forbid the user from entering their name in the password.

PAM will not allow you to create a formula whose combined minimum-count options do not fit within your min / max password length. For example, if your formula has a password length of 20-30 (min-max) characters and you attempt to define a minimum of 10 upper, 10 lower, 10 numeric and 10 special characters, this would generate a password of at least 40 characters, which is outside of the permissible range.
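The feasibility rule above, together with a generator that honours the formula options, as an added Python example that is not PAM's own code. The dictionary keys, the special-character list and the treatment of a zero minimum as removing that class from the candidate pool are assumptions made for illustration.

```python
import secrets
import string

# Assumed model of a formula: the keys and the special-character list are
# constructed for this example and are not PAM's configuration schema.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "numeric": string.digits,
    "special": "!@#$%^&*()-_=+",
    "whitespace": " ",
}

def validate(formula):
    """Return a list of problems; an empty list means the formula is satisfiable."""
    problems = []
    lo, hi = formula["min_length"], formula["max_length"]
    required = sum(formula.get(k, 0) for k in CLASSES)
    if lo < 1:
        problems.append("minimum length must be 1 or higher")
    if hi < lo:
        problems.append("maximum length is below minimum length")
    if required == 0:
        problems.append("no character class is enabled")
    if required > hi:
        problems.append(f"class minimums need {required} characters, maximum is {hi}")
    return problems

def generate(formula, username=None):
    """Generate a random password that satisfies the formula, or raise ValueError."""
    problems = validate(formula)
    if problems:
        raise ValueError("; ".join(problems))
    rng = secrets.SystemRandom()  # OS CSPRNG, not the default Mersenne Twister
    # Assumption: a zero minimum removes that class from the candidate pool.
    enabled = {k: v for k, v in CLASSES.items() if formula.get(k, 0) > 0}
    pool = "".join(enabled.values())
    required = sum(formula[k] for k in enabled)
    length = rng.randint(max(formula["min_length"], required), formula["max_length"])
    while True:
        # Satisfy each class minimum first, pad from the pool, then shuffle
        # so the required characters do not sit at predictable positions.
        chars = [rng.choice(a) for k, a in enabled.items() for _ in range(formula[k])]
        chars += [rng.choice(pool) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        password = "".join(chars)
        # "Forbid Using User Name": retry if the name appears, ignoring case.
        if not username or username.lower() not in password.lower():
            return password
```

Running `validate` on a candidate policy before rolling it out also shows how much of the maximum length the class minimums already consume on a legacy endpoint.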

To create a custom dictionary, add a list of words to the text file eng_words.txt, one word per line, zip the file as eng_words.zip and copy the ZIP to the $PAM_HOME/content/templates folder. Use the default dictionary located at $PAM_HOME/web/webapps/pam/templates/eng_words.zip as an initial template.