Dear community,
we want to change our password policy and set more restrictive password rules. We use an organizational security policy to set the password restrictions.
The question is: when will the new settings be taken into account? The next time users log in or the next time they change their password?
We would like to ensure that users are only prompted to change their password when their current password expires and then have to assign themselves a new password in accordance with the stricter rules. Is this behaviour feasible?
Thanks in advance for your replies.
Kind regards
Michael
This will not invalidate the old passwords since there is no way to gauge the complexity of the existing password from its hash, which is actually saved. You will be able to do what you are attempting. Best is to try this out.
Haven't tested it though.
Hi @Rajneesh Sharma,
thanks for your reply.
Maybe I should clarify 'invalidate passwords'. For me, it means that users whose current password does not comply with the new policies will be asked to change their password immediately. It does not mean that all users will change their password.
For testing, we created a new 'explicit' policy and assigned it to some users for testing. These users received a notification immediately on their next login that their password did not comply with the policy and were prompted to change it. Frankly speaking, that was not what we expected. We had the same thoughts as you.
Kind regards
Michael
That implies, regardless of the complexity of the old password, the users are forced to change the pw. Strange. It seems like the same stick being used for all regardless of whether you already complied with the new policy or not.
Did you try selecting No for 'Change password on first Notes client use'?
Ok, next clarification.
Not all test users were prompted to change the password. Only those users whose passwords didn't comply with the new policy. I didn't mention this.
Then I guess my answer was wrong.
But worth finding out if the actual password is saved instead of the hash. I thought only hashes were saved from v 10 onwards.
How does the adherence to the new pw policy get checked if pws are not saved?
This is exactly the question I asked myself.
My explanation would be that the client directly compares the password entered with the saved security policy. Only the hash is saved.
Security-wise it would make sense never to save the pw but instead just the hash. But maybe our interpretation was misplaced. However, I don't know the internals, but one method could be to save the complexity of the pw as some metric and use that as the comparison method to check for adherence to the pw policy, as in the case being discussed.
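The explanation Michael gives above (the client compares the password the user just typed against the policy, while the directory holds only a hash) is consistent with what the test showed: only users whose current password failed the new rules were prompted, and nothing about the stored hash was needed for that decision. The following is an added illustration of that mechanism written for this thread; it is not HCL Domino/Notes code and makes no claim about how Notes implements the check internally. The PBKDF2 storage, the policy values (12 characters, three character classes) and the two constructed user records are assumptions chosen for the example.

```python
"""Policy enforcement at login when only password hashes are stored.

Added illustration for the thread above; constructed example, not Notes/Domino code.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed policy standing in for the "stricter rules" discussed in the thread.
POLICY = {
    "min_length": 12,
    "classes_required": 3,  # out of: upper, lower, digit, symbol
}

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store only a salted PBKDF2 hash; the plaintext is never written anywhere."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def policy_violations(password: str, policy: Dict = POLICY) -> List[str]:
    """Evaluate the plaintext against the policy.

    This is only possible while the plaintext is in hand (at login or at a
    password change); the stored hash reveals nothing about length or classes,
    which is exactly why a new policy cannot be applied to users who are not
    logging in.
    """
    violations: List[str] = []
    if len(password) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < policy["classes_required"]:
        violations.append(
            f"only {classes} of {policy['classes_required']} required character classes"
        )
    return violations


def login(directory: Dict, user: str, password: str, policy: Dict = POLICY) -> Dict:
    """Authenticate against the stored hash, then decide whether to force a change.

    Returns {'authenticated': bool, 'must_change': bool, 'violations': [...]}.
    A user whose old password is already compliant is authenticated and left alone;
    a non-compliant one is authenticated but flagged for an immediate change.
    """
    record = directory.get(user)
    if record is None or not verify_password(password, record["salt"], record["hash"]):
        # No policy evaluation on a failed login: there is nothing to assess.
        return {"authenticated": False, "must_change": False, "violations": []}
    violations = policy_violations(password, policy)
    return {"authenticated": True, "must_change": bool(violations), "violations": violations}


def build_directory() -> Dict:
    """Constructed directory: one user compliant with the new policy, one not."""
    directory: Dict = {}
    for user, pw in (("alice", "Correct-Horse-Battery-42"), ("bob", "hunter2")):
        salt, digest = hash_password(pw)
        directory[user] = {"salt": salt, "hash": digest}
    return directory


if __name__ == "__main__":
    d = build_directory()
    for user, pw in (("alice", "Correct-Horse-Battery-42"), ("bob", "hunter2"), ("bob", "wrong")):
        print(user, login(d, user, pw))
```

Run as a script, alice is authenticated without a change prompt, bob is authenticated but flagged with two violations, and a wrong password for bob fails without any policy evaluation. The stored records are identical in shape for both users, which is the point: the decision to prompt comes from the plaintext seen at login, not from anything recoverable from the hash.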