Idea ID: 2786794

update universal password policy to support latest NIST guidelines

Status: Waiting for Votes
over 1 year ago
https://pages.nist.gov/800-63-3/sp800-63b.html

Current behavior: the password is only expired on an administrator reset if "Number of days before password expires" is enabled in the policy.

Proposed behavior: the password is expired on an administrator reset without requiring a password lifetime to be configured.

To reproduce: create a policy with "Do not expire the user's password when the administrator sets the password" set to FALSE, and leave all boxes under "Password Lifetime" UNCHECKED. Although the policy dictates that the password should be expired after the administrator resets it, this does not occur, and the user is able to authenticate successfully with the new password.

However, after checking the box "Number of days before password expires", setting a value, and then resetting the password as administrator, the password DOES expire.

The concern is that the current NIST guidelines (SP 800-63B, linked above) state that passwords should not be expired on a regular interval, only when there is evidence of compromise. We should not have to enable a password lifetime just to expire the password after an administrator reset. NDS Password already provides this behavior, but Universal Password does not.

Labels: Configuration