Idea ID: 2876068

Enlarge Password Policy Password Expire Interval

Status: Needs Clarification

CC:    

Password expire intervals are usually kept short for improved security. Can you please help us understand how does changing 365 to 999 help your use case? 

Thanks.

See status update history

In an eDirectory password policy the maximal password expire interval is limited to 365 days. It would be nice if this limit could be enlarged to at least 999 days (or an unsigned int).

Switching off password expiring is not always an option because then one looses e.g. grace logins (for the start password etc.).

Tags:

  • The PM of OES asked me to move this to the eDirectory idea exchange!

    OpenText Community Manager
    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

  • People will pay to be able to shoot themselves in the foot, and will choose products based on such ability.  They may not think of it in those terms, but the steady news of who has been breached lately always includes such choices of  "I want easiest as more important than security"  Imposing overly strong limits, reduces the number of mangers/manglers willing to buy a product.

    The current limit is clearly beyond an 8-bit number, so I don't imagine there being any big technical reason to extending it, even if we build "Danger" flags for when longer is chosen. People don't like to be 'nannied' much.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

  • In principle you are right - password expire intervals shouldn't be to long. But we have two issues.

    (A) For other directories (e.g. MS Active Directory) you can set the  password expire interval beyond 365 days. So, if you do some IdM synchronizations you should be able to set the same intervals in any directory to limit  user/support issues.

    (B) We are an University and management thinks that students should choose a good password at the beginning of their studies and keep it during their student's life - which takes about a little bit less than three years. If they need more time or change rôles they should be forced to use a new password.

    To switch off password ageing would open up new issues for us: No grace logins, no administrative password ageing, no expired password for newly created users etc.