Managing password intelligence

You can use password intelligence to monitor, warn, or prevent the use of weak passwords.

About this task

IBM® Password intelligence allows administrators to enforce and increase the IBM Security Verify capabilities for fine-grained access management. You can use the IBM Security X-Force dictionary list, your custom password list, or both.

Enforcement options
Audit
This option includes an audit log record. The password is checked to determine whether it is in one of the bad password lists, and the result is logged. The user is not notified and the login proceeds.
Note: Logs are generated for all enforcement options.
Warn users with a message.
A warning message is issued, but the login proceeds.
Block action and require user to use a more secure password.
A warning message is issued, and the user is redirected to a change password flow.
The settings are prioritized from lowest to highest as Audit, Warn, then Enforce. For example, if the Audit option is set on your custom list enforcement and the Warn option is set on the X-Force enforcement, and both lists contain the bad password, the Warn option is used rather than the Audit option.
Note: If you select the last option, Prevent login and redirect users to a change password experience, for the user login flow, then Block action and require user to use a more secure password is selected for the create account, password reset, and change password flows.

Procedure

  1. Log in to your tenant Console as an administrator.
  2. Select Security > Password Management.
  3. Select Intelligence List.
  4. Select Default password denial list > Edit list.
    The Add new password configuration selection is displayed.
  5. Select whether to use the IBM Security X-Force® list.
  6. Select the enforcement for the user login flow.
    The enforcement applies to existing users who already have passwords.
  7. Select the enforcement for the create account, password reset, and change password flows.
    The enforcement applies to new accounts and when existing users change or reset their passwords.
  8. Select whether to use a custom password list.
    1. Click the Password Intelligence download icon to download the Password_intelligence_list.csv file.
    2. Open the .csv file and add passwords to the file.
      The .csv file must conform to the Common Format and MIME Type for Comma-Separated Values (CSV) Files. The file supports all Unicode (UCS) characters by using UTF-8 character encoding. The maximum file size is 20 MB and the maximum number of passwords is 1,000,000. Values that contain a special character, such as a comma, must be enclosed in double quotation marks.

      Only the first column of the custom list is used. This column has the header value password.

      password
      badpassword
      "bad""pass,word2"
      Note:
      • The first line (1) of the file must contain the following column value.
        password
      • Column values and names are separated by the comma character.
        {[(.. , .. )]} 
        The custom denial list uses the first column only. Comma separation is not needed.
      • Subsequent lines (2 → …) contain the values for the column.
      • Each line is terminated by a CRLF character sequence.
      • If the value contains a double quotation mark, CR, LF, or comma characters, then surround each value with double quotation marks.

        In this scenario, if the value contains any of these special characters, then the whole value must be prefixed and suffixed by double quotation marks.

        Any embedded double quotation marks " must be doubled "".

      • All space characters are significant.
        Note: This rule is more relevant when multiple comma-separated columns exist.
      • Note: The Cloud Directory REST API for user and group import, which uses .csv files to import the values for the users and groups, is public.
    3. Save and upload the file.
      The content of the file is uploaded to the content of the Password_Intelligence_List.csv file.
  9. Select the enforcement for the user login flow.
    The enforcement applies to existing users who already have passwords.
  10. Select the enforcement for the create account, password reset, and change password flows.
    The enforcement applies to new accounts and when existing users change or reset their passwords.
  11. Select Save changes.
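
The following is an added example, not IBM code, that builds and re-reads a custom list file according to the format rules in step 8 (header line `password`, CRLF line endings, quoting and doubling of double quotation marks, UTF-8, and the 20 MB and 1,000,000 password limits). It uses Python's standard `csv` module; the function names `build_denial_list` and `read_denial_list` are hypothetical.

```python
import csv
import io

MAX_BYTES = 20 * 1024 * 1024   # 20 MB file size limit from step 8
MAX_ENTRIES = 1_000_000        # maximum number of passwords from step 8
HEADER = "password"            # required column value on line 1


def build_denial_list(passwords):
    """Return the custom list as UTF-8 bytes, or raise ValueError."""
    entries = list(passwords)
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} passwords exceeds {MAX_ENTRIES}")
    buf = io.StringIO(newline="")  # keep CRLF exactly as written
    # QUOTE_MINIMAL quotes only values that contain a double quotation
    # mark, CR, LF or comma, and doubles embedded quotation marks.
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\r\n")
    writer.writerow([HEADER])
    writer.writerows([p] for p in entries)
    data = buf.getvalue().encode("utf-8")
    if len(data) > MAX_BYTES:
        raise ValueError(f"file is {len(data)} bytes, limit is {MAX_BYTES}")
    return data


def read_denial_list(data):
    """Parse a list file and return the first-column values unchanged."""
    text = data.decode("utf-8")  # raises UnicodeDecodeError if not UTF-8
    rows = list(csv.reader(io.StringIO(text, newline="")))
    if not rows or not rows[0] or rows[0][0] != HEADER:
        raise ValueError("line 1 must contain the column value 'password'")
    # Only the first column is used; spaces are significant, so no strip().
    return [row[0] for row in rows[1:] if row]


if __name__ == "__main__":
    # Constructed sample values, matching the sample file shown in step 8.
    sample = ["badpassword", 'bad"pass,word2']
    blob = build_denial_list(sample)
    print(blob.decode("utf-8"), end="")
    assert read_denial_list(blob) == sample
```

Reading the generated file back before upload confirms that values with commas, quotation marks, or trailing spaces survive unchanged.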