IBMid Password
Password creation
- IBMid has incorporated a password strength estimator into Registration, Password Reset, and Password change. A password is evaluated for strength regardless of character makeup. Only passwords that are estimated as strong are accepted.
Creating a password for an IBMid requires that the password meet minimum limits on strength and character content. These limits are:
- Must be only single-byte characters. See Single-byte characters.
- Must be 12 to 63 characters long
- Must contain at least one number, one uppercase letter, and one lowercase letter
- Can contain any special character from a standard keyboard
- Cannot contain the phrase "password"
- Cannot contain your IBMid
- Cannot contain your First or Last name
- Spaces cannot be used as the first or last character. If provided, they are removed before the password is evaluated
- When a password is changed or reset, the new password cannot be the same as the current password or any of the 24 previously used passwords.
- Furthermore, only select user interfaces are entitled to access the APIs that allow password creation (or update). These standard user interfaces enforce a password meter that coaches the user to create a password stronger than the minimum, and they perform additional dictionary checks for common passwords and weak word combinations.
- In accordance with the Italian Privacy Act, passwords for all Italian users expire every 90 days.
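The rule list above is concrete enough to implement as a checker. The following is an added example, not IBM's code: it applies the length, character-class, "password", IBMid, name, surrounding-space and 24-password-history rules, and shows how the history window is rotated on a successful change. The strength estimator and dictionary checks the page mentions are not reproduced. Assumptions, labelled in the comments: "single-byte characters" is read as ASCII, the IBMid and name containment checks are case-insensitive, and the account record, its field names and the sample values are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field

MIN_LEN, MAX_LEN = 12, 63
HISTORY_DEPTH = 25  # the current password plus the 24 prior ones, as the page states


@dataclass
class Account:
    """Constructed account record (hypothetical field names, not IBM's schema).
    password_history holds fingerprints, most recent (the current password) first."""
    ibmid: str
    first_name: str
    last_name: str
    password_history: list = field(default_factory=list)


def fingerprint(password: str) -> str:
    """History entry for a password. Plain SHA-256 keeps the example short;
    a production store would verify against a salted, slow password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, account: Account) -> list:
    """Return the list of policy violations; an empty list means the candidate passes."""
    # Leading/trailing spaces are dropped: the page says the password is
    # considered without them.
    pw = candidate.strip(" ")
    lowered = pw.lower()
    errors = []
    # "single-byte characters" is read here as ASCII (assumption).
    if any(ord(ch) > 0x7F for ch in pw):
        errors.append("contains a non-single-byte character")
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        errors.append(f"length must be {MIN_LEN} to {MAX_LEN} characters")
    if not re.search(r"[0-9]", pw):
        errors.append("missing a number")
    if not re.search(r"[A-Z]", pw):
        errors.append("missing an uppercase letter")
    if not re.search(r"[a-z]", pw):
        errors.append("missing a lowercase letter")
    if "password" in lowered:
        errors.append('contains the phrase "password"')
    # Containment checks are case-insensitive (assumption).
    if account.ibmid and account.ibmid.lower() in lowered:
        errors.append("contains the IBMid")
    for label, name in (("first", account.first_name), ("last", account.last_name)):
        if name and name.lower() in lowered:
            errors.append(f"contains the {label} name")
    if fingerprint(pw) in account.password_history[:HISTORY_DEPTH]:
        errors.append("matches the current password or one of the 24 prior passwords")
    return errors


def change_password(account: Account, new_password: str) -> list:
    """Apply the checks; on success make the new password current and trim the
    history so that exactly the current plus 24 prior passwords are retained."""
    errors = check_password(new_password, account)
    if errors:
        return errors
    account.password_history.insert(0, fingerprint(new_password.strip(" ")))
    del account.password_history[HISTORY_DEPTH:]
    return []


if __name__ == "__main__":
    # Constructed sample account and candidates.
    acct = Account("jane.doe@example.com", "Jane", "Doe",
                   password_history=[fingerprint("Current#Secret2024")])
    for cand in ("  Tr0ub4dor&3horse!  ", "password123ABC", "Abc1",
                 "Current#Secret2024", "JaneRules2024!!"):
        print(repr(cand), "->", check_password(cand, acct) or "OK")
```

The history window is the part most often implemented wrongly: the page counts the current password plus 24 prior ones, so the comparison must cover 25 entries, and rotation must drop the oldest only after a successful change.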
Tips for creating a strong password
- Memorable to you but difficult for others to guess
- Mixing upper and lowercase letters, numbers, and special characters adds complexity
- Avoid obvious words (e.g., MyPassword2), proper names (e.g., Michael123), or pop culture icons (e.g., Superman1) as part of your password
Password lockout
If a user, or a malicious attacker, attempts to log in with an incorrect password 5 consecutive times, regardless of the time period between the unsuccessful attempts, the user's IBMid is locked out. An email is sent to the user's email address notifying them that the IBMid is locked. The lockout lasts 30 minutes, after which it is automatically cleared and the user is allowed to attempt authentication again. The user can also reset their password, using the reset password flow, to clear a lockout.
- This applies only to non-Federated IBMids. If a user has a Federated IBMid, it is the responsibility of the client's IdP to manage the account lockout.
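The lockout behaviour described above can be modelled as a small state machine. The following is an added example, not IBM's implementation: it counts consecutive failures without any time-based decay (the page says the time between attempts does not matter), locks the identity on the fifth failure, sends one notification, refuses even a correct password while the lock is active, clears the lock automatically after 30 minutes, and clears it immediately on a password reset. The class and method names, the injectable clock and notifier, and the assumption that the failure counter resets when a lock expires are constructed for the example; federated identities are not tracked here because the page assigns their lockout to the client's IdP.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_CONSECUTIVE_FAILURES = 5
LOCKOUT_SECONDS = 30 * 60


@dataclass
class _LockState:
    consecutive_failures: int = 0
    locked_until: Optional[float] = None  # epoch seconds; None means not locked


class LockoutTracker:
    """Hypothetical lockout tracker for non-federated identities (constructed example)."""

    def __init__(self, notify: Callable[[str], None], clock: Callable[[], float] = time.time):
        self.notify = notify      # sends the "your IBMid is locked" email
        self.clock = clock        # injectable for testing
        self._state: Dict[str, _LockState] = {}

    def _get(self, ibmid: str) -> _LockState:
        return self._state.setdefault(ibmid, _LockState())

    def is_locked(self, ibmid: str) -> bool:
        """True while a lock is active. An expired lock is cleared on inspection."""
        st = self._get(ibmid)
        if st.locked_until is None:
            return False
        if self.clock() >= st.locked_until:
            # The 30-minute lockout has elapsed: clear it automatically.
            # Resetting the counter on expiry is an assumption.
            st.locked_until = None
            st.consecutive_failures = 0
            return False
        return True

    def record_attempt(self, ibmid: str, credentials_valid: bool) -> str:
        """Process one login attempt and return "locked", "ok" or "failed"."""
        st = self._get(ibmid)
        if self.is_locked(ibmid):
            # Nothing is evaluated while locked, so a correct password does not help.
            return "locked"
        if credentials_valid:
            st.consecutive_failures = 0
            return "ok"
        # The counter never decays with time: five failures lock the identity
        # no matter how far apart they are.
        st.consecutive_failures += 1
        if st.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            st.locked_until = self.clock() + LOCKOUT_SECONDS
            self.notify(ibmid)
            return "locked"
        return "failed"

    def password_reset(self, ibmid: str) -> None:
        """A completed reset-password flow clears the lockout and the counter."""
        self._state[ibmid] = _LockState()


if __name__ == "__main__":
    # Constructed walkthrough with a controllable clock.
    now = [1_000.0]
    tracker = LockoutTracker(notify=lambda who: print("notify:", who), clock=lambda: now[0])
    for attempt in range(5):
        print("attempt", attempt + 1, tracker.record_attempt("jane", False))
    print("correct password while locked:", tracker.record_attempt("jane", True))
    now[0] += LOCKOUT_SECONDS
    print("after 30 minutes:", tracker.record_attempt("jane", True))
```

From a detection standpoint the notification callback is the hook worth wiring into monitoring: a burst of lock notifications across many identities is the signal for password spraying, which a per-account counter alone does not reveal.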