You can use password intelligence to monitor, warn, or prevent the use of stolen, common,
or known passwords.
About this task
IBM® Password intelligence lets administrators enforce and extend the IBM Verify capabilities for fine-grained access management. You can use the IBM Security X-Force dictionary list, your custom password list, or both.
Enforcement options
- Audit
  This option writes an audit log record. The password is checked to determine whether it is in one of the bad password lists. The user is not notified and the login proceeds.
  Note: Logs are generated for all enforcement options.
- Warn users with a message.
  A warning message is issued, but the login proceeds.
- Block action and require user to use a more secure password.
  A warning message is issued, and the user is redirected to a change password flow.
The settings are prioritized from lowest to highest: Audit, Warn, then Enforce. For example, if the Audit option is set on your custom list enforcement and the Warn option is set on the X-Force enforcement, and both lists contain the bad password, the Warn option is used rather than the Audit option.
Note: If you select the last option, Prevent login and redirect users to a change password experience, for the user login flow, then Block action and require user to use a more secure password is selected for the create account, password reset, and change password flows.
Procedure
- Log in to your tenant Console as an administrator.
- Select .
- Select Intelligence List.
- View the Default password intelligence policy settings.
- Select whether to use the IBM Security® X-Force® list.
- Select the enforcement for the user login flow.
  The enforcement applies to existing users who already have passwords.
- Select the enforcement for the create account, password reset, and change password flows.
  The enforcement applies to new accounts and when existing users change or reset their passwords.
- Save any changes.
- Select whether to use a global custom password list.
- Select Download custom password list to download the Password_intelligence_list.csv file.
- Open the .csv file and add passwords to the file.
  The .csv file must follow the Common Format and MIME Type for Comma-Separated Values (CSV) Files. The .csv file supports all Unicode (UCS) characters by using UTF-8 character encoding. The maximum file size is 20 MB and the maximum number of passwords is 1,000,000. Values that contain a special character such as a comma must be enclosed in double quotation marks.
  Only the first column of the custom list is used. This column has the header value password.
password
badpassword
"bad""pass,word2"
Note:
- The first line (1) of the file must contain the following column value.
  password
- Column values and names are separated by the comma character.
{[(.. , .. )]}
The custom denial list uses the first column only.
Comma separation is not needed.
- Subsequent lines (2 → …) contain the values for the column.
- Each line is stopped by a CRLF character sequence.
- If a value contains a double quotation mark, CR, LF, or comma character, the whole value must be prefixed and suffixed by double quotation marks.
  Any embedded double quotation mark (") must be doubled ("").
- All space characters are significant.
  Note: This rule is more relevant when there are multiple comma-separated columns.
- Note: The Cloud Directory REST API for user and group import, which uses .csv files to import the values for users and groups, is public.
- Save and upload the file.
  The content of the file is uploaded as the content of the Password_Intelligence_List.csv file.
- Create a custom intelligence policy
- Select Create policy and provide the general information.
- Select whether to use the IBM Security X-Force list.
  If you enable the X-Force list, select the enforcement for the user login flow and for the create account, password reset, and change password flows.
- Select whether to use the custom passwords list.
  If you enable the custom password list, select the enforcement for the user login flow and for the create account, password reset, and change password flows.
- Select Save.
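The custom password list format rules from the procedure above, as an added example that is not IBM's code: build_list writes the file with the quoting the note describes, and validate_list checks the header, the UTF-8 encoding, and the size and count limits before upload. The function names are hypothetical, the 20 MB limit is assumed to mean binary megabytes, and the sample passwords are constructed.

```python
import csv
import io

HEADER = "password"            # required value of line 1, per the page
MAX_BYTES = 20 * 1024 * 1024   # 20 MB limit from the page (binary megabytes assumed)
MAX_PASSWORDS = 1_000_000      # password count limit from the page


def build_list(passwords):
    """Serialize passwords as a one-column CSV with CRLF line ends and minimal quoting."""
    buf = io.StringIO(newline="")
    # QUOTE_MINIMAL quotes values holding a comma, quote, CR or LF and
    # doubles embedded quotes, which is the rule the note describes.
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\r\n")
    writer.writerow([HEADER])
    writer.writerows([pw] for pw in passwords)
    return buf.getvalue().encode("utf-8")


def validate_list(data):
    """Return the problems found in CSV bytes; an empty list means none were found."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append("file is larger than 20 MB")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return problems + ["file is not valid UTF-8"]
    reader = csv.reader(io.StringIO(text, newline=""), strict=True)
    count = 0
    try:
        if next(reader, [])[:1] != [HEADER]:
            problems.append("line 1 must be the column name 'password'")
        for row in reader:
            if not row:
                continue  # blank line, no value
            count += 1
            if len(row) > 1:  # an unquoted comma split the value into columns
                problems.append(f"line {reader.line_num}: {len(row)} columns, only the first is used")
    except csv.Error as exc:
        problems.append(f"malformed CSV near line {reader.line_num}: {exc}")
    if count > MAX_PASSWORDS:
        problems.append("more than 1,000,000 passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample values, including the two shown on the page.
    sample = build_list(["badpassword", 'bad"pass,word2', " spaces kept "])
    print(sample.decode("utf-8"), validate_list(sample))
    print(validate_list(b"password\r\nbad,pass\r\n"))
```

The second call shows the failure mode that matters most in practice: a password with an unquoted comma is split into columns, so only the part before the comma would be read from the first column.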
What to do next
If your identity provider supports a password intelligence policy, you can select the policy under the Intelligence policy section of your identity provider configuration.