Configuring password quality

Edit online

IBM® Verify Identity Access makes use of the PAM password quality checking module (pam_pwquality) for accounts which are used to access the local management interface.

For IBM Verify Identity Access environments established on version 10.0.0 or newer, the default password quality policy is:


Advanced tuning parameter	Value
`password.policy`	`minlen=8 dcredit=1 ucredit=1 lcredit=1`

For IBM Verify Identity Access environments established on earlier versions, password quality checking is not performed unless the password.policy tuning parameter is added manually.

When Password Quality checking is performed

Password quality checking is performed for the default admin account during any password change operation or for any System Account when the account is created or a password change operation is taking place.

Events which set a password using non-interactive methods such as silent configuration or bootstrapping processes when deploying in cloud environments are not subject to the password quality checking.

Configuring Password Strength Rules

The password quality policy is configured by setting or modifying the Advanced Tuning Parameter password.policy. The expected format of this parameter is a series of key-value pairs corresponding to pam_pw quality options.

To disable password quality checking, remove the Advanced Tuning Parameter password.policy.

Supported options

The following options from the pam_pw quality module can be used when authoring a password policy:

minlen
dcredit
ucredit
lcredit
ocredit
minclass
maxrepeat
maxclassrepeat

Note: Dictionary-based checking is not supported.