Shawn McKinney

What are Password Policies?


A password policy is a set of rules surrounding the content, quality and lifecycle of a password.


It helps safeguard the integrity of password values within a particular security domain. With the move toward Multi-Factor Authentication (MFA) and other biometric authentication measures, one can argue that the password's days are numbered. Nevertheless, passwords remain widely in use today and will continue to be for the foreseeable future.


Password policies define a set of rules to be enforced during a password lifecycle event, such as authentication, password change or password expiration. A few standards govern how systems should behave in this area.


Apache Fortress adheres to the IETF Password Policy Draft. While this draft was never formally adopted, it has traction within the various directory implementations and remains the de facto standard today.


Password enforcement options include:

  1. A configurable limit on failed authentication attempts.

  2. A counter to track the number of failed authentication attempts.

  3. A time frame in which the limit of consecutive failed authentication attempts must happen before action is taken.

  4. The action to be taken when the limit is reached. The action will either be nothing, or the account will be locked.

  5. An amount of time the account is locked (if it is to be locked). This can be indefinite.

  6. Password expiration.

  7. Expiration warning.

  8. Grace authentications.

  9. Password history.

  10. Password minimum age.

  11. Password minimum length.

  12. Password change after reset.

  13. Safe modification of password.

Reference: Password Policy for LDAP Directories (the IETF draft, draft-behera-ldap-password-policy).
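To make the interplay of options 1 through 8 concrete, here is a small simulation of the draft's lockout and expiry rules, written for this post; it is not Apache Fortress or OpenLDAP code. The field names follow the draft's pwdPolicy and operational attributes, the values are constructed, and the rule that a lockout clears the failure counter is a simplification assumed here.

```python
"""Simulation of IETF draft password-policy lockout/expiry rules (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Policy:
    # Attribute names from the draft; values constructed for this example.
    pwdMaxFailure: int = 3             # failed binds allowed before action (option 1)
    pwdFailureCountInterval: int = 60  # seconds a failure stays counted, 0 = forever (3)
    pwdLockout: bool = True            # lock at the limit, or do nothing (4)
    pwdLockoutDuration: int = 300      # seconds locked, 0 = until an admin unlocks (5)
    pwdMaxAge: int = 90 * 86400        # password lifetime in seconds, 0 = no expiry (6)
    pwdGraceAuthNLimit: int = 2        # binds allowed after expiry (8)


@dataclass
class Account:
    pwdChangedTime: int                          # when the password was last set
    pwdFailureTime: List[int] = field(default_factory=list)   # failure counter (2)
    pwdGraceUseTime: List[int] = field(default_factory=list)
    pwdAccountLockedTime: Optional[int] = None


def is_locked(p: Policy, a: Account, now: int) -> bool:
    if a.pwdAccountLockedTime is None:
        return False
    if p.pwdLockoutDuration == 0:
        return True                     # indefinite lock: only an administrator clears it
    return now < a.pwdAccountLockedTime + p.pwdLockoutDuration


def authenticate(p: Policy, a: Account, now: int, password_ok: bool) -> str:
    """Return one of: locked, failed, ok, grace, expired (a warning would precede expiry)."""
    if is_locked(p, a, now):
        return "locked"
    if not password_ok:
        if p.pwdFailureCountInterval:   # forget failures older than the interval
            cutoff = now - p.pwdFailureCountInterval
            a.pwdFailureTime = [t for t in a.pwdFailureTime if t > cutoff]
        a.pwdFailureTime.append(now)
        if p.pwdLockout and len(a.pwdFailureTime) >= p.pwdMaxFailure:
            a.pwdAccountLockedTime = now
            a.pwdFailureTime = []       # assumption: lockout resets the counter
            return "locked"
        return "failed"
    a.pwdFailureTime = []               # a good bind resets the failure counter
    if p.pwdMaxAge and now - a.pwdChangedTime > p.pwdMaxAge:
        if len(a.pwdGraceUseTime) < p.pwdGraceAuthNLimit:
            a.pwdGraceUseTime.append(now)
            return "grace"              # expired, but a grace bind is still allowed
        return "expired"
    return "ok"
```

With the defaults, three failures within 60 seconds lock the account for 300 seconds, and an expired password still gets two grace binds before authentication is refused outright.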
