Set password policies
This topic describes how to specify user password expiration rules, expiration notifications, complexity requirements, and other related constraints.
One rule may depend on another, so read the associated UI help text thoroughly; hover over the “i” icon next to each setting to display it.
If you do not make any configuration changes, the default rules are enforced.
Set password complexity requirements
You can specify the complexity requirements users must meet when creating their user passwords. If you do not make any changes, the default requirements are enforced.
To specify user password requirements
- Log in to the Identity Administration portal.
- Click Core Services > Policies.
- Select the relevant policy set or create a new one.
- Go to User Security Policies > Password Settings and configure user password requirements.
Explanations for each option are available in the associated UI help.
Password expiration notifications require tenant-level configuration. Contact Support if expiration notifications are not sent as expected.
- Click Save.
Configure user password change options
Enable your users to change the password of the directory service account they use to log in to CyberArk Identity. If a user logs in to a Windows or Mac machine enrolled through the appropriate cloud agent with the same account, changing the password also changes the password used to log in to that machine.
This user password change option is independent of those available in User Security Policies > Self Service > Password Reset. Self-service password reset (SSPR) allows users to change their password only when they have forgotten it; this topic describes how to enable them to change it at any time.
To configure user password change options
- Log in to the Identity Administration portal.
- Click Core Services > Policies.
- Select the relevant policy set or create a new one.
- Click User Security Policies > User Account Settings.
- Select Yes in the Enable user to change their passwords drop-down list.
If this policy is set to No and you use the Maximum password age policy to set an expiration date for the password, users will not be able to change their password when it expires. Instead, an administrator will have to reset the password for them.
This policy only affects the display of the Change Password option on the user portal Account page and in the Mac Cloud Agent menu (accessible from the menu bar on a Mac).
Separately, you can set a policy that enables users to reset their password from the user portal login prompt (for example, if they forget their password). See Configure password reset self-service options.
- (Optional) Select an authentication profile from the Authentication Profile drop-down list to specify the authentication mechanism users must complete before they can change their password.
See Creating authentication profiles for authentication profile information.
- Click Save.
Your users can now change their passwords in accordance with the policy settings configured here. Direct your users to Change your password for more information about how they can change their passwords.
Lock user accounts after failed login attempts
Use the Capture Settings area of the Password Settings page in a policy to lock user accounts after a given number of failed login attempts. At your discretion, failed login attempts can include failed MFA inputs.
To lock user accounts after failed login attempts
- Log in to the Identity Administration portal.
- Click Core Services > Policies.
- Select the relevant policy set or create a new one.
- Click User Security Policies > Password Settings.
- Select a number for Maximum consecutive failed login attempts allowed within window.
The default value is 100.
- Select a radio button to determine whether to count only failed password entries, or all failed authentication mechanisms.
Option | Description
Only count failed password attempts | Only a user's failed password entries count against the set maximum failed login attempts.
Count all failed login attempts | Any failed authentication mechanism input counts against the set maximum failed login attempts, for example a wrong security question answer or OTP code.
Counting all failed attempts also throttles guessing of short OTP codes and security question answers, not just passwords.
- Set the capture window for consecutive failed login attempts.
The default value is 30 minutes.
- Set the lockout duration.
The default value is 10 minutes.
Together, these three values bound online guessing: with the defaults, an account tolerates up to 100 consecutive failures within a 30-minute window before it is locked for 10 minutes.
- Click Save.
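The following is an added example, not code from CyberArk or from this page, that models how the three Capture Settings values and the "count only password failures" versus "count all failures" radio button interact. It assumes a sliding capture window measured back from the current attempt, that lockout triggers once the count exceeds the maximum, that attempts made during a lockout are rejected without being counted, and that a successful login resets the consecutive counter; the product's exact semantics are not stated on this page, so treat those as assumptions. The sample events and the tightened 3-attempt policy are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    """The three Capture Settings knobs from the Password Settings page.

    Defaults are the ones the page states: 100 attempts, 30-minute window,
    10-minute lockout, counting only failed password entries.
    """
    max_failures: int = 100
    window: timedelta = timedelta(minutes=30)
    lockout_duration: timedelta = timedelta(minutes=10)
    count_all_failures: bool = False   # True = "Count all failed login attempts"


@dataclass
class AccountState:
    failures: list = field(default_factory=list)   # timestamps of counted failures
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Toy model (an assumption, not the product's implementation): sliding window
    measured back from the current attempt, lock once the count exceeds the
    maximum, counter reset on any successful login."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: dict = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def record(self, user: str, now: datetime, success: bool,
               mechanism: str = "password") -> str:
        """Record one authentication event and return its outcome:
        'ok', 'failed', 'locked' (account is or has just become locked) or
        'ignored' (a non-password failure under 'Only count failed password attempts')."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"            # assumption: attempts during lockout are rejected, not counted
        if success:
            st.failures.clear()        # a successful login breaks the consecutive streak
            st.locked_until = None
            return "ok"
        if mechanism != "password" and not self.policy.count_all_failures:
            return "ignored"           # wrong OTP / security answer is not counted in this mode
        # Keep only failures inside the capture window, then add this one.
        st.failures = [t for t in st.failures if now - t < self.policy.window]
        st.failures.append(now)
        if len(st.failures) > self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_duration
            st.failures.clear()
            return "locked"
        return "failed"


def run_events(policy: LockoutPolicy, events) -> list:
    """Replay constructed (user, offset_minutes, success, mechanism) events; return outcomes."""
    tracker = LockoutTracker(policy)
    t0 = datetime(2024, 1, 1, 9, 0, 0)   # constructed start time
    return [tracker.record(u, t0 + timedelta(minutes=m), ok, mech) for u, m, ok, mech in events]


# Constructed sample: a tightened policy of 3 allowed failures so the behaviour is visible.
TIGHT = LockoutPolicy(max_failures=3)

SAMPLE_EVENTS = [
    ("alice", 0, False, "password"),
    ("alice", 1, False, "password"),
    ("alice", 2, False, "password"),   # third failure: still within the allowed 3
    ("alice", 3, False, "password"),   # fourth exceeds the maximum -> locked until minute 13
    ("alice", 5, True, "password"),    # correct password during lockout is still rejected
    ("alice", 14, True, "password"),   # lockout has expired -> succeeds and resets the counter
    ("bob", 0, False, "otp"),          # OTP failures are ignored under the default radio button
    ("bob", 1, False, "otp"),
    ("bob", 2, False, "otp"),
    ("bob", 3, False, "otp"),
    ("bob", 4, False, "password"),     # only one counted failure, so bob is not locked
]

if __name__ == "__main__":
    for ev, outcome in zip(SAMPLE_EVENTS, run_events(TIGHT, SAMPLE_EVENTS)):
        print(ev, "->", outcome)
    # Same events under "Count all failed login attempts": bob's OTP guesses now lock him out.
    print(run_events(LockoutPolicy(max_failures=3, count_all_failures=True), SAMPLE_EVENTS)[6:])
```

Running the block shows the practical difference between the two radio buttons: with the default "Only count failed password attempts", four wrong OTP codes never lock bob, whereas with "Count all failed login attempts" the same four guesses lock him on the fourth. The window behaviour is visible too: failures older than the capture window drop out of the count before the next attempt is evaluated.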