Set password policies

This topic describes how to specify user password expiration rules, expiration notifications, complexity requirements, and other related constraints.

One rule may depend on another, so read the associated UI help text carefully. Hover over the “i” icon next to a setting to display its help text.

If you do not make any configuration changes, the default rules are enforced.

Set password complexity requirements

You can specify the complexity requirements users must meet when creating their user passwords. If you do not make any changes, the default requirements are enforced.

To specify user password requirements

  1. Log in to the Admin Portal.

  2. Click Core Services > Policies.

  3. Select the relevant policy set or create a new one.

  4. Click User Security Policies > Password Settings.

  5. Specify the following user password requirements. Explanations for each option are available in the associated UI help.

    • Minimum password length (default 8)

    • Maximum password age (default 365 days)

      Users can reset an expired password only if the “Enable users to change their passwords” policy is set to Yes (the default); see Configure user password change options below.

      If multifactor authentication is enabled, users are prompted to create a new password after they have completed the MFA challenge.

      Enter 0 (zero) if you do not want to specify a password expiration period.

    • Password history (default 3)

      Enter 0 (zero) to allow users to reuse previous passwords.

    • Require at least one digit (default Yes)

    • Require at least one upper case and one lower case letter (default Yes)

    • Require at least one symbol (default No)

    • Show password complexity requirements when entering a new password (default No)

      The complexity explanation shown to CyberArk Cloud Directory users is populated automatically from these settings. For Active Directory, LDAP, and Google directory users, you must enter the explanation text manually in the associated text box.

  6. Click Save.
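The rules above can be modelled as a small checker, which is useful for testing a policy before rolling it out or for reproducing the user-facing complexity text. The following is an added example written for this page, not CyberArk Identity's own code: the PasswordPolicy field names, the salted PBKDF2 storage of the password history, and the wording of the generated explanation are assumptions; the defaults match the values listed in the steps above.

```python
"""Password Settings modelled as a checker: minimum length, digit, mixed case,
symbol and password history. Illustrative code, not CyberArk Identity's
implementation; field names and the history hashing scheme are assumptions."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class PasswordPolicy:
    # Defaults follow the page: length 8, history 3, digit and mixed case required, symbol optional.
    min_length: int = 8
    history: int = 3            # 0 (zero) means previous passwords may be reused
    require_digit: bool = True
    require_mixed_case: bool = True
    require_symbol: bool = False


@dataclass
class PasswordHistory:
    """Remembers the last N passwords as salted PBKDF2 hashes, never in clear text."""
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        # Iteration count kept low so the example runs quickly; raise it in real use.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)

    def contains(self, password: str) -> bool:
        """Constant-time comparison against every remembered hash."""
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self.entries)

    def remember(self, password: str, keep: int) -> None:
        """Record a newly set password and trim the history to `keep` entries."""
        if keep <= 0:
            self.entries.clear()          # history disabled: nothing to compare against
            return
        salt = os.urandom(16)
        self.entries.append((salt, self._digest(password, salt)))
        del self.entries[:-keep]          # drop everything older than the last `keep`


def check_password(candidate: str, policy: PasswordPolicy, history: PasswordHistory) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"at least {policy.min_length} characters")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        problems.append("at least one digit")
    if policy.require_mixed_case and not (
            any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        problems.append("at least one upper case and one lower case letter")
    if policy.require_symbol and not any(c in string.punctuation for c in candidate):
        problems.append("at least one symbol")
    if policy.history > 0 and history.contains(candidate):
        problems.append(f"not one of the last {policy.history} passwords")
    return problems


def complexity_text(policy: PasswordPolicy) -> str:
    """Explanation string for 'Show password complexity requirements' (assumed wording)."""
    parts = [f"at least {policy.min_length} characters"]
    if policy.require_digit:
        parts.append("at least one digit")
    if policy.require_mixed_case:
        parts.append("upper and lower case letters")
    if policy.require_symbol:
        parts.append("at least one symbol")
    text = "Your password must contain " + ", ".join(parts) + "."
    if policy.history > 0:
        text += f" It may not match any of your last {policy.history} passwords."
    return text


def change_password(new_password: str, policy: PasswordPolicy, history: PasswordHistory) -> List[str]:
    """Apply the policy; on success, store the password so it cannot be reused."""
    problems = check_password(new_password, policy, history)
    if not problems:
        history.remember(new_password, policy.history)
    return problems


if __name__ == "__main__":
    policy, history = PasswordPolicy(), PasswordHistory()
    print(complexity_text(policy))
    for candidate in ["Winter2024", "Winter2024", "password", "Ab1"]:   # constructed inputs
        print(candidate, "->", change_password(candidate, policy, history) or "accepted")
```

Because the history stores only salted hashes, a stolen history file does not reveal the previous passwords; with Password history set to 0 the `remember` call discards the history entirely, which is what the page's "let users reuse the same password" option amounts to.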

Configure user password change options

Enable your users to change the password of the directory service account they use to log in to CyberArk Identity. If a user logs in to a Windows or Mac machine enrolled through the appropriate cloud agent with the same account, changing the password also changes the password used to log in to that machine.

This user password change option is independent of those available in User Security Policies > Self Service > Password Reset. Self-service password reset (SSPR) allows users to change their password only when they have forgotten it; this topic describes how to enable them to change it at any time.

To configure user password change options

  1. Log in to the Admin Portal.
  2. Click Core Services > Policies.
  3. Select the relevant policy set or create a new one.
  4. Click User Security Policies > User Account Settings.
  5. Select Yes in the Enable users to change their passwords drop-down list.

    If this policy is set to No and you use the Maximum password age policy to set an expiration date for the password, users will not be able to reset their password. Instead, an administrator will have to reset the password for them.

    This policy only affects the display of the Change Password option on the user portal Account page and the Mac Cloud Agent menu (accessible from the menu bar on a Mac).

    Separately, you can set a policy that enables users to reset their password from the user portal login prompt (for example, if they forget their password). See Configure password reset self-service options.

  6. (Optional) Select from the Authentication Profile drop-down list to specify the authentication mechanism users must provide to change their password.

    See Creating authentication profiles for authentication profile information.

  7. Click Save.

    Your users can now change their passwords in accordance with the policy settings configured here. Direct your users to Change your password for more information about how they can change their passwords.

Lock user accounts after failed login attempts

Use the Capture Settings area of the Password Settings page in a policy to lock user accounts after a given number of failed login attempts. At your discretion, failed login attempts can include failed MFA inputs. A lower threshold limits online password guessing, but it also lets an attacker who knows a username lock the legitimate user out; weigh the threshold, capture window, and lockout duration against that risk.

To lock user accounts after failed login attempts

  1. Log in to the Admin Portal.
  2. Click Core Services > Policies.
  3. Select the relevant policy set or create a new one.
  4. Click User Security Policies > Password Settings.
  5. Select a number for Maximum consecutive failed login attempts allowed within window.

    The default value is 100.

  6. Select a radio button to determine whether to count only failed password entries, or all failed authentication mechanisms.

    • Only count failed password attempts: only a user's failed password entries count against the set maximum failed login attempts.

    • Count all failed login attempts: any failed authentication mechanism input counts against the set maximum failed login attempts, for example a failed security question answer or OTP code.

  7. Set the capture window for consecutive failed login attempts.

    The default value is 30 minutes.

  8. Set the lockout duration.

    The default value is 10 minutes.

  9. Click Save.
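To see how the three Capture Settings interact (the attempt threshold, the capture window it is measured within, and the lockout duration), the following added example replays a constructed sequence of login events through a model of the rule. It is illustrative code written for this page, not CyberArk Identity's implementation: the sliding-window counting, the reset on a successful login, locking on the attempt that exceeds the maximum, and the event format are all assumptions. The small thresholds are chosen for readability; the page defaults are 100 attempts, 30 minutes, and 10 minutes.

```python
"""Model of the Capture Settings lockout rule applied to constructed login
events. Illustrative only; window, reset and threshold semantics are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    max_failures: int = 100                                  # page default
    capture_window: timedelta = timedelta(minutes=30)        # page default
    lockout_duration: timedelta = timedelta(minutes=10)      # page default
    count_all_mechanisms: bool = False   # False = "Only count failed password attempts"


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)   # timestamps of counted failures
    locked_until: Optional[datetime] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        state = self.accounts.setdefault(user, AccountState())
        return state.locked_until is not None and now < state.locked_until

    def record(self, user: str, now: datetime, mechanism: str, success: bool) -> str:
        """Feed one authentication event; returns 'locked', 'ok', 'failed' or 'ignored'."""
        state = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return "locked"           # even a correct password is refused while locked
        if success:
            state.failures.clear()    # assumption: a successful login resets the count
            state.locked_until = None
            return "ok"
        if mechanism != "password" and not self.policy.count_all_mechanisms:
            return "ignored"          # password-only mode: MFA failures do not count
        # Assumption: the capture window slides; failures older than it drop out.
        cutoff = now - self.policy.capture_window
        state.failures = [t for t in state.failures if t > cutoff]
        state.failures.append(now)
        if len(state.failures) > self.policy.max_failures:   # "allowed" attempts exceeded
            state.locked_until = now + self.policy.lockout_duration
            state.failures.clear()
            return "locked"
        return "failed"


# Constructed event log: (minutes after start, user, mechanism, success).
START = datetime(2024, 1, 1, 9, 0, 0)
EVENTS: List[Tuple[int, str, str, bool]] = [
    (0, "alice", "password", False),
    (1, "alice", "otp", False),
    (2, "alice", "password", False),
    (3, "alice", "password", False),
    (4, "alice", "password", False),   # 4th counted failure exceeds max of 3 -> lock
    (5, "alice", "password", True),    # correct password, but still inside the lockout
    (7, "alice", "password", True),    # lockout expired
    (8, "bob", "password", False),
    (20, "bob", "password", False),    # bob's first failure has aged out of the window
]

DEMO_POLICY = LockoutPolicy(max_failures=3, capture_window=timedelta(minutes=5),
                            lockout_duration=timedelta(minutes=2))


def replay(events, policy: LockoutPolicy) -> List[str]:
    """Run every event through a fresh tracker and return the outcome of each."""
    tracker = LockoutTracker(policy)
    return [tracker.record(user, START + timedelta(minutes=m), mech, ok)
            for m, user, mech, ok in events]


if __name__ == "__main__":
    for label, policy in [("password failures only", DEMO_POLICY),
                          ("all failed mechanisms",
                           LockoutPolicy(3, timedelta(minutes=5), timedelta(minutes=2), True))]:
        print(label)
        for event, outcome in zip(EVENTS, replay(EVENTS, policy)):
            print("  +%2d min %-6s %-9s -> %s" % (event[0], event[1], event[2], outcome))
```

Running the same events under both radio-button modes shows the practical difference: with "Count all failed login attempts" the failed OTP at minute 1 counts, so alice is locked one attempt earlier and the lockout also ends earlier, while in password-only mode an attacker who has the password but fails MFA repeatedly never trips the lock.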