Default password policy

Learn more about Fusion's default password policy and how it can mitigate common risks to passwords.
Strivacity comes pre-configured with a default password policy that is aligned to the 2019 NIST 800-63 Password Guidelines.
The default password policy is assigned automatically on a per-identity-store basis, and it is assigned to the Default identity store from the moment that you start using the product, so there is nothing you need to do to ensure that some password best practices are enforced for your customer accounts.
Default password policy settings
The default password policy is assigned automatically on a per-identity-store basis, and it is assigned to the Default identity store from the moment you start using the Admin Console.
Here's our out-of-the-box password policy configuration:
| Setting | Default Value | Description |
| --- | --- | --- |
| Breached password analysis | Enabled | Prevents customers from using passwords that previously appeared in known data breaches. Customers can continue only if they've provided a password that hasn't been part of a past data leak. You can read more about how breached password analysis works here. |
| Password Strength | Disabled | This one is on purpose too. According to NIST's 2019 Password Guidelines, commonly used password complexity requirements are less effective in reaching the ideal security level, so they're switched off* in our default password policy. |
| Password Guessing Avoidance | | These settings limit attackers' ability to guess passwords by leveraging customer-identifying information. You can find examples explaining password guessing avoidance in more detail here. |
| Must not contain First name | Enabled | Prevents customers from using all or part of the 'First name' that's added to their profile information. |
| Must not contain Last name | Enabled | Prevents customers from using all or part of the 'Last name' that's added to their profile information. |
| Must not contain any part of the Username | Enabled | If the identity store requires this identifier, the customer will be prevented from using all or part of their 'Username'. |
*While the 2019 NIST 800-63 Password Guidelines do not recommend any password complexity requirements, please note that password policies do support password complexity and more advanced password options. You can view Password Policies for more information.
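
An added example, not Strivacity's implementation or code from this page: a sketch of how the enabled defaults above (breached password analysis plus the three password guessing avoidance rules) could be evaluated at registration or password change. The three-character minimum fragment length, the profile keys and the breach list are assumptions constructed for illustration.

```python
import hashlib

MIN_FRAGMENT = 3  # assumption: shortest attribute fragment treated as a match

# Constructed sample corpus; real breach corpora are commonly shipped as SHA-1 digests.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password1", "qwerty123", "letmein2019")
}


def is_breached(password: str) -> bool:
    """Breached password analysis: exact match against the known-breach set."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in BREACHED_SHA1


def contains_fragment(password: str, value: str, min_len: int = MIN_FRAGMENT) -> bool:
    """True if the password contains the whole value or any fragment of it
    that is at least min_len characters long (case-insensitive)."""
    pw, val = password.casefold(), value.casefold().strip()
    if not val:
        return False
    if len(val) <= min_len:
        return val in pw  # short values (e.g. a two-letter surname) match only whole
    return any(val[i:i + min_len] in pw for i in range(len(val) - min_len + 1))


def check_password(password: str, profile: dict) -> list:
    """Return the list of default-policy settings the password violates."""
    violations = []
    if is_breached(password):
        violations.append("Breached password analysis")
    for setting, key in (
        ("Must not contain First name", "first_name"),
        ("Must not contain Last name", "last_name"),
        ("Must not contain any part of the Username", "username"),
    ):
        value = profile.get(key)  # username may be absent if the store does not require it
        if value and contains_fragment(password, value):
            violations.append(setting)
    return violations


if __name__ == "__main__":
    profile = {"first_name": "Alexandra", "last_name": "Ng", "username": "alex.ng"}  # constructed
    for candidate in ("password1", "Summer-ALEXa-42", "xngx-river-stone", "correct horse battery"):
        print(candidate, "->", check_password(candidate, profile) or "accepted")
```

Matching very short attribute values whole, as done here, will reject some unrelated passwords that happen to contain those letters; the fragment threshold is the knob that trades guessing resistance against such false rejections.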