Password Policies provide a way to enforce password characteristics and mitigate password risk for all accounts in an identity store.
Fusion's password policies and their settings follow the 2019 NIST 800-63 Password Guidelines wherever possible. They provide password strength, password guessing avoidance, and protection against common password-based attacks that use breached or stolen credentials, such as password stuffing and password spraying.
A password is subject to the following allowed/disallowed character rules:
Can be up to 64 characters long and contain any uppercase or lowercase Latin or Unicode characters from A to Z
Can contain any digits 0 to 9
Can contain any of these ASCII characters: # $ % & ' ( ) - . @ ^ _ ` { } ~
The functionality provided by Fusion's password policies can be broken down into three areas:
Password Strength
Password Risk Analysis
The scope of a password policy applies to an Identity Store. While you can re-use a password policy, an Identity Store can only have a single password policy.
Setting | Default Value | Description |
Minimum Length | 8 | Specify the minimum length (in characters) of the password. This cannot be less than 8 characters. |
Must contain at least one lowercase character (a-z) | Off | If enabled, the password must include one of these! |
Must contain at least one uppercase character (A-Z) | Off | If enabled, the password must include one of these! |
Must contain at least one number (0-9) | Off | If enabled, the password must include one of these! |
Must contain at least one special character ($%&'()-.@^_`'{}~) | Off | If enabled, the password must include one of these! |
Setting | Default Value | Description |
Must not contain the customer's first name | On | If enabled, the user cannot use any part of their first name in the password |
Must not contain the customer's last name | On | If enabled, the user cannot use any part of their last name in the password |
Must not contain any part of the username | On | If enabled, the user cannot use any part of their username in the password |
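The character rules and the two settings tables above can be expressed as a single validator. This is an added example, not Fusion's own code: the names `PasswordPolicy`, `check_password` and `contains_part` are hypothetical, "any part" of a name is assumed to mean any 3-character slice of it, and "Latin or Unicode characters" is assumed to mean any Unicode letter.

```python
import string
from dataclasses import dataclass

ALLOWED_SPECIALS = "#$%&'()-.@^_`{}~"                 # allowed-character rule on the page
REQUIRED_SPECIALS = ALLOWED_SPECIALS.replace("#", "")  # settings table's list omits '#'
MAX_LENGTH = 64     # upper bound stated on the page
MIN_FRAGMENT = 3    # assumption: shortest slice of a name that counts as "part of" it

@dataclass
class PasswordPolicy:
    min_length: int = 8            # defaults mirror the page's settings tables
    require_lower: bool = False
    require_upper: bool = False
    require_digit: bool = False
    require_special: bool = False
    block_first_name: bool = True
    block_last_name: bool = True
    block_username: bool = True

    def __post_init__(self):
        if self.min_length < 8:  # the page forbids a minimum below 8
            raise ValueError("minimum length cannot be less than 8")

def contains_part(password, value):
    """Case-insensitive: does any MIN_FRAGMENT-long slice of value occur in password?"""
    pw, v = password.casefold(), (value or "").casefold()
    if len(v) <= MIN_FRAGMENT:
        return bool(v) and v in pw
    return any(v[i:i + MIN_FRAGMENT] in pw for i in range(len(v) - MIN_FRAGMENT + 1))

def check_password(password, policy, first_name="", last_name="", username=""):
    """Return the violated rules; an empty list means the password is accepted."""
    errors = ["too_long"] if len(password) > MAX_LENGTH else []
    if len(password) < policy.min_length:
        errors.append("too_short")
    # Assumption: "Latin or Unicode characters" means any Unicode letter.
    if not all(c.isalpha() or c in string.digits or c in ALLOWED_SPECIALS for c in password):
        errors.append("disallowed_character")
    classes = [("lowercase", policy.require_lower, string.ascii_lowercase),
               ("uppercase", policy.require_upper, string.ascii_uppercase),
               ("digit", policy.require_digit, string.digits),
               ("special", policy.require_special, REQUIRED_SPECIALS)]
    errors += [f"missing_{n}" for n, on, chars in classes if on and not set(password) & set(chars)]
    names = [("first_name", policy.block_first_name, first_name),
             ("last_name", policy.block_last_name, last_name),
             ("username", policy.block_username, username)]
    errors += [f"contains_{n}" for n, on, v in names if on and contains_part(password, v)]
    return errors
```

With the lists exactly as the page gives them, a password whose only special character is `#` passes the allowed-character rule but does not satisfy the "at least one special character" setting.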
Documentation Coming Soon!