Back to Home PageView SDKs on GithubView APIs in ReadmeSystem Status
Search…
Vienna
Strivacity: Vienna Release
SUPPORT INFORMATION
Raising a support ticket
Security vulnerability response
Reporting a security issue
Our service level commitment
Getting Started
Overview
Product components
Pre-configured best practices
Resources for compliance
Using the Dashboard
Overview
APIs
Using the REST APIs
ReadMe API directory
Setup and Manage
Adaptive multi-factor authentication
Identity verification
API security policy
Claim Dialects
Consent management
Enterprise login
Identity stores
Password polices
Creating a Password Policy
Editing a Password Policy
Deleting a Password Policy
Integrate your applications
Lifecycle event hooks
Notification policies
Self-service
Rebranding and Customization
Using your own brand, logos, and color schemes
Using multiple custom domain names
Customizing email templates
Customizing SMS templates
Rebranding the Admin Console
Localization
Managing Accounts and Groups
Accounts
Groups
Configuration
Admin roles
Admin adaptive MFA
Admin branding
Admin notifications
Admin accounts
General
Logging
REST API access policies
Integrations
Web analytics
CRM, CDP, and marketing
External identity providers
Passwordless
Identity proofing
Productivity
Security
Social login
DEVELOPER SDK
Mobile SDK overview
Android mobile SDK
iOS mobile SDK
Architecture and Deployment
Infrastructure security
Rate limiting
Brute-force protections
Regional availability
Powered By GitBook
Password polices
Password Policies provide a way to enforce password characteristics and mitigate password risk for all accounts in an identity store. Learn more about how to setup and manage these policies.

Password Policies provide a way to enforce password characteristics and mitigate password risk for all accounts in an identity store.
The Strivacity password policies and the settings provided also follow the 2019 NIST 800-63 Password Guidelines wherever possible and provides password strength, password guessing avoidance, as well as protection against common password based attacks using breached/stolen credentials such as password stuffing and password spraying.
A password is subject to the following allowed/disallowed character rules:
  • Can contain up to 64 characters in length and any uppercase or lowercase Latin or Unicode characters from A to Z
  • Can contain any digits 0 to 9
  • Can contain any of these ASCII characters: # $ % & ' ( ) - . @ ^ _ ` { } ~
The functionality provided by Strivacity Fusion's password policies can be broken down into four areas of functionality:

The scope of a password policy applies to an Identity Store. While you can re-use a password policy, an Identity Store can only have a single password policy.

We’ve implemented breached password detection to every part of the self-service experience and the admin console where your customers or administrators have to set or reset passwords:
  • self-service registration
  • self-service password reset
  • self-service password reset by email
  • account password reset by customer service or administrators
Breached password detected
Breached password detection prevents customers from using passwords that previously appeared in data breaches. Enable this feature in a password policy and assign it to any identity store.
Breached password protection feature
Once enabled, Strivacity will automatically screen user-provided passwords against a database of leaked passwords.
We primarily use the open-source package of breached passwords made available by Have I Been Pwned (HIBP). HIBP hashes original values to hide personally identifiable information (PII).
We don't store the HIBP passwords in human-readable form. Only your customers will know by trial and error if their password has been leaked when using the Strivacity password breach detection service.
When breached passwords are detected
Encourage your customers to get familiar with good password practices and to screen their passwords for the rest of their accounts e.g. at HIBP's pwned password service.

Here's what you can do to enhance account security for your brand and raise awareness about password best practices based on the National Institute of Standards and Technology (NIST) guidelines:
Prioritize length over complexity: Increasing the length of a password adds more to security than squeezing in a few upper case letters and symbols into the shortest possible character string.
Don't give malicious attackers a head start: Refrain from using ordinary words and avoid the use of sequential strings of numbers or letters in passwords.
Rule out regular password resets: Regular password reset is ineffective.
We tend to add only the slightest changes when faced with the task of modifying our passwords, virtually re-creating the same password over and over again. This could pose huge security threats to our accounts if our password is commonly-used or has been compromised in the past. It’s better to create an uncrackable password in the first place—that would preferably take millions of years to hack.
Encourage the use of password managers: Password managers can stop us from using the same password across multiple platforms. These services store our various sign-in credentials encrypted for the dozens of accounts we use, sparing us quite a few headaches. Most services can also generate secure passwords in no time.
There are plenty of password manager services available, from convenient in-browser tools to cross-browser commercial applications. Customers only have to find out which one works best for them.
We support password suggestions coming from password manager services in Strivacity Fusion.

Compared to breached password detection, commonly used password requirements are less effective in reaching the ideal security level. This approach drives your customers to check off required characters without any consideration for good password practices and allows them to create predictable passwords like ‘Password123!’. Requiring a minimum password length is a good practice. Anything less than 8 characters is easily cracked. Other password complexity requirements can create a bad experience for customers and force them into bad password practices. We recommend a minimum password length plus enabling breached password protection for a good balance of security and usability.
Predictable passwords have probably been leaked at some time in the past. Nudge your customers to create safer passwords by implementing breached password detection for your identity stores. You can skip configuring password strength.
Setting
Default Value
Description
Minimum Length
8
Specify the minimum length (in characters) of the password. This cannot be less that 8 characters.
Must contain at least one lowercase character (a-z)
Off
If enabled the password must include one of these!
Must contain at least one uppercase character (A-Z)
Off
If enabled the password must include one of these!
Must contain at least one number (0-9)
Off
If enabled the password must include one of these!
Must contain at least one special character ($%&'()[email protected]^_`'{}~)
Off
If enabled the password must include one of these!

There's a good chance malicious actors will try to use your customer's personal information to take over their accounts. Attackers may pair user-identifying information or parts of them with compromised passwords or common character combinations to crack your customers' passwords faster.
Protect your customers from paving the way for cyber attackers and don't allow them to blend their personal information (username, first name, and last name) into their passwords.
You can switch on password guess avoidance for each personal data field separately.
When enabled, password guessing avoidance forbids the use of
  • the entire
    • username
    • first name
    • last name
    with any special character included
Example First name 'Joanna', last name 'Harris', or username 'actualadvicemallard92' in full are not allowed to be included in a customer's password.
Password guessing avoidance also looks at
  • the alphanumeric strings within
    • usernames
    • first names
    • last names
    separated by special characters ($%&'()[email protected]^_`'{}~) that are longer than three characters and forbids their use in a password.
Example Username 'actual.advicemallard_007' is separated by two special characters into three parts. Password guessing avoidance will not allow 'actual' and 'advicemallard' in a password since those are longer than three characters, but '007' is OK to add in the password.
Password guessing avoidance is case insensitive which means that changing the letter case will still not allow customers to include forbidden strings in passwords.

Documentation Coming Soon!
Previous
Date type
Next
Creating a Password Policy
Last modified 2mo ago
Export as PDF
Copy link
On this page
Overview
Password policy scope
Breached password analysis
Good password practices
Password strength
Password guessing avoidance
Password risk analysis