Credential Management
Introduction
KOBIL IAM has a rich set of password policies, which you can enable through the Admin Console.
By default, a newly created realm has no password policies associated with it: users may choose passwords that are as short, as simple and as weak as they like. Such defaults are acceptable for development or for learning KOBIL IAM, but not for production environments.
In general, a longer and more complex password is harder to guess, and KOBIL IAM enforces password strength through rules that require a certain level of complexity. For example, your company might require that passwords contain a mix of letters, digits, uppercase and lowercase characters and special characters, or meet a minimum length. Your company's administrator sets these rules so that accounts are protected against password guessing and brute-force attacks. Complexity rules alone do not stop users from picking passwords that are already well known to attackers, which is what the Password Blacklist and Not Recently Used policies described below are for.
How to Set Up a Policy:
Step 1: Navigate to Authentication in the menu.
Step 2: Open the Password Policy tab.
Step 3: Click the Add Policy button.
Parameters in Policies
Clicking Add Policy opens a dropdown list of the available policies; select the ones your requirements call for. Each policy you add takes a value, as described in the table below.
Parameter | Description |
---|---|
Expire Password | The number of days a password remains valid. After that period the user must set a new password. |
Hashing Iteration | The number of times the tenant hashes a password before storage or verification. A higher count makes offline guessing of leaked hashes slower, at the cost of extra CPU time per login. |
Not Recently Used | The new password must not match any of the user's previous N passwords, where N is the configured value. |
Password Blacklist | The password must not appear in the configured blacklist file (typically a list of common or previously breached passwords). |
Minimum Length | The minimum number of characters in the password. |
Regular Expression | The password must match the configured regular expression pattern(s). |
Not Username | The password must not be the same as the user's username. |
Not Email | The password must not be the same as the user's e-mail address. |
Special Characters | The minimum number of special characters required in the password. |
Uppercase Characters | The minimum number of upper case letters required in the password. |
Lowercase Characters | The minimum number of lower case letters required in the password. |
Digits | The minimum number of numerical digits required in the password. |
Hashing Algorithm | The standard hashing algorithm the tenant uses to hash passwords before storage or verification. |
Maximum Length | The maximum number of characters in the password. |
All enabled policies are evaluated together, so a new password is accepted only if it satisfies every one of them.
1. Can my administrator see my credentials?
- No. Passwords are not stored in clear text; only the hash is stored, and the Admin Console never displays it. An administrator can reset a user's password but cannot read the existing one.
2. Where and how are my username and password stored? Is my password secure?
- The username is stored in the user entity table of the IAM database.
- The password is hashed with the algorithm and iteration count specified in the password policy*. Hashing is one-way: the stored value can be used to verify a login attempt but not to recover the password.
*Default: SHA-256 with 27,500 iterations.
3. How can the admin enable Forgot Password?
- The admin must enable Forgot Password so that users who forget their password can reset their login credentials themselves.
- Procedure to follow:
- Log in to the IDP console with admin access.
- Navigate to Realm Settings in the menu.
- Click on the Login tab.
- Toggle Forgot Password to ON. This makes the Forgot Password? link visible on the login page.
- The link lets users enter their username or e-mail address and receive an e-mail containing a link with which to reset their credentials. (NOTE: this is the default behaviour bundled with KOBIL IAM and can be customised to your requirements; for example, an e-mail-based OTP or a phone-based OTP can be sent instead of the link.) Because the reset e-mail grants the ability to set a new password, the e-mail address on the account must be trustworthy and verified, and the reset link must be short-lived and usable only once.