Jump to content

Password reset policy - make it work better with Active Directory

Joakim K

Recommended Posts

The password reset portal password policy does not have any way of making "require password complexity" work as intended. 


The options are:

Minimum LowerCase Characters *    :      

Minimum UpperCase Characters *    :    

Minimum Numeric Characters *    :    

Minimum Symbol Characters *    :      

Preferred Password Length*    :      

Requires Upper And Lower Case*   :  Yes    No

Failed Reset Message*


AD on the other hand, only supports setting complexity true or false. If it is true, you need 3 out of 4 character types (UPPERCASE,lowercase,numbers, special characters).

My suggestion is that you either change the  "Requires Upper And Lower Case * "-option to "Active directory policy requires password complexity", or adding that option as a new option. 

(It would also be super neat if you could implement a feature of prompting the user that the failed password reset is because of it existing in the haveibeenpwned database, right now it is giving the same error as you are submitting in this policy)


Link to comment
Share on other sites

Hi Joakim,


The Policies in our Password Reset Portal are designed so you can set a minimum requirement, and if the user fails to meet the requirements it will give them a detailed explanation of what requirement they haven't met, ie "Still required: 1 capital letter" or "Still required: 3 more letters".  (I'm adlibbing here, but this is approximately what the error says).  You cannot click Save until you have met the requirements.


If the user passes that first "Passwordstate Policy" it will also fall back to Active Directory and check the complexity requirement for the user in AD.  The user may have a more strict password policy in AD which they'll also have to meet to reset their password.  If they fail this AD requirement then it will error saying "Did not meet Password Complexity Requirements", in which case they'll have to try again.


Also, with the haveibeenpwned check, we deliberately omitted using this terminology in our error message, because the portal is designed for day to day users who aren't IT savvy as such, and most non IT people wouldn't know what haveibeenpwned is.  We thought it would be confusing so left it at a very general message which is "Password Not Allowed.  Please try again"




Link to comment
Share on other sites

Yes, but personally I think it would be better if the passwordstate policy could be more "AD-friendly", and an option could be just "require AD complexity", checking for 3 out of 4 character types being used. To get around this, we have enforced uppercase, lowercase and numbers, but that is annoying some of the users that are used to being able to use special characters instead. Is the haveibeenpwnd error message working even if you set a custom Failed Reset Message? If so I was mistaken, sorry!

Link to comment
Share on other sites

Hi Joakim,


We do adhere to any password policies applied to a user's account, assuming they pass the Password Policy settings set within Passwordstate first. But it sounds like you want our Password Policies to somehow mimic what AD also does.


Click Studios

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...