Password policy
Configure a password policy in PingOne Advanced Identity Cloud when you want a customized rule for creating valid sign-in passwords. The password policy applies to end users who sign in to your registered apps within a realm.
Note: You can configure only one password policy per realm.
By default, Advanced Identity Cloud password policy is set to the minimum security requirements established by the National Institute of Standards and Technology (NIST). Any changes you make to the password policy must conform to requirements contained in their guidelines. Learn more in NIST Digital Identity Guidelines.
Configure a password policy
1. In the Advanced Identity Cloud admin console, go to Security > Password Policy.
2. Choose the realm the password policy will apply to.
3. Edit the password policy details:
   - Password length: When enabled, the policy requires a password with the specified minimum number of characters. There is no maximum.
   - Cannot include: Options to restrict the use of any of the following in the policy:
     - More than two consecutive characters (Example: aaaaaa)
     - Commonly used passwords (Examples: qwerty or 12345678)
     - Values in certain user attributes:
       - In the Forbidden Realm realm - User attributes list, select the user attributes to validate passwords against.
       - In the Minimum n characters for each attribute field, enter a substring length between 3 and 64 to use when validating passwords against user attribute values. The default is 5 characters.
   - Must contain: When enabled, the policy requires the use of a specified 1 - 4 of the following:
     - Upper case letter
     - Lower case letter
     - Number
     - Space, pipe, or special character: ( ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { } ~ )
   - Cannot reuse: When enabled, the policy restricts the end user from reusing the specified number of previously set passwords.
   - Force password change: When enabled, the policy forcibly expires each end-user password after the specified number of days, months, or years have elapsed from when the password was set.
     To handle expired passwords in an end-user journey, use the Expired outcome in the Identity Store Decision node. Refer to the considerations in Force end-user password changes before using this policy setting.
4. Click Save.
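The settings above, modeled as a small validator so you can see how each rule accepts or rejects a candidate password. This is an added example, not Advanced Identity Cloud code: the attribute names (userName, givenName, sn, mail), the default values, the sample user and the common-password list are all constructed for the demonstration, and a plain SHA-256 digest stands in for whatever credential hash the real history check compares against.

```python
"""Reference model of the documented password policy rules (added example, not product code)."""
from dataclasses import dataclass
import hashlib

# Space, pipe and the special characters listed in the policy's "Must contain" option.
SPECIAL = set(" |!\"#$%&'()*+,-./:;<=>?@[\\]^_`{}~")


@dataclass
class PasswordPolicy:
    min_length: int = 8                 # "Password length" (no maximum)
    max_consecutive: int = 2            # more than two consecutive identical characters is rejected
    common_passwords: frozenset = frozenset({"qwerty", "12345678", "password"})  # constructed list
    forbidden_attributes: tuple = ("userName", "givenName", "sn", "mail")       # assumed attribute names
    attribute_substring_len: int = 5    # "Minimum n characters for each attribute", default 5
    must_contain: int = 3               # 1-4 of: upper, lower, number, special
    history_size: int = 5               # "Cannot reuse" count


def _has_run_longer_than(pw: str, limit: int) -> bool:
    """True if any character repeats consecutively more than `limit` times (e.g. 'aaa' with limit 2)."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > limit:
            return True
    return False


def _shares_attribute_substring(pw: str, attrs: dict, names, n: int) -> bool:
    """True if any n-character window of a forbidden attribute value appears in the password."""
    pw_l = pw.lower()
    for name in names:
        value = str(attrs.get(name, "")).lower()
        for i in range(0, max(0, len(value) - n + 1)):
            if value[i:i + n] in pw_l:
                return True
    return False


def history_hash(pw: str) -> str:
    """Stand-in for the stored credential hash used by the reuse check (not the product's scheme)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def validate(pw: str, policy: PasswordPolicy, user_attrs: dict, history_hashes: list) -> list:
    """Return the names of violated rules; an empty list means the password is accepted."""
    violations = []
    if len(pw) < policy.min_length:
        violations.append("password_length")
    if _has_run_longer_than(pw, policy.max_consecutive):
        violations.append("consecutive_characters")
    if pw.lower() in policy.common_passwords:
        violations.append("common_password")
    if _shares_attribute_substring(pw, user_attrs, policy.forbidden_attributes,
                                   policy.attribute_substring_len):
        violations.append("user_attribute_value")
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIAL for c in pw),
    ]
    if sum(classes) < policy.must_contain:
        violations.append("must_contain")
    recent = history_hashes[-policy.history_size:] if policy.history_size > 0 else []
    if history_hash(pw) in recent:
        violations.append("password_reuse")
    return violations


# Constructed sample user and password history for the demonstration.
SAMPLE_USER = {"userName": "bjensen", "givenName": "Barbara", "sn": "Jensen",
               "mail": "bjensen@example.com"}
SAMPLE_HISTORY = [history_hash("OldPassw0rd!")]

if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ["aaaaaa", "Jensen2024!x", "OldPassw0rd!", "Tr0ub4dor&3"]:
        print(candidate, "->", validate(candidate, policy, SAMPLE_USER, SAMPLE_HISTORY) or "accepted")
```

The attribute check is deliberately case-insensitive and windowed: with the default of 5, a password containing "jense" is rejected because it is a substring of the surname "Jensen", which is the behaviour the Minimum n characters setting controls.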
Force end-user password changes
You can combine a password policy and the Identity Store Decision node to expire end-user passwords in a journey; the Force password change policy setting lets you define an expiry time interval, which is measured for each end user from when their password was last set.
If you are introducing such a policy for the first time, you may want to process your end users in batches in order to improve messaging about the changes. The following sections describe two high-level strategies to achieve this.
Note: If you are considering forcing your end users to change their passwords, review the NIST Digital Identity Guidelines. In particular, NIST no longer recommends scheduled password changes; learn more in Usability Considerations by Authenticator Type. The NIST guidelines are continually refined, so you should keep them in mind when setting password policy.
Strategy 1: Target segments of end users
Adapt the end-user login journey to use dynamic groups or user properties to target a segment of end users to reset their password.
Advantage: You can segment users any way you like. For example, you may have a set of end users who could struggle with a password reset. You could add a property to each end user in the set and initially exclude end users with that property from a password reset. Then, at a later time, remove the exclusion when support is available for those end users.
Disadvantage: Creating new dynamic groups with large numbers of end users can incur a significant performance cost.
Strategy 2: Target oldest passwords first
Adapt the end-user login journey to target all end users to reset their password, but initially set a very long expiry time interval to target the oldest passwords first. Then periodically reduce the expiry time interval to eventually target all passwords.
Advantage: This strategy segments end users by the date of their last password reset. Additionally, end users with the oldest passwords are targeted first.
Password timestamps
Password timestamps let you view or query when a user password was last changed and when it is set to expire.
If you have this feature enabled, the following timestamp fields and properties are available:
| Field name on the user page | Property name in the managed object configuration |
|---|---|
| Password Last Changed Time | passwordLastChangedTime |
| Password Expiration Time | passwordExpirationTime |
To enable or check the status of the feature, learn more in Feature enablement.
Example: query for users whose passwordLastChangedTime is on or after a given timestamp, returning only the _id field:

```
curl \
--header "Authorization: Bearer <access-token>" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
"https://<tenant-env-fqdn>/openidm/managed/realm-name_user?_queryFilter=passwordLastChangedTime%20ge%20%222024-01-01T21:22:06.274Z%22&_fields=_id"
```

```
{
  "result": [
    {
      "_id": "453a73a9-3f50-4b04-8115-f3915fd1dd89",
      "_rev": "fa876a46-82e6-4a11-a3f4-6b4919815ea4-5851"
    }
  ],
  ...
}
```
passwordExpirationTime is an unindexed virtual property that can’t be queried. To achieve the same outcome, query on passwordLastChangedTime while taking the expiration period into account.
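Because passwordExpirationTime cannot be queried, the practical way to find users whose passwords have expired, and to see how the Strategy 2 approach of progressively shortening the expiry interval widens the targeted set, is to derive a cutoff from the policy interval and filter on passwordLastChangedTime. The following is an added example, not Advanced Identity Cloud code: it models the interval in days only (the policy also accepts months and years), the user records and the reference time are constructed, and the filter it builds uses the `le` operator on the same managed user endpoint shown in the curl example.

```python
"""Derive 'expired' cutoffs from a Force password change interval and build the
_queryFilter for the managed user endpoint (added example, not product code)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import quote


def expiration_time(last_changed: datetime, expiry_days: int) -> datetime:
    """The instant a password set at `last_changed` expires under an interval of `expiry_days`."""
    return last_changed + timedelta(days=expiry_days)


def cutoff_for_interval(now: datetime, expiry_days: int) -> datetime:
    """Passwords last changed on or before this instant have already expired."""
    return now - timedelta(days=expiry_days)


def iso_millis(ts: datetime) -> str:
    """Format as UTC ISO 8601 with millisecond precision, matching the documented timestamp style."""
    u = ts.astimezone(timezone.utc)
    return u.strftime("%Y-%m-%dT%H:%M:%S") + f".{u.microsecond // 1000:03d}Z"


def expired_query_filter(now: datetime, expiry_days: int) -> str:
    """URL-encoded _queryFilter selecting users whose password expired under the interval.

    Colons are left unencoded, as in the curl example on this page.
    """
    cutoff = iso_millis(cutoff_for_interval(now, expiry_days))
    return quote(f'passwordLastChangedTime le "{cutoff}"', safe=":")


def targeted_users(users: dict, now: datetime, expiry_days: int) -> list:
    """IDs of users (id -> passwordLastChangedTime) whose password has expired under the interval."""
    return sorted(uid for uid, last in users.items()
                  if expiration_time(last, expiry_days) <= now)


# Constructed reference time and user records (id -> passwordLastChangedTime).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
USERS = {
    "user-a": datetime(2022, 1, 15, tzinfo=timezone.utc),   # ~868 days before NOW
    "user-b": datetime(2023, 9, 1, tzinfo=timezone.utc),    # 274 days before NOW
    "user-c": datetime(2024, 2, 1, tzinfo=timezone.utc),    # 121 days before NOW
    "user-d": datetime(2024, 5, 20, tzinfo=timezone.utc),   # 12 days before NOW
}

if __name__ == "__main__":
    # Strategy 2: start with a long interval and shorten it in later batches.
    for days in (365, 180, 90, 10):
        print(f"interval={days:>3}d  targeted={targeted_users(USERS, NOW, days)}")
        print("  _queryFilter=" + expired_query_filter(NOW, days))
```

Each shortening of the interval moves the cutoff later, so users are picked up strictly in order of oldest password first and no one already targeted drops out of a later batch. The same cutoff value is what you would paste into the `_queryFilter` parameter of the documented GET request to list the affected users before rolling the policy change out to them.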