by Shikha Agarwal

Password Policies

Oracle offers a comprehensive method to configure password policies for each user category within the system. In this blog, we explore the various options available for setting up these policies.


Navigate to Tools >> Security, or open the Manage Applications Security Preferences task from the Setup and Maintenance >> Search tasks option.


Click the User Categories tab, then select the name of the category to open it.


On the Password Policy subtab, click Edit to modify the policy. You can update the password policy for any user category at any time.


Password Policy Options:

Days Before Password Expiration: Specifies the number of days a password is valid. Afterwards, users must reset their passwords via the Forgot Password process.

Default: 90

Days Before Password Expiry Warning: Specifies when users are notified of impending password expiration. This value must be equal to or less than the “Days Before Password Expiration” setting.

Default: 10

Hours Before Password Reset Token Expiration: When users request a password reset, they receive a password-reset link. This setting determines the duration for which the reset-password link remains valid. If the link expires before the password is reset, users must request another reset. You can set a value between 1 and 9999 for this option.

Default: 4

Password Complexity: Specifies the complexity level required for passwords: simple, complex, very complex or custom. Password validation rules identify passwords that do not meet the selected complexity criteria.

The following password complexity types are available:

  • Simple: Must contain at least 8 characters, 1 number. This is the default complexity type.
  • Complex: Must contain at least 8 characters, 1 uppercase, 1 number.
  • Very Complex: Must contain at least 8 characters, 1 uppercase, 1 number, 1 special character.
  • Custom: Provides the flexibility to specify a combination of parameters to define a custom password. By default, the parameters are populated with a predefined set of values to get you started.


Default: Simple
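To see what each predefined tier actually admits, the following added example (not Oracle's code and not part of the original post) models the three tiers and the field constraints described above. The `PasswordPolicy` class, the function names and the sample passwords are hypothetical, and "special character" is assumed to mean any character that is not a letter or digit.

```python
import re
from dataclasses import dataclass

# Tier rules as listed above: every tier needs 8+ characters and 1 number.
TIERS = {
    "simple":       {"upper": False, "special": False},
    "complex":      {"upper": True,  "special": False},
    "very complex": {"upper": True,  "special": True},
}

@dataclass
class PasswordPolicy:  # hypothetical container; defaults taken from the page
    expiration_days: int = 90
    warning_days: int = 10
    reset_token_hours: int = 4
    complexity: str = "simple"

def policy_errors(policy):
    """Return the constraints from the option descriptions that are violated."""
    errors = []
    if policy.warning_days > policy.expiration_days:
        errors.append("warning_days exceeds expiration_days")
    if not 1 <= policy.reset_token_hours <= 9999:
        errors.append("reset_token_hours outside 1-9999")
    if policy.complexity not in TIERS:
        errors.append("complexity tier not modelled here (custom)")
    return errors

def password_failures(password, tier):
    """Return the requirements of the given tier that the password misses."""
    rules = TIERS[tier]
    missing = []
    if len(password) < 8:
        missing.append("length")
    if not re.search(r"[0-9]", password):
        missing.append("number")
    if rules["upper"] and not re.search(r"[A-Z]", password):
        missing.append("uppercase")
    # Assumption: "special" means anything that is not an ASCII letter or digit.
    if rules["special"] and not re.search(r"[^A-Za-z0-9]", password):
        missing.append("special")
    return missing

if __name__ == "__main__":
    # Constructed sample passwords, checked against every tier.
    for candidate in ("password1", "Summer2024", "Summer-2024"):
        for tier in TIERS:
            print(candidate, tier, password_failures(candidate, tier) or "accepted")
```

The output shows that the default Simple tier accepts a password such as `password1`, which is worth knowing when deciding which tier to assign to each user category.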

Disallow last password: Check this option to enforce that the new password is different from the previous one.

If a user initiates a password reset by navigating to Settings and Actions >> Set Preferences >> Password, this setting determines whether the previous password can be reused. However, when a user’s password expires, they are allowed to reuse their previous password. This setting does not impact password reuse after expiration.

Note that this setting does not apply the first time a password is reset if a user is moved from a user category that did not have the “Disallow last password” option enabled.

Default: No

Administrator can manually reset password: Passwords can be either generated automatically or reset manually by the IT Security Manager. Enable this option to allow passwords to be reset manually by users. Regardless of how passwords are reset (manually or automatically generated), they must comply with the current complexity rules.

Default: Yes

Note: Users receive notifications about password events only when the relevant notification templates are enabled for their user categories. The predefined notification templates for these events include Password Expiry Warning Template, Password Expiration Template, and Password Reset Template. We will discuss this further in an upcoming blog.
