Restricting the use of certain characters in passwords


On UNIX, users must enter two backslashes (\\) in front of any dollar signs ($) in their passwords. For example, if a user's password is testBMC$12, the user must enter it as follows: testBMC\\$12.

To avoid login problems, restrict the use of $ in passwords.

Setting up password restrictions

  1. From the Remedy AR System Administration Console, select System > General > Password Management Configuration.
    The User Password Management Configuration form appears.
  2. To disable the default HIPAA character restrictions, select the Disable Default Character Restrictions check box.
    • This check box disables the default HIPAA character restrictions regarding non-alphanumeric characters and case-sensitivity. If the check box is selected, users can enter any characters in the Password field, except for characters that are restricted according to what you enter in the Restrictions Qualifier field.
    • Length restrictions are still enforced, but you change them in the Minimum Length field as described in the following step. 
  3. Complete the following fields in the Restrictions section.

    • Minimum Length—Sets the minimum length the user must enter when changing a password. You can enter a length of 1 through 30; the default is 8.
    • Restrictions Qualifier—Specifies restrictions in addition to the default HIPAA restrictions.

      Example
      ((?=.*\\d)(?=.*[~!@#$%^&*_-])(?=\\S+$).{8,30})

      The expression in the restriction qualifier is defined as follows:

      • (?=.*\\d): the password string must contain at least one digit.
      • (?=.*[~!@#$%^&*_-]): the password string must contain at least one special character from the bracketed set (SPECIAL_CHAR_SET).
      • (?=\\S+$): the password must not contain any space, tab, new line, or carriage return characters.
      • {8,30}: the password string must be between 8 and 30 characters long.

    If the default HIPAA restrictions are enabled, you can add more restrictive qualifications, but your restrictions cannot contradict the default restrictions. If you want less restrictive rules, disable the default HIPAA restrictions. In summary, you can enforce restrictions in any of the following ways:

    • Use the default restrictions—Do not enter a qualification in the Restrictions Qualifier field. 
    • Use the default restrictions, but refine them further—Simply enter a qualification in the Restrictions Qualifier field. 
    • Replace the default restrictions with your own custom restrictions—Select the Disable Default Character Restrictions check box and enter a qualification in the Restrictions Qualifier field. 
    • Remove the default restrictions, and allow users to enter any combination of characters—Select the Disable Default Character Restrictions check box and do not enter a qualification in the Restrictions Qualifier field. 
    • Failure Message—Specifies the message shown when a user enters a password that does not satisfy the configured restrictions.
  4. Click Save.
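
The example Restrictions Qualifier from step 3 can be exercised against candidate passwords before it is saved. The following Python check is an added example, not BMC code: it assumes the doubled backslashes on the page are string-literal escaping for \d and \S, it runs on Python's re module rather than the AR System engine, and the function names are illustrative. It reports which of the four components rejects each candidate and shows that the 30-character ceiling holds only when the whole string must match.

```python
import re

# Example qualifier from step 3. Assumption: the doubled backslashes on the page
# are string-literal escaping, so \\d and \\S are the regex escapes \d and \S.
QUALIFIER = r"((?=.*\d)(?=.*[~!@#$%^&*_-])(?=\S+$).{8,30})"

# The four components the page describes, kept separate so that a rejection
# can be traced to the rule that caused it.
LOOKAHEADS = {
    "digit": r"(?=.*\d)",
    "special": r"(?=.*[~!@#$%^&*_-])",
    "no_whitespace": r"(?=\S+$)",
}
LENGTH = r".{8,30}"


def accepts(password):
    """True when the whole password satisfies the qualifier (anchored match)."""
    return re.fullmatch(QUALIFIER, password) is not None


def accepts_unanchored(password):
    """Same pattern with search semantics, as many regex testers apply it."""
    return re.search(QUALIFIER, password) is not None


def failed_rules(password):
    """Names of the components the password does not satisfy."""
    failed = [name for name, rx in LOOKAHEADS.items()
              if not re.match(rx, password)]
    if not re.fullmatch(LENGTH, password):
        failed.append("length_8_30")
    return failed


# Candidates: testBMC$12, r3m%dst4, 7aord7y5 and aA1# appear on the page;
# the last two are constructed for this example.
SAMPLES = ["testBMC$12", "r3m%dst4", "7aord7y5", "aA1#",
           "pass word1!", "A1!" + "x" * 40]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:48} accept={accepts(pw)!s:5} "
              f"failed={failed_rules(pw)} unanchored={accepts_unanchored(pw)}")
```

The 43-character sample is rejected by the anchored match but accepted by the unanchored one, so test a qualifier with the same matching mode the target system uses.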

Restriction qualifications scenarios

If the Disable Default Character Restrictions check box is not selected, the qualifier entered in the Restrictions Qualifier field is appended to the current default restriction. However, you cannot change the default qualifier itself, which requires that the password include at least one lowercase letter, one uppercase letter, and a special character.

Scenario 1

To add a restriction requiring users to include a numeric character in their password, enter the following qualification in the Restrictions Qualifier field:

'New Password' LIKE "%[0-9]%"

This qualifier is appended to the default qualifier. With this restriction, aA1# is an acceptable password if the minimum password length is 4.

Scenario 2

The following qualification would not work because you cannot invalidate the default qualifier, which requires a letter in the password.

('New Password' LIKE "%[^A-Z]%") AND ('New Password' LIKE "%[^a-z]%")

If the Disable Default Character Restrictions check box is selected, the default qualifier is ignored. The qualifier entered in the Restrictions Qualifier field is the only qualifier used.

Scenario 3

To force users to include numeric characters in their password, enter the following qualification in the Restrictions Qualifier field:

'New Password' LIKE "%[0-9]%"

With this restriction, 1111 is an acceptable password if the minimum length is 4. A password without any numbers, like aaaa, would cause an error.

Scenario 4

To force users to include special characters in their password, enter the following qualification in the Restrictions Qualifier field:

'New Password' LIKE "%[\`\~\!\@\#\$\%\^\&\*\(\)\-\_\=\+\{\}\[\]\\\|\;\:\'\"\,\<\.\>\/\?]%"

With this restriction, a password such as r3m%dst4 would be accepted, but a password such as 7aord7y5 would not be accepted. The backslash (\) is the escape character which stops the query when any character is found to be true. Modify this qualification if you want users to exclude any special characters from the password.

 
