Enforcing a password policy introduction
BMC Remedy AR System ensures that passwords are always encrypted. An SHA-256 hash of passwords is stored in the database, ensuring that the system (and so the reader of the database) cannot retrieve passwords. In addition, you can enforce a password policy with the User Password Management Configuration form.
User Password Management Configuration form
(Click the image to expand it.)
The password management feature is preconfigured when you install BMC Remedy Encryption Security, but it is not enabled. This section describes how to enable and use the feature.
With a password policy, you can:
- Force all users or individual users to change their passwords when they use a browser
- Enforce restrictions on passwords [Health Insurance Portability and Accountability Act (HIPAA) standards are shipped as the default restrictions.]
- Set up password expiration with scheduled warnings
- Disable an account after the expiration period
- Enable users to change their passwords at will
If your system uses external authentication (through the Cross Ref Blank Password option), be careful if you enforce password policy with the User Password Management Configuration form. The policy should be enforced only for users whose passwords are stored in the Encryption Security User form. If you enable the policy and have users who are externally authenticated, disable the policy for the externally authenticated users as described in Disabling password management for individual users. For information about the Cross-Reference Blank Password feature used with external authentication, see Cross-referencing blank passwords.