Restricting the use of certain characters in passwords


As an administrator, you can set up restrictions that users must adhere to when creating a password, in addition to the restrictions required by the HIPAA rules.

On UNIX, users must enter two backslashes (\\) in front of any dollar signs ($) in their passwords. For example, if a user's password is testBMC$12, the user must enter it as follows: testBMC\\$12.

 

To avoid login problems, restrict the use of $ in passwords.

Setting up password restrictions

  1. From the AR System Administration Console, select System > General > Password Management Configuration.
    The User Password Management Configuration form appears.
  2. To disable the default HIPAA character restrictions, select the Disable Default Character Restrictions check box.
    • This check box disables the default HIPAA character restrictions regarding non-alphanumeric characters and case sensitivity. If the check box is selected, users can enter any characters in the Password field, except for characters that are restricted according to what you enter in the Restrictions Qualifier field.
    • Length restrictions are still enforced, but you change them in the Minimum Length field as described in the following step. 
  3. Complete the following fields in the Restrictions section.

    • Minimum Length—Sets the minimum length the user must enter when changing a password. You can enter a length of 1 through 30; the default is 8.
    • Restrictions Qualifier—Specifies restrictions in addition to the default HIPAA restrictions. For example, to force users to include a numeric character in their password, enter:

      'New Password' LIKE "%[0-9]%"

    If the default HIPAA restrictions are enabled, you can add more restrictive qualifications, but your restrictions cannot contradict the default restrictions. If you want less restrictive rules, disable the default HIPAA restrictions.
    In summary, you can enforce restrictions in one of the following ways:

    • Use the default restrictions—Do not enter a qualification in the Restrictions Qualifier field. 
    • Use the default restrictions, but refine them further—Simply enter a qualification in the Restrictions Qualifier field. 
    • Replace the default restrictions with your own custom restrictions—Select the Disable Default Character Restrictions check box and enter a qualification in the Restrictions Qualifier field. 
    • Remove the default restrictions and allow users to enter any combination of characters—Select the Disable Default Character Restrictions check box and do not enter a qualification in the Restrictions Qualifier field. 
    • Failure Message—Specifies the message if a password is entered that does not qualify against the restrictions set. You can add your own custom message in this field.
  4. Click Save.

Restriction qualifications scenarios

If the Disable Default Character Restrictions check box is not selected, the qualifier entered in the Restrictions Qualifier field is appended to the current default restriction. However, you cannot change what the default qualifier already defines: it enforces that the password must include at least one lowercase letter, one uppercase letter, and a special character.

When entering the regex patterns for the qualifier:

  • Enter a double quote twice ("") to have a single double quote treated as a literal character.
  • Use a close square bracket (]) only outside an existing character range sequence. Do not use a close square bracket (]) inside an existing "[" and "]" pair.

Scenario 1

To add a restriction requiring users to include a numeric character in their password, enter the following qualification in the Restrictions Qualifier field:

'New Password' LIKE "%[0-9]%"

This qualifier is appended to the default qualifier. With this restriction, aA1# is an acceptable password if the minimum length for the password is 4.

Scenario 2

The following qualification would not work because you cannot invalidate the default qualifier, which requires a letter in the password.

('New Password' LIKE "%[^A-Z]%") AND ('New Password' LIKE "%[^a-z]%")

The default qualifier is ignored if the Disable Default Character Restrictions check box is selected. The qualifier entered in the Restrictions Qualifier field is the only qualifier used.

Scenario 3

To force users to include numeric characters in their password, enter the following qualification in the Restrictions Qualifier field:

'New Password' LIKE "%[0-9]%"

With this restriction, 1111 is an acceptable password if the minimum length is 4. A password without any numbers, like aaaa, would cause an error.

Scenario 4

To force users to include special characters in their password, enter the following qualification in the Restrictions Qualifier field:

'New Password' LIKE "%[\`\~\!\@\#\$\%\^\&\*\(\)\-\_\=""\+\\\\\\{\}\[\\\|\;\:\'\,\<\.\>\/\?]%"

With this restriction, a password such as r3m%dst4 would be accepted, but a password such as 7aord7y5 would not be accepted. The backslash (\) is the escape character that stops the query when any character is found to be true. Modify this qualification if you want users to exclude any special characters from the password. 

 

Troubleshooting

Some of the common errors that you might encounter when setting up password restrictions are documented as follows:

Scenario 1

The Disable Default Character Restrictions check box is not selected, and you add the following qualification in the Restrictions Qualifier field:

('New Password' LIKE "%[0-9]%") AND ('New Password' LIKE "%[a-z]%") AND ('New Password' LIKE "%[A-Z]%")
AND (('New Password' LIKE "%[\`\~\!\@\#\$\%\^\&\*\(\)\-\_\=""\+\\{\}\[\\\|\;\:\'\,\<\.\>\/\?]%")
OR ('New Password' LIKE "%]%"))

If you enter the password as ARRRR, the following error is displayed: Password cannot be empty or same as User Name, it should be from 8 to 30 characters in length. (ARERR 49000).

Scenario 2

The Disable Default Character Restrictions check box is not selected, and you add the following qualification in the Restrictions Qualifier field:

('New Password' LIKE "%[^A-Z]%") AND ('New Password' LIKE "%[^a-z]%")

If you enter the password as ARRRR1QW, the following error is displayed: Please include an upper case, a lower case and a special character in the password. (ARERR 49001).

Scenario 3

The Disable Default Character Restrictions check box is selected, and you add the following qualification in the Restrictions Qualifier field:

('New Password' LIKE "%[0-9]%") AND ('New Password' LIKE "%[a-z]%")
AND ('New Password' LIKE "%[A-Z]%")
AND (('New Password' LIKE "%[\`\~\!\@\#\$\%\^\&\*\(\)\-\_\=""\+\\{\}\[\\\|\;\:\'\,\<\.\>\/\?]%")
OR ('New Password' LIKE "%]%"))

You can specify a custom failure message if the qualification is not met. Example: Policy not adhered. (ARERR 10000).

With this restriction, if you enter the password as ARRRRWWE, the following error is displayed: Policy not adhered. (ARERR 10000).
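
To try a candidate qualifier against sample passwords before saving it, the following added example (not BMC code, and not the AR System matching engine) models the LIKE wildcards used in the scenarios and troubleshooting cases above. The DEFAULT clauses, the backslash-escape handling, case-sensitive matching, and the order of the checks are assumptions made for this sketch; like_to_regex and check are hypothetical names.

```python
import re

# Assumed model of the default rule the page describes (lowercase, uppercase, special).
DEFAULT = ["%[a-z]%", "%[A-Z]%", "%[^a-zA-Z0-9]%"]
# Special-character clause copied from the page's troubleshooting qualifier.
SPECIAL = r'''%[\`\~\!\@\#\$\%\^\&\*\(\)\-\_\=""\+\\{\}\[\\\|\;\:\'\,\<\.\>\/\?]%'''

def like_to_regex(pattern):
    """Translate %, _, [set], [^set] and backslash escapes into a Python regex."""
    out, i, in_set = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # assumed: next char is literal
            i += 2
            continue
        if in_set:
            if c == "]":
                in_set = False
            out.append(c if c in "]-" else re.escape(c))  # keep ranges such as 0-9
        elif c == "[":
            in_set = True
            out.append("[")
            if pattern[i + 1:i + 2] == "^":        # [^...] negates the set
                out.append("^")
                i += 1
        elif c in "%_":
            out.append(".*" if c == "%" else ".")  # % = any run, _ = one character
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def check(password, clauses, min_length=8, default_enabled=True):
    """Return 'ok', or which rule rejects the password (check order is assumed)."""
    if len(password) < min_length:
        return "length"                            # page shows ARERR 49000 here
    if default_enabled and not all(like_to_regex(p).fullmatch(password) for p in DEFAULT):
        return "default"                           # page shows ARERR 49001 here
    if not all(like_to_regex(p).fullmatch(password) for p in clauses):
        return "qualifier"                         # custom Failure Message
    return "ok"

if __name__ == "__main__":
    digit = "%[0-9]%"
    print(check("aA1#", [digit], min_length=4))                         # Scenario 1
    print(check("aaaa", [digit], min_length=4, default_enabled=False))  # Scenario 3
    print(check("7aord7y5", [SPECIAL], default_enabled=False))          # Scenario 4
    print(check("ARRRR1QW", ["%[^A-Z]%", "%[^a-z]%"]))                  # Troubleshooting 2
```

Under this model the bracketed set in SPECIAL does not contain "]", which is why the page's qualifier adds the separate OR clause "%]%".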

 

 
