Setting up a password policy

The Password Policy in Management Center lets you control a user's password selection, so that every password has the characteristics required by the security policy for your site.

Note that you can keep the same user ID and password. If you do not want to allow the user ID to be used as the password, enable Do not allow.

A password policy defines attributes with which the password should comply:

  • Whether the user ID and password can match.
  • Maximum occurrence of consecutive characters.
  • Maximum instances of any character.
  • Maximum lifetime of the passwords.
  • Minimum number of alphabetic characters.
  • Minimum number of numeric characters.
  • Minimum length of password.
  • Number of previous passwords to check against when the user selects a new password.
  • A password policy cannot be created or deleted on its own in CMC. When you create a security policy, you must define both its password policy and its account lockout policy.
  • You can change the characteristics of an existing password policy by selecting the policy in the list and clicking Change.
  • Alternatively, you can implement custom password policies by extending the validatePasswordCompliance method of the AuthenticationPolicyCmd interface.
Notes:
  1. You cannot delete a password policy if it is in use (that is, a user is assigned to the password policy).
  2. Password policies are enforced only if users are authenticated against the HCL Commerce database.
See Default authentication policies for additional information.

Procedure

  1. Open Management Center Tools.
  2. From the hamburger menu, click System Administration > Security Policies.
  3. The new security policy has its own password policy.
  4. Enter a name for the security policy and click Next. On the Define Password policy page, create the password policy required for the security policy.
  5. Update any of the following options whose default value does not suit your site:
    Option - Description
    Can the userID and password match? - Defines whether the userID and password can be identical. Select either Yes or No from the list.
    Maximum consecutive character types - Defines the maximum occurrence of consecutive characters in a password. The minimum value is 2 consecutive characters. For example, with a value of 2, a user cannot enter a password such as aaabc.
    Maximum instances of any character - Defines the maximum number of times the same character can appear in a password. The minimum value is 1 instance of a character. For example, with a value of 2, a user cannot enter a password such as abcaabc.
    Maximum lifetime of the passwords - Defines the maximum amount of time, in days, that a password can exist. The minimum value is 1 day. After this period, the user is prompted to change their password.
    Minimum number of alphabetic characters - Defines the minimum number of alphabetic characters that must be in a password. The minimum value is 0 alphabetic characters.
    Minimum number of numeric characters - Defines the minimum number of numeric characters that must be in a password. The minimum value is 0 numeric characters.
    Minimum length of password - Defines the smallest length of a password, in characters. The minimum value is 1 character.
    Number of passwords that are kept in password history - Defines the number of previous passwords to check against when the user selects a new password.
    Note: By default, when you create a new password policy, a user's four previous passwords cannot be reused.
  6. Click Next.
  7. For an existing security policy, you can update the existing password policy by changing the values entered. After updating the values, click Save to save the password policy.
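The following is an added example, not HCL Commerce code, that shows how the policy options in the table above translate into concrete checks. It mirrors the attributes one for one (user ID match, consecutive characters, instances of a character, alphabetic and numeric minimums, minimum length, password history, and lifetime) so you can confirm what a given setting will reject before rolling it out. The class and function names (PasswordPolicy, check_password, password_expired, history_digest) and the default values are assumptions for illustration; the product itself enforces these rules through the validatePasswordCompliance method of AuthenticationPolicyCmd, and it compares history against its own stored credential form rather than the plain SHA-256 digest used here.

```python
"""Reference checks for the password policy options described on this page.

Added example, not HCL Commerce code. Names and default values are
hypothetical; the product enforces these rules via
AuthenticationPolicyCmd.validatePasswordCompliance.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import groupby
import hashlib


@dataclass(frozen=True)
class PasswordPolicy:
    """One field per policy option (field names and defaults are assumptions)."""
    userid_may_match: bool = False   # "Can the userID and password match?" set to No
    max_consecutive: int = 2         # longest run of the same character, e.g. rejects aaabc
    max_instances: int = 2           # times any single character may appear, e.g. rejects abcaabc
    max_lifetime_days: int = 90      # days a password may exist (constructed value)
    min_alpha: int = 1               # minimum alphabetic characters
    min_numeric: int = 1             # minimum numeric characters
    min_length: int = 8              # minimum length in characters
    history_size: int = 4            # previous passwords that cannot be reused (page default)


def history_digest(password: str) -> str:
    """Digest used for the history comparison in this example only.

    A production credential store keeps a per-user salted, slow hash;
    plain SHA-256 is used here so the example runs stand-alone.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(policy: PasswordPolicy, user_id: str, password: str, history=()):
    """Return the names of violated rules; an empty list means the password complies.

    `history` holds digests of earlier passwords, most recent first; only the
    first `policy.history_size` entries are consulted, as the option describes.
    """
    violations = []
    if not policy.userid_may_match and password == user_id:
        violations.append("matches_user_id")
    # Longest run of one repeated character (groupby splits on each change).
    longest_run = max((len(list(run)) for _, run in groupby(password)), default=0)
    if longest_run > policy.max_consecutive:
        violations.append("too_many_consecutive")
    # Total occurrences of the most frequent character, anywhere in the password.
    if password and max(Counter(password).values()) > policy.max_instances:
        violations.append("too_many_instances")
    if sum(c.isalpha() for c in password) < policy.min_alpha:
        violations.append("too_few_alphabetic")
    if sum(c.isdigit() for c in password) < policy.min_numeric:
        violations.append("too_few_numeric")
    if len(password) < policy.min_length:
        violations.append("too_short")
    if history_digest(password) in list(history)[:policy.history_size]:
        violations.append("reused_recent_password")
    return violations


def password_expired(policy: PasswordPolicy, last_changed: str, today: str) -> bool:
    """True once the password has been in use longer than the policy lifetime.

    Dates are ISO-8601 strings (YYYY-MM-DD) so the check is easy to call.
    """
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=policy.max_lifetime_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample inputs: the two rejected examples from the page plus a compliant one.
    for candidate in ("aaabc", "abcaabc", "Xy7kq2mv"):
        print(candidate, "->", check_password(policy, "jdoe", candidate) or "compliant")
```

The two sample passwords from the page fail for more than one reason under these defaults, which is worth seeing in the output: aaabc trips the consecutive-character, instance, numeric and length rules at once, so a user-facing message should list every violated rule rather than the first one found.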