V 2. Password Controls

One of the most common ways for an attacker to gain access to confidential systems is to guess a user's password, or to run a brute-force script against the sign-on page with commonly used passwords. It is a well-known problem in IT security that end users tend to pick the simplest password the system allows so that it is easy to remember. As a security administrator you have to be sensitive to the fact that an end user may have to remember several passwords, one for each of the applications they use in their business activities. At the same time, the security administrator is responsible for making the system as secure as possible without hindering legitimate end users' ability to access it.

To make a user's password hard for an unauthorized party to guess, industry-standard security frameworks publish recommendations on the complexity, maximum age and reuse of the passwords that end users are allowed to set on their accounts.

The PeopleSoft Password Controls page lets the security administrator configure the complexity, expiration, lockout and history rules applied to passwords in the PeopleSoft system.

Navigation:

PeopleTools >> Security >> Password Configuration >> Password Controls


Figure V‑2 System Security – Password Controls

1. Enabled: Select this check box to enable the sign-on PeopleCode that implements password expiration and account lockout. The remaining controls on this page (password matching, requirements, history and purge) are not governed by this check box.

2. Password Expiration/Never Expire: Users are never forced to change their password.

3. Expires in (days): Users are forced to change their password periodically, after the number of days entered in the Days field.

a. Without Warning: Select to expire the password automatically, with no advance notice, once it has not been changed within the specified number of days. Users cannot access the application until they change their password.

b. Warn for (days): Starting the specified number of days before the password is due to expire, the user is warned at sign-on. The user can reset the password when warned or defer it and continue to access the system until the actual expiration date is reached.

4. Account Lock/Failed Logons: The user's account is locked automatically after the configured number of invalid sign-on attempts. This prevents unauthorized users from making unlimited guesses at a user's password or running brute-force scripts against the sign-on page. Once the account is locked it can only be unlocked by a security administrator with access to the User Profiles page. The counter is reset to 0 every time the user signs on successfully BEFORE reaching the allowed number of invalid attempts. Note that the lockout is also a denial-of-service lever: anyone who knows a user ID can lock that account by deliberately failing sign-on, so set the threshold high enough to stop guessing without making accidental lockouts routine, and make sure the unlock process is staffed.

5. Password May Match

a. User ID: Select to allow a password that is the same as the user's user ID (not recommended).

b. Primary Email Address: Select to allow a password that is the same as the user's primary email address, as defined in the user profile (not recommended).

6. Requirements: Select the conditions a password must meet for PeopleSoft to accept it.

a. Minimum Length: The password must be at least this many characters long.

b. Specials: Minimum number of special characters the password must include.

c. Digits: Minimum number of digits the password must include.

d. Lower case: Minimum number of lower-case characters the password must include.

e. Upper case: Minimum number of upper-case characters the password must include.

7. Password History/Passwords to retain: Prevents users from reusing their current or recently used passwords when they reset them. Passwords to retain sets how many previous passwords are remembered and therefore cannot be reused.

8. Purge User Profiles/Days of inactivity: The system automatically deletes user profiles that have not signed on within the specified number of days of inactivity. This helps keep the security tables limited to valid, required accounts. Because the purge deletes the profile rather than locking it, set the interval with legitimate infrequent users in mind.
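The rules described in items 2 through 7 above, modelled as an added Python example. This is illustration written for this page, not PeopleSoft code or the sign-on PeopleCode the Enabled check box turns on, and it makes a few assumptions that the page does not state: a special character is anything in string.punctuation; password history is kept as salted PBKDF2-SHA256 hashes so old passwords are never stored in clear; the user ID and email match checks are case-insensitive (stricter than an exact compare); a password expires on day N after its last change; and the actual credential check is a callback supplied by the caller (SignonGate, PasswordPolicy, password_violations, password_status and remember_password are names chosen here).

```python
# Added illustration of the Password Controls rules; not PeopleSoft or PeopleCode.
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple

SPECIALS = set(string.punctuation)   # assumption: what counts as a special character
PBKDF2_ROUNDS = 50_000               # assumption: history kept as salted PBKDF2 hashes


@dataclass
class PasswordPolicy:
    """One field per control on the page (Requirements, Password May Match, History)."""
    min_length: int = 8
    min_specials: int = 1
    min_digits: int = 1
    min_lower: int = 1
    min_upper: int = 1
    may_match_user_id: bool = False
    may_match_email: bool = False
    passwords_to_retain: int = 5     # 0 disables the history check


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def remember_password(history: List[Tuple[bytes, bytes]], password: str,
                      policy: PasswordPolicy) -> None:
    """Record a newly set password and trim history to 'Passwords to retain'."""
    if policy.passwords_to_retain <= 0:
        history.clear()
        return
    salt = os.urandom(16)
    history.append((salt, _hash(password, salt)))
    del history[:-policy.passwords_to_retain]   # keep only the newest N entries


def password_violations(candidate: str, user_id: str, email: str,
                        history: List[Tuple[bytes, bytes]],
                        policy: PasswordPolicy) -> List[str]:
    """Return every Requirement / May Match / History rule the candidate breaks."""
    rules = [("special characters", lambda c: c in SPECIALS, policy.min_specials),
             ("digits", str.isdigit, policy.min_digits),
             ("lower-case characters", str.islower, policy.min_lower),
             ("upper-case characters", str.isupper, policy.min_upper)]
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"needs at least {policy.min_length} characters")
    for name, pred, minimum in rules:
        have = sum(1 for c in candidate if pred(c))
        if have < minimum:
            problems.append(f"needs at least {minimum} {name}, has {have}")
    # assumption: match checks are case-insensitive (stricter than an exact compare)
    if not policy.may_match_user_id and candidate.lower() == user_id.lower():
        problems.append("matches user ID")
    if not policy.may_match_email and email and candidate.lower() == email.lower():
        problems.append("matches primary email address")
    if any(hmac.compare_digest(_hash(candidate, s), d) for s, d in history):
        problems.append(f"reuses one of the last {policy.passwords_to_retain} passwords")
    return problems


def password_status(last_change: str, today: str, expires_in_days: Optional[int],
                    warn_for_days: int = 0) -> str:
    """Sign-on time Password Expiration check on ISO dates. None = Never Expire,
    warn_for_days=0 = Without Warning. Assumption: expiry is day N after the change."""
    if expires_in_days is None:
        return "OK"
    expiry = date.fromisoformat(last_change) + timedelta(days=expires_in_days)
    now = date.fromisoformat(today)
    if now >= expiry:
        return "EXPIRED"   # no access until the password is changed
    if warn_for_days and now >= expiry - timedelta(days=warn_for_days):
        return "WARN"      # user may change now or defer until expiry
    return "OK"


class SignonGate:
    """Failed Logons counter: lock after max_failed consecutive failures, reset the
    counter on any success before that, and require an administrator to unlock."""

    def __init__(self, max_failed: int, verify: Callable[[str, str], bool]):
        self.max_failed = max_failed
        self.verify = verify            # caller-supplied credential check
        self.failed: Dict[str, int] = {}
        self.locked: Set[str] = set()

    def signon(self, user_id: str, password: str) -> str:
        if user_id in self.locked:
            return "LOCKED"             # the correct password is refused as well
        if self.verify(user_id, password):
            self.failed[user_id] = 0
            return "OK"
        self.failed[user_id] = self.failed.get(user_id, 0) + 1
        if self.failed[user_id] >= self.max_failed:
            self.locked.add(user_id)
            return "LOCKED"
        return "FAILED"

    def admin_unlock(self, user_id: str) -> None:
        self.locked.discard(user_id)
        self.failed[user_id] = 0
```

Two behaviours worth trying by hand: a run of failures followed by one success resets the counter, so an attacker pacing guesses below the threshold is not stopped by lockout alone (rate limiting or monitoring of the failed-logon counter is still needed); and once an account is locked, the correct password is refused until admin_unlock is called, which is exactly the denial-of-service property noted under item 4.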