Your suggested change has been received. Thank you.

OneWelcome Identity Platform
- Explore Thales Docs

IDAAS core
User journey orchestration
- User journey orchestration - Access component
- User journey orchestration - Tulip component
Consent and preference management
Delegated user management
- Getting started
- Roles
- Rules
- User management
- Self service page
- Data
- APIs
- Apps
- Jobs
- Reports
Externalized authorization
Identity broker
Mobile identity
- Mobile identity - Access component
- Mobile identity - Tulip
Mobile SDK
API references
Release notes and FAQ
Integrations

All

All
CipherTrust Manager
CipherTrust Application Data Protection (CADP)
CipherTrust Application Key Management (CAKM)
CipherTrust Batch Data Transformation (BDT)
CipherTrust Cloud Key Management (CCKM)
CipherTrust Data Discovery and Classification (DDC)
CipherTrust Data Protection Gateway (DPG)
CipherTrust Database Protection (CDP)
CipherTrust Intelligent Protection (CIP)
CipherTrust Integrations
CipherTrust Migrations
CipherTrust RESTful Data Protection (CRDP)
CipherTrust Transparent Encryption (CTE)
CipherTrust Transparent Encryption Userspace (CTE-U)
CipherTrust Secrets Management (CSM)
CipherTrust Vaulted Tokenization (CT-V)
CipherTrust Vaultless Tokenization (CT-VL)
CTE-Linux
CTE-Windows
CTE-AIX
CTE-K8s
CTE-U
Crypto Command Center
Data Protection on Demand
Luna Cloud HSM
Luna Network HSM
Luna PCIe HSM
Luna USB HSM
OneWelcome Identity Platform
ProtectApp LUKS
ProtectServer 2 HSM
ProtectServer 3 HSM
SafeNet Trusted Access (STA)
SafeNet MobilePASS+
SafeNet MobilePASS+ for Android
SafeNet MobilePASS+ for Chrome
SafeNet MobilePASS+ for macOS
SafeNet MobilePASS+ for iOS
SafeNet MobilePASS+ for WatchOS
SafeNet MobilePASS+ for Windows
SafeNet Synchronization Agent
SafeNet Logging Agent
SafeNet Agent for FreeRADIUS
SafeNet Agent for NPS
SafeNet Agent for Windows Logon
SafeNet Authentication Service Private Cloud Edition (SAS PCE)
SafeNet Remote Logging Agent
SafeNet Keycloak Agent
SafeNet IDPrime Virtual (IDPV)
SafeNet FIDO Key Manager
SafeNet FIDO Key Manager for Android
SafeNet FIDO Key Manager for iOS
SafeNet FIDO Key Manager for Windows

Credential store

Password policies

IDAAS core
Getting started with the OneWelcome Identity Platform
Events
IDAAS core - Access
- Securing resources
- Client authentication methods
- Client application configuration
  - Scope configuration
  - Identity providers
  - Resource gateway configuration
  - Scopes API
  - Scope Verification Service
  - Identity provider API
  - Protected data in single-page apps
- OAuth 2.0 and OpenID Connect
  - OpenID Connect
  - OpenID Connect authentication
  - OpenID Connect scopes and claims
  - User claims and attributes
  - OpenID provider configuration
  - ID token encryption
  - Web clients
    - Resource owner password credentials
    - Uniquely identify guests
    - Migration of web clients with hashed secrets
    - Web clients API
  - Tokens
    - Access tokens
    - ID tokens
    - Refresh tokens
    - Access token API
    - Token introspection API
  - iFrame session monitoring
    - Relying party iFrame
    - End session API
    - Session management APIs
  - Relying party examples
  - OAuth endpoints
  - OAuth configuration
  - Discovery API
  - JSON Web Key Set API
  - User information API
  - OAuth consent API
- Custom authenticators
- General system properties
  - Configure system features
  - Session configuration
  - CORS support
  - Extension engine properties
  - SAML service provider configuration
  - API clients API
  - Responsible disclosure policy
- Access events
  - Audit events
  - Audit log
  - Events API
  - Security events
- Web hooks
  - Web hooks configuration API
- User session API
IDAAS core - Tulip
- Tenants and brands
- Identity store and data model
  - SCIM API
  - SCIM schemas
  - SCIM user management
  - SCIM user attributes
  - SCIM API versions
- Credential store
  - Email address management
  - Password management
  - Password policies
- OAuth 2.0 and OpenID Connect
  - OAuth 2.0 and OpenID Connect setup
  - Device flow
  - OAuth client authentication methods
  - Proof Key for Code Exchange
  - Step-up authentication
  - OAuth 2.0 and OpenID Connect API
  - Dynamic client registration API
  - OAuth OIDC error handling
- Account lockout
- Session management
- Event store
- API rules
- Reports
- Email overview
Authentication
- Authentication FAQ
- Password migration

Was this document helpful? Yes No

Feedback Sent!

If you like, you can provide additional feedback.

OneWelcome Identity Platform
IDAAS core
IDAAS core - Tulip
Credential store
Password policies

Password policies

Password policies define the password requirements for your users. A password policy is a set of rules that encourage users to create strong passwords and use them properly. A password policy is often part of an organization's official regulations and might be taught as part of security awareness training. The password policy can either be advisory or mandated by technical means.

The OneWelcome Identity Platform supports password policies that are considered commonly-accepted best practices. When commonly-accepted password policies are not considered sufficiently secure, you can use two-factor authentication (2FA) to enhance security.

Changing the password policy does not trigger a password migration process. Instead, the new password policy applies whenever a user sets a new password.

Password complexity

The OneWelcome Identity Platform applies industry standard password rules that are considered best practices by commonly-used identity stores. It rejects passwords that include the username or that are the same as the formattedName.

It is a best practice to not allow spaces in passwords, although the OneWelcome Identity Platform supports passwords that contain spaces.

Password history

The password history policy determines the number of unique new passwords that a user account must have before an old password can be reused. For every user, the OneWelcome Identity Platform keeps a password history that any new password is checked against. For security purposes, passwords are stored in a hashed format.

Password reuse is an important concern in any organization, because many users want to reuse the same password for their account over a long period. The longer the same password is used for a user account, the greater the risk that an attacker can determine the password through brute force attacks. If users are required to change their password, but can reuse old passwords, the effectiveness of a good password policy is greatly reduced.

Configure the password policy

Log in to your OneWelcome Identity Platform and select your tenant, if required.
In the top-right of your browser, in the Applications menu, select Configuration.
On the OneWelcome Identity Platform console, select Core > Password policy.
Enter the Password rules:
- Minimum character length: Specify the minimum password length. NIST Digital Identity Guidelines recommend a minimum length of at least eight characters.
- Required minimum categories: Specify the minimum number of character categories that a password must include.
Enter the Required minimum characters. For each category, specify the minimum number of characters that a password must include.
- Lowercase
- Uppercase
- Special
- Digits
It is a best practice to not allow spaces in passwords.
Enter any Forbidden characters that passwords are not allowed to include:
- Leading
- Trailing
Enter the Expiration:
- Days of password validity:
- Ask users to change password (in days):
Enter the Password history:
- Enabled: Select Yes or No.
- Days of maximum history: The default password history maximum is 100 days. After the maximum number of passwords are stored, the OneWelcome Identity Platform purges the oldest passwords.
- Hashing algorithm: The OneWelcome Identity Platform supports the following hashing algorithms:
  - 3DES
  - AES
  - BASE64
  - BLOWFISH
  - CLEAR
  - CRYPT
  - MD5
  - PBKDF2
  - RC4
  - SHA
  - SMD5
  - SSHA
  - SSHA256
  - SSHA384
  - SSHA512
  - RSSHA1
  - RSMD5
- Prohibited password history: Specifies the number of passwords that users cannot reuse. The default is 10.
- Prohibited reuse duration (in days): Users cannot reuse any password that was set during this period (in days). The password history period is set to 365 days (one year) by default.
Select Save.

On this page

Password complexity
Password history
Configure the password policy

OneWelcome Identity Platform

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Support Contacts
Legal
- End User License Agreement
- Terms of Service

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Print

Suggest An Edit

Download this Page

Download Project

Copy Link

Copy Link

Copy Link