PeopleSoft Password Controls

If you are using internal PeopleSoft authentication (not 3rd party LDAP), then PeopleSoft provides some useful password controls to improve the security of your system.

These can be found under:

PeopleTools > Security > Password Configuration > Password Controls

Behind the scenes this information is stored in the table PSSECOPTIONS. Password controls are enabled by Signon PeopleCode. This PeopleCode (as delivered) exists in Record PeopleCode on FUNCLIB_PWDCNTL.PWDCNTL.FieldChange within the function Password_Controls. So if you wanted to, you could modify this Signon PeopleCode to perform extra security checks.

password-controls.png

Some of the more useful things you might consider setting here are:

  • Set a password expiry e.g. 180 days and warn for at least a week.
  • Maximum logon attempts (e.g. 5)
  • Don't allow the password to match the user ID.
  • Minimum password length (at least 8 characters)
  • Have at least one digit in the password

Remember password security is one of those comprimises between covenience and security. You could also set the number of passwords to retain to stop people reusing their old passwords. If there's ever a breach in security, then this might be a good feature to enable.

How does PeopleSoft check for the scenarios you've set? There are three places that have code to do this:

  • Password_Controls function in FUNCLIB_PWDCNTL.PWDCNTL.FieldChange (Signon PeopleCode)
  • Validate_Password function in FUNCLIB_PTSEC.OPERPSWD.FieldFormula (called when modifying users)
  • Password_History function in FUNCLIB_PTSEC.OPRID.FieldFormula (called when modifying users and password history checking is enabled in the password control).

Password_Controls peforms the following validation:

  • Incrementing failed login attempts in PSOPRDEFN.FAILEDLOGINS when a user enters an invalid password.
  • Checking the maximum logon attempts by using the failed logins stored in the operator definition table (PSOPRDEFN.FAILEDLOGINS). Note that if the failed logins reaches the maximum amount set, it will lock the account.
  • Checking password expiry which is the difference in days between the system date and the last password change made by the operator (PSOPRDEFN.LASTPWDCHANGE).

Validate_Password performs the following validation:

  • Not allowing the operator ID to match the password is a compare between the operator ID and operator password fields in the operator definition table (PSOPRDEFN.OPRID <> PSOPRDEFN.OPERPSWD).
  • Checking the length of the operator's password against the minimum password length settings.
  • Checking that the password contains at least the required number of digits or special characters. PeopleSoft special characters consist of the following: !@#$%^&*()-_=+\|[]{};:/?.<>,` as well as a blank space.
  • Checking that if the password has expired, the user does not enter the same password - they need to change their password.

Password_History peforms the following validation:

  • If password history checking is enabled in the password control settings, it goes through the record, PSPSWDHISTORY, going back the relevant number of password changes and compares the encrypted password in the password history table against the encrypted password being entered by the user. If they match then it gives the appropriate error.
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License