ACS Password Management

dear all,
i would like to ask about system configuration/local password management option located on ACS application.
on this page i can specify the min max password length, alphanumeric password or not, and finaly if the password can contain the user name,
my question is, shall this options apply to administrator users only? or ACS VPN authenticated users and groups (end user) only? or both of them?
in addition, if the users are created before configuring the ACS local management policy, and users are already created with a criteria different then what a local password management identify, for example a user has a password not alphanumeric, and now i am going to configure the policy to force the password to be alphanumeric, what do happen for those users(users created before configuring the policy that do not match the new criteria configured)?
finally, is there a way to configure a password expiry date?

administrator password settings is located in administration control password policy.
in system administration there is no user authentication settings, but there is local password management only.
so this local password management might be for users who authenticate on acs as long as there is a separate password policy on administration control page.
i would like to ask modifying this policy, shall this will affect users passwords only? or group users passwords? or both?
as long as i can have a user password and a group password (to which the user is assigned) different from each others.
the last point is the password lifetime, on versions previous to acs 5.3, we can set password lifetime in group users/edit group setup. but what if i dont want to change group user password lifetime, but i want to change the user password lifetime? where can i set it?

Similar Messages

  • Fingerprin​t Reader access to KeePass (from a Thinkpad with Password Manager)

    The goal: secure, convenient, automated login to password-protected sites
    KeyPass is a great open-source program for secure creation, storage and use of login passwords and other information. With a plugin called KeeForm, it allows very convenient automatic login to password-protected sites by clicking on a KeePass entry. To preclude unintended access to all of your secure information, it is wise to close Keepass after each use, or set Keepass to lock when minimized. But this is less convenient, because a long secure master password then has to be entered before each use of Keepass.
    Using a fingerprint reader to enter Keepass can be a big time saver while retaining security. Capacitive swipe fingerprint readers can be very secure, provided they operate through equally secure software. They are available as USB units, or integrated into some keyboards and notebook computers, for example some Lenovo ThinkPads.
    Unfortunately, set-up can be a challenge and there may be disadvantages even after the best workable interface between KeePass and a particular biometric system. This example uses the integrated fingerprint reader and software on a Lenovo ThinkPad X61.
    The problem: getting secure fingerprint software to use KeePass
    ThinkPads can use Lenovo fingerprint software alone for start-up into Windows, but they need additional layers of software (Client Security Solution - CSS, and Password Manager  - PM) to work with other programs including KeePass. PM uses CSS security functions.
    Cautions about Lenovo CSS:
    1. Some organisations advise against CSS because of problems including clashes with antivirus programs. See and​tware_Under_Windows_Vista
    These bugs may have been fixed over time - but install at your own risk!
    2. CSS and PM introduce their own system overheads which may slow some operations.
    3. Once tried, CSS may not simply be inactivated while restoring basic fingerprint start-up into Windows. The X61 at least insists that CSS be reactivated for any fingerprint function. If you try a Windows system restore to a time before CSS was first activated, you may experience the ‘blue screen of death'. The security chip evidently regards your desire for a past configuration as a security breach. With luck you may ‘live again' if you can log into Windows in Safe Mode to undo the attempted system restore. After that, I reactivated CSS. I was not game to try uninstall after inactivation of CSS - but see the ncsu link above.
    Having decided to accept the ‘risks' of activating CSS and PM, you may want to try PM for all password management. For me it would not recognise some internet logins, could not complete auto-submission in others, and did not allow the manual adjustments that make KeePass so versatile. Unfortunately PM help is very limited. There is no current user manual (old manuals up to v1.4 available on the web do not match the properties of the current v3 of the software). KeePass (or the KeeForm plugin) also struggles with some sites, but it works much better overall. Help on KeeForm plugin syntax is limited, but otherwise KeePass help is great.
    So we really want the fingerprint reader (via PM) to work for KeePass master password entry.
    This is not so simple for five interacting reasons:
    (i)  It is tricky to register KeePass in PM;
    (ii) PM then gets confused by ‘hidden' entry of a master password during fingerprint login to KeePass, and repeatedly tries to save ****** as a changed master password;
    (iii) PM also tries to automatically register each entry opened for editing within KeePass;
    (iv) PM tries to automatically register other logins even if they are managed through KeePass.
    (v) Your KeePass records are now only as secure as your PM login (which is likely to be your Windows login).
    The solutions: or workarounds at least
    The best workarounds I could develop for these five issues were:
    (i) To register KeePass in PM, first ensure that PM is running (icon in the system tray). Then launch KeePass, click the login window box for unobscured password display (three blue dots turn black), enter the master password and click OK to start KeePass as usual.
    If PM does not offer to save an entry for KeePass by this stage, try ‘plan B'. Open a window to edit an entry in KeePass, then click Cancel. PM seems to recognise this more readily as a login window and may offer to create an entry. Accept the offer, and name the entry KeePass. Then open PM to edit the saved entry. You will have to edit several fields to achieve an effective PM entry for KeePass:
    The title field must be "Open database - database.kdb", to match the title of the KeePass login window.
    The file name field should show the full path to KeePass.exe (something like C:\Program Files\KeePass\PeePass.exe depending on your installation).
    The login and password data field is accessed by double clicking the entry. It will need to show only your KeePass master password (in the unobscured text view). In login and password data, delete each line of unwanted text until you get to the final password line (shown as *****), and edit this line to provide your master password.
    In the Advanced tab, select auto-fill and auto-submit and the desired security level [see (v) below]. Then select OK to get to the PM front window, and File - Save Changes, then Exit.
    Now when you close and re-launch KeePass, PM should automatically intervene (requesting a fingerprint to complete the KeePass login if you selected that security level. Select ‘No' when PM asks to change the password [see (ii) below].
    If you had no luck, try ‘plan C'. Close KeePass completely, then launch it again to open the login window. Then right-click the PM icon in the system tray, open the ‘Type and Transfer Tool', click the box for unobscured password display, type in the KeePass master password, drag the cross-hairs to the password field in the waiting KeePass login window, and release the password there. Click OK to start KeePass as usual, then click OK to close the PM transfer window. If there is still no KeePass entry in PM, check that KeePass has not been included in the PM excluded programs list. If this sequence does not work, reboot and check again. Failing all else, any entry that PM succeeds in making from any login page can be edited to an effective KeePass entry by editing fields as described above for ‘plan B'.
    PM (v3.00) can be coy to associate initially, but it will accept KeePass (v1.14) as a password-managed program, and thereafter it reliably succeeds to auto-submit the KeePass login after some help described in (ii) below.
    (ii) Having sent the correct master password to the KeePass login window, PM becomes confused by the ‘hidden' text now in the password field, and offers to change its record of your KeyPass master password to ******. You can manually select ‘No' in the PM changed-password dialogue box that appears every time you use PM / fingerprint for KeePass login. But Beware: if you ever accidentally select ‘Yes' (the default) your KeePass master password record in PM will be changed to ******. This can be edited to provide the correct password again, but it is more than a minor pain in the AR5E. Unless you know (or have a backup of) your KeePass master password you just lost access to your KeePass database!
    To avoid this big nuisance and risk, you can set up to restart KeePass for each use from a desktop shortcut (instead of minimising it to the system tray) and have the shortcut run a batch file with vbs scripts that send the ‘No' message to PM automatically.
    Here is an example batch file, with corresponding vbs scripts. You can make all these files using Notepad and save the files with the names indicated, into the KeePass program directory (C:\Program Files\KeePass in this example).
    KeePass.bat (This launches KeePass and tells PM v3 not to change the password. Caution: If Lenovo changed PM program design in future, the effect could change; the batch file might send {TAB}{ENTER} keystrokes to another open window on your computer):
    cd "C:\Program Files\KeePass"
    start " " "C:\Program Files\KeePass\KeePass.exe" "C:\Program Files\KeePass\Database.kdb"
    start /w Sleep.vbs 1
    start /w AppActivate.vbs
    start /w SendKeys.vbs
    Sleep.vbs (provides a short delay to open the ThinkVantage dialogue window, otherwise the following scripts fail because they are sent too soon):
    Wscript.Sleep Wscript.Arguments(0) * 1000
    AppActivate.vbs (puts focus on the ThinkVantage  Password change dialogue window so that Tab and Enter commands are not sent elsewhere with undesired effects):
    CreateObject("WScript.Shell").AppActivate "ThinkVantage Password Manager"
    SendKeys.vbs (sends a ‘No' response to the PM request to change its KeePass entry):
    CreateObject("WScript.Shell").SendKeys "{TAB}{ENTER}"
    Please substitute ) where you see smileywink: in the vbs scripts above - I can't get this forum window to stop automatically translating the " ) sequence of text (without a space) as an emoticon.
    This batch file approach should work with additional startup switches for KeePass, for example the /backup.path: switch used by ‘another backup' plugin (or you can use the db_backup plugin that works from the KeePass.ini file). Quotes are needed around any entry with spaces. But some things that ‘should work' such as just writing "KeePass.exe" instead of the full path in line 4 of the batch file do not give the same outcome for me. This may be an effect on timing of the switch of focus between windows - so if you strike a problem it may be worth experimenting with the delay time set through the sleep script.
    If you set KeePass to lock when minimised, you will have to deal manually with the PM changed-password dialogue every time you re-access KeePass. So it is simpler to close rather than minimise KeePass after each use and restart it when needed, via the batch file.
    (iii) You have to tell PM ‘No' whenever it offers to save an entry that is edited in KeePass. This is less of a nuisance, because entries rarely need to be edited once set up in Keepass.  There is no way to turn off this requirement. If you select ‘Never' it will prevent use of PM and therefore fingerprint entry to start KeePass (not just the edit window).
    (iv) Turn off internet login within PM. This will leave all internet logins to KeePass. Unfortunately you can not set PM to only allow a single program login (KeePass), but you can set it to exclude specific programs, so do that for other programs that you access via KeePass.
    (v) Finally, set PM security within CSS so that a fingerprint (or a password if the fingerprint reader fails) is needed every time PM is launched (not just once per boot). Similarly, set KeePass security this way within PM. Otherwise (if you set the requirement to once per boot) your passwords are open to inspection while you are away from your booted computer.
    Caution: How secure is your Windows login password? Most likely this is also your PM login password, so it now allows access to your KeePass database! Make sure that it is a unique, secure and preferably memorable password.
    How close are we now to the desired combination of security and convenience?
    Click on the KeePass shortcut to the batch file given above, swipe the fingerprint, wait while CSS works, then click on the relevant Keepass entry to access any password-protected site or application in your Keypass list - great convenience.
    Security is very strong - both KeePass and PM are extremely secure unless you use a weak or insecure master password or select less secure settings.
    Starting (or opening a locked instance of) KeePass without the batch file given above requires a couple of extra carefully-placed clicks in the process to tell PM not to mess up its entry for KeePass, then to complete KeePass startup. This is less convenient, and a mistake could prevent future database access - so the batch file method is recommended.
    A final caution (while enjoying secure & convenient logins):
    Beware - fingerprint access is so convenient that you may forget your master passwords! Eventually they will be needed! You may click the wrong button in PM, suffer a faulty fingerprint reader or change computers! Then you must recall your master passwords before you can access your password file (and possibly your computer). This could be devastating: loss of all secure password information in KeePass and PM (and possibly loss of all information on a protected computer drive, not to mention need to pay for a computer motherboard and HDD replacement). So:
    1. Choose very secure but ‘unforgettable' master passwords for KeePass and computer (PM) access.
    2. Always set up a secure master password as an alternative to biometric authentication (in case of a faulty fingerprint reader).
    3. Keep your password database backups, and your separate master password backups, in another secure (preferably encrypted) but accessible location!
    Program versions tested:
    KeePass v1.14 (v2 betas not tested) with KeeForm v2 and DB_Backup v1.14
    Lenovo CSS v8.20 with PM v3.00
    The solutions were tested in November 2008 on a Thinkpad X61 running Windows Vista Business. The tricks to interface with KeePass can vary between fingerprint programs (search the KeePass forum).
    Message Edited by r_g_b on 11-03-2008 07:01 PM
    Message Edited by r_g_b on 11-04-2008 12:00 AM

    I'm reviving quite an old topic here, but I have been unable to find any other good information on this.  I currently use the latest version of Keepass v2.23 and have Lenovo Passoword Manager v4.3 installed on my new W530 laptop.  I can't get PM to recognize any passowords at all, in web browsers or in windows application.  
    In PM the only thing I can do is create folders and secure notes.  My fingerprint software works great for automated logins to windows.  Does anyone have any experience with using the fingerprint reader with a windows application like Keepass?  
    How can I get the Password manager to do ... anything?  Recognize a password in windows or a web browser?
    I'm open to any other software to be used or I can write scripts if necessary to accomplish this.  It doesn't seem like this should be so difficult, but from what I've learned about Lenovo so far, is that nothing is easy.  After trying to get battery charge thresholds working proplery in Windows 8, I've already lost faith in a company that I thought had a great reputation.  

  • I have a password manager built into my fingerprint scanner. It worked on the older version of Firefox but it will not on this new version. It will not recognize log in pages and will not load information.

    With the old version, all I had to do was go to the log in page to any of my email accounts or membership sites and scan my finger. It would fill in the fields and open my account. I like this new version of Firefox, but if I am not able to use that password manager then I will have to install the older version.

    A 2008 black MacBook can run OS X Lion (OS X 10.7). However, if you want to use that Mac for apps that do not work with the new MacBook, I recommend you to leave it with Mac OS X 10.6.8, because OS X Lion removes compatibility with PowerPC apps.
    Do not worry about the battery of the new MacBook Pro. You can replace it yourself or take it to an Apple Store or reseller, and the cost is similar. However, it's important to take the Mac to an Apple Store or reseller if your Mac's battery fails while the Mac is in warranty, because you will get the battery replaced for free.

  • How to delete wrong passwords saved in the password manager

    Hi, made a really stupid mistake by typing in my password incorrectly twice for a new email account, and think they have all been saved in the password manager... so now, everytime when I try to log in, three passwords will come up for me to choose.... really annoying, how can I delete the wrong passwords?? Please help

    Reading between the lines (...the word entire gave me a much needed clue) I realized that both my wife and I had passwords to this website and I needed to delete both sets of lines. After months of not thinking of this system quirk it's now done. Thanks.
    Of course, I had been clicking on the entire line, username-website-password, but it hadn't been working. I had given up months ago but now just felt lucky to try again.

  • Looking for a good Password Manager App for the iPhone

    I'm looking for a good and reliable Password Manager App for the iPhone with sync capabilities on macs. I've read several reviews on several different apps on iTunes, and either they don't work properly, or they're a rip off, or they just don't sync or all of the above. Any recommendations?
    Thanks in advance.

    I've been very happy with 1Password, though I haven't used the iPhone component (not having an iPhone).
    Disclaimer: any product suggestion and link given is strictly for reference and represents my opinion only. No warranties express or implied. I get no personal benefit from the sale of any product I may recommend in any of my posts in the Discussions. Your mileage may vary. Void where prohibited. You must be this tall to ride. Objects in mirror may be closer than they appear. Preservatives added to improve freshness. No animals were harmed in the making of this post.

  • I'm looking for a simple, secure password manager. Any thoughts

    Been browsing the Apple store for a password manager.There is a couple highly rated ones.But wanted to expand my search.

    Hi Mark,
    No need to restrict your choice to the preset Pages Templates. Do a web search and choose a Word template. Pages will open Word documents and templates. Or design your own:
    This is a Table I inserted into a blank Pages Word Processing document. Format the date column in Inspector > Table > Format > Cell Format. Select the first Date cell,then drag the fill handle down to increment the dates.

  • After updating to the new browser, my password managing program could not work any longer. I had to go back to the previous version but was wondering when this can be fixed?

    RoboForm password manager stopped working when I updated to the latest version of Firefox. I will contact them as well but I am using rf version 6 and would have to pay (again) to update that program to version 7. This is a vital program because I use a lot of different sites and really would like to continue to use with the Firefox browser.

    Thanks for your help.  I had already done the "forget this device" but had forgotten about the part of entering the passcode with the keyboard in order to pair.  I found my instruction sheet after I posted my cry for help and when I did the pairing procedure right, it worked.  It's weird that it decided to unpair itself.  Both my husband and our daughter have the same keyboard and neither of them have had this happen.  At least now I know what to do if it happens in the future.

  • My Password Manager icon has disapeared from my toolbar and no longer works. I have checked all settings with no luck in getting it to reappear.

    The password manager has disappeared (icon and all) and no matter what I can't get it back & running. I have checked tools/security and all is set as should be.
    == This happened ==
    Every time Firefox opened
    == Just discovered it this A.M.

    There is No Pre-installed Youtube App in iOS 6.

  • This Nightly feedback, Steganos password Manager drop and drag functionality no longer works after last update.

    Cut and paste still works but the drop and drag so longer works.
    This for Nightly Beta 64 bit.

    I too have the problem: W7 64 bit. Drag and drop worked until yesterday when I "upgraded" to FF v 26.0 - I can no longer drag passwords etc from my password manager to website fields - a barred circle appears when I try to drag.
    I tried pressing ESC (one profferred solution) and also reset FF to no avail.
    This is more than annoying: some of my passwords are dozens of characters long and there's no way I can access sites by typing them in! I need a solution, even if it's reverting to a previous version.

  • W510: the password manager is no longer active

    Recently, I had to restore the OS, and afterward I noticed two changes:
    > The ThinkVantage Password Manager was no longer active, meaning that it no longer prompted me for passwords.
    > The fingerprint icon changed.
    Any ideas as to what I can do to get the Password Manager working again?

    iForgot iCloud Password
    Alternatives for Help Resetting Security Questions and/or Rescue Mail
         1. If you have a valid rescue email address, then use this procedure:
             Rescue email address and how to reset Apple ID security questions.
         2. Fill out and submit this form. Select the topic, Account Security. You must
             have a Rescue Email to use this option.
         3. This is the only option if you do not already have a valid Rescue Email.
             These are telephone numbers for contacting Apple Support in your country.
             Apple ID- Contacting Apple for help with Apple ID account security. Select
             the appropriate country and call. Ask to speak to the Account Security Team.
         4. Account security issues almost always require you to speak directly to an
             Apple representative to securely establish your identity as the account holder.
             You can set it up so that Apple calls you, either immediately or at a time
             convenient to you.
                1. Go to
                2. Choose Contact Support and click Contact Us.
                3. Choose Other Apple ID Topics and choose the appropriate topic for
                    your issue.
                4. Follow the onscreen instructions.
             Note: If you have already forgotten your security questions, then you cannot
             set up a rescue email address in order to reset them. You must set up
             the rescue email address beforehand.
    Your Apple ID: Manage My Apple ID.
                            Apple ID- All about Apple ID security questions.

  • Mail server reports invalid login. Retype login and server accepts it. Password Manager selected.

    TBird v 24.5 running on W7 and Avast Free AV (up to date) running.
    For years TB has been successfully accessing the pop mail account on this PC with Avast, etc...
    Recently the provider (Centurylink/Embarqmail) made some changes. I double-checked the settings against their online list of settings. Also went over them with the Tech Support folks on the phone.
    Upon opening TB, it goes to check mail and reports back:
    Sending of username did not succeed. Mail server responded Auth-status invalid login or password.
    Press OK, then select Re-type PW. Enter the same password as I always have, and select Password Manager to remember.
    TB will successfully check mail.
    Close TB, start it up again, and get the same response. Go though the same motions, and am able to get mail.
    Centurylink/Embarq has said repeatedly that I need to contact the manufacturer of TB... They say they have given me all the support and settings they can.
    I've tried changing all sorts of settings to no avail.
    Hoping that someone out there recognizes this problem and can offer a solution, or give me some items to check to get to the bottom of it.
    Thank you in advance for your time.
    System details as shown are for the PC I'm using to submit the request, not the PC I'm trying to solve the problem upon.

    You can try this:
    Open TB, go to Tools/Options/Security/Passwords, and click saved passwords. Select (click) the email with the password issue, and then click remove. Restart TB.
    The password prompt comes up. Enter password, check the remember option, and see if that fixes the issue by restarting and seeing if it logs in without issue.

  • HP Protect tool password manager not working with the new version of Mozilla: I got this alert: "Firefox doesn't know how to open this address, because the protocol (dpql) isn't associated with any program." please help

    I have an HP ProBook 4520s. I have been using HP Protect tool's Password manager to store and manage my passords for all Login websites in Firefox 3.6. As a result, I just swiped my fingerprint to log on to any website.
    After I installed the version 4 of Firefox, my all my login details do not work anymore. I have tried to reset them but I repeatedly get this error: "Firefox doesn't know how to open this address, because the protocol (dpql) isn't associated with any program."
    something like this would have been passed onto the address: "dpql://c:\program%20files%20(x86)\hewlett-packard\hp%20protecttools%20security%20manager\bin\dpminionlineids.dll/qlinkload.htm#id=2".
    Although the password manager works with Internet Explorer 9, I need it to work with Firefox 4 as this is my preferred browser.
    Please help. Thank you!

    I guess this means that IE is more user friendly for HP Password Manager finger swipe recall of passwords, a favorite of mine. I still don't see a post from Firefox as to why they haven't produced fix. So I'll switch to IE until things change. I don't see value in downgrading to a Firefox version that's no longer going to be supported.

  • Norton password manager does not work on 8. How do I return to a previous version?

    when I updated to firefox 8, Norton password manager does not work. How can I return to a previous version. I am surprised that you introduced an update missing this.

    Norton needs to be updated.

  • Using "Keychain Access" as a Password Manager

    Hello All,
    While searching for a secure, trustworthy password manager I started wondering why I couldn't just use Keychain Access built into the Mac OS.
    I've tried others and they're all nice in their own way but why not use what's already there?
    Any suggestions, concerns or gotchas are welcomed.
    Thanks in advance for your time.

    You can also change the security settings on your keychain and/or create additional keychains. So you might have one keychain with especially secure settings for certain items and another with less secure settings for others. Moreover, you can adjust some settings for each item within a keychain, as well.
    Or you can do what I do which is set up several keychains and then render the whole system entirely pointless by saving the passwords in your original keychain because you are terrified you'll forget them otherwise... (I don't actually know why I set them up this way...)
    My login password is not my keychain password and my keychain locks after a minute, I require a password to wake from sleep/screensaver (though this does not always work properly) and sensitive items require re-entry of the keychain password anyway. So you can set things up so your keychain is more secure if you want to, at the price of some increased inconvenience.
    - cfr

  • I can't get my password manager working. It remembers passwords for websites but when I enter in a new password (because this had to be changed) or when I have a new username + PW that I wish to save, the password manager does not appear.

    I can't get my password manager working. It remembers passwords for websites but when I enter in a new password (because this had to be changed) or when I have a new username + PW that I wish to save, the password manager does not appear.

    If you updated your existing account then try logging out of it on the iPhone by tapping on the id in Settings > iTunes & App Stores and then log back in and see if that 'refreshes' the account on the iPad.
    If you created a new account then you can log out of the old account and in with the new one as above, but any content that you purchased/downloaded via the old account will remain tied to that old account, and only that old account can re-download its content and download updates to its apps.

Maybe you are looking for

  • Unable to print wireless from desktop

    Unit: HP OfficeJet 6500 E709n Wireless Originally setup to print w/USB connection set as USB002 by system default. When I setup a wireless system for my laptop, the HP unit automatically recognized the laptop and printed w/o issue(s). I recently adde

  • Printing of Arabic Report 10g on Printer

    Hi, I have created a 132 column arabic report in 10g. While calling the same from form as HTML format, it displays all the labels and values fully. When i direct the same to dot matrix printer, the font size is getting bigger and becoz of this, only

  • Not able to download with Firefox 9.01 on OSX 10.7.2

    Hi I was not able to download the LR 4 Beta 1 with Firefox 9.01 on OSX 10.7.2, The Browser just got into a loop. no problem with Safari Version 5.1.2 (7534.52.7) br Mike

  • IPhone 4S weird noise

    I've only recently just got an iPhone 4S (about 2 weeks ago). This is my frist iPhone and i'm quite happy with it. About a week ago I was mucking around on my laptop with my headphones on. I was on my bed with my phone next to me. I'd just finished l

  • Ceo email address required as at my wits end

     Having been advised last march to change to bt business from domestic my company has voluntary folded. I have contacted bt to inform them that the property has been vacated and paid for the termination of contract on top of all the other charges and