Password Policy Enforcement on External Apps

My1Login provides a comprehensive set of features for managing and enforcing password policies across your enterprise. This guide walks you through the various methods for enforcing password policies using My1Login, including automatic password generation, automatic password updates, and strategies to mitigate the risk of users circumventing the process.

Automatic Password Generation for All Web Apps

My1Login can automatically generate strong, random, high-entropy passwords for user accounts on compatible web applications. This ensures user passwords are both secure and unique.

How to Enable Automatic Password Generation

  1. Log in to your My1Login Admin portal and navigate to the Settings tab.
  2. Find the “Allow Generic Password Change” option and enable it.

Using the Feature during Registration

My1Login will typically detect registration pages automatically and prompt users to use a generated password.

Using the Feature on Password Change Pages

When a password change page is detected, either as a result of the application prompting the user to change password, or as a result of the user navigating to the change password page of a web application, My1Login will prompt the user to generate a new password.

Users can choose to associate the password with a different username if required.

Automatic Password Generation for Specific Web Apps 

If you need to test or apply automatic password generation for specific web applications the following method can be applied.

How to Configure for Specific Apps

  1. In the Admin portal, navigate to the Apps > Applications screen.
  2. Create a new password policy by clicking on the shield icon within an application.
  3. Test and enable automatic password generation for this specific app.

Additional Security - Hiding Passwords

Admins can choose to hide the newly generated passwords from users on the My1Login system to mitigate the risk of users compromising passwords or being phished for them.

Automatic Password Updates for All Web Apps

Enabling the Generic Password Change feature will also activate the functionality that automatically attempts to detect when the user has landed on the password change page of a compatible web application. It will then prompt the user to click and trigger the process of generating a new password, updating this on the external application, then updating the user’s credentials stored within My1Login.

How to Enable Automatic Password Updates

Enable Generic Password Change as described in the section "Automatic Password Generation for All Web Apps".

Password Update Process

  1. When a password change page is detected, My1Login will prompt the user to initiate the update.
  2. My1Login will handle the process of updating the password on the external application and in the My1Login system.

Automatic Password Updates for Specific Web Apps

Where required, automatic password updates can be tested and enabled only for specific websites by creating a password policy within the Applications area of the Admin portal for the relevant application.

Configuring for Specific Apps

  1. In the Admin portal, go to the Apps > Applications section.
  2. Create a new password policy by clicking on the shield icon within an application.

Applying Password Changes

Default Credentials

Automatic password change functionality can be configured to run for users when they reach a password change page on compatible web applications.

Different Credentials

My1Login will attempt to detect the account that was used to log in to the application that is prompting the user to change their password. However, if the password change needs to be applied to a different set of credentials, for example where an administrator is setting passwords for a user, the administrator can select the relevant account from a list of usernames and the password change will be performed for that account.

Scripted Password Policy Enforcement for Specific External Apps

My1Login can automatically generate long, strong, high-entropy passwords and proactively update these on external applications. Where My1Login cannot directly manage an application's password policy, scripted enforcement can be used.

Please contact your Customer Success team to discuss requirements.

How to Implement Scripted Enforcement

Set Up Policies

Define policies to update passwords on external applications based on:
  1. Time intervals.
  2. User login.
  3. Password change page visits.

Hide Updated Passwords

Admins can choose to hide updated passwords from end-users to minimize phishing risks.

Note:

End-users can still seamlessly access the application via My1Login but are unable to view the password for that application in the My1Login portal. This mitigates phishing risk: a user who does not know the password for an application cannot be tricked into disclosing it.

Custom Scripting

Custom scripts may be required, and compatibility depends on the external application’s configuration. If the external web application changes its configuration, the password change script may stop working until it is updated.

Automatic Password Updates for Windows Desktop Apps

Automatic updates for Windows Desktop applications may be supported, but this depends on whether the application’s password change windows can be detected, so it is not possible for all Windows Desktop applications.

Configuring for Desktop Apps

Check Compatibility

Confirm whether the target Windows Desktop application supports password change detection.

Configure Updates

If supported, set up scripting to handle automatic updates.

Mitigating Risks of User-Invoked Password Resets

Where My1Login has been utilised to enforce password policies, there is still a residual risk that users may trigger a password reset on the external application itself, allowing them to reset the application password and circumvent My1Login.

The following measures address the risk of users manually resetting their passwords and circumventing My1Login policies.

How to Mitigate Risks

Configure Mail Filters

Set up filters to redirect or manage password reset emails based on best-match criteria such as sender address, subject line, or content.

Monitor for Alerts

Use filters to alert administrators when password reset attempts are detected.

For Microsoft Exchange Users

Set up appropriate rules in the Exchange admin center to handle password reset emails.
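
As an added example (not part of this article and not a My1Login-supplied configuration), the following Exchange Online PowerShell creates the two mail-flow rules described in the three steps above: one that alerts administrators with an incident report whenever a password reset email from an application is detected, and one that redirects such emails to an admin mailbox so the reset is completed through My1Login rather than by the end user. The sender domains, subject phrases, mailbox addresses and exempt group are assumed placeholders to replace with values matching your own applications.

```powershell
# Added example: Exchange Online mail-flow (transport) rules that detect and
# redirect password-reset emails sent by external applications, so users cannot
# reset a My1Login-managed password outside the enforced policy.
# Every domain, phrase, mailbox and group below is a placeholder (assumption).

# Requires the ExchangeOnlineManagement module and an account permitted to
# manage mail flow rules.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# Best-match criteria from the article: sender address, subject line, content.
$AppSenderDomains = @('crm.example.com', 'hr-app.example.com')
$ResetPhrases     = @('reset your password', 'password reset request', 'forgot your password')
$SecurityMailbox  = 'security-alerts@example.com'          # receives incident reports
$AdminMailbox     = 'password-admins@example.com'          # receives redirected resets
$ExemptGroup      = 'my1login-administrators@example.com'  # admins who set passwords for users

# Rule 1 (Monitor for Alerts): mail is still delivered, but each match sends an
# incident report, with the original message attached, to the security mailbox.
New-TransportRule -Name 'Alert: external app password reset' `
    -Mode Enforce `
    -SenderDomainIs $AppSenderDomains `
    -SubjectOrBodyContainsWords $ResetPhrases `
    -GenerateIncidentReport $SecurityMailbox `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections, AttachOriginalMail `
    -SetAuditSeverity High `
    -Comments 'Detect user-invoked resets that would bypass My1Login-managed passwords.'

# Rule 2 (Configure Mail Filters): reset emails never reach the end user; they are
# redirected to the admin mailbox. Members of the exempt group (administrators who
# legitimately set passwords for other users) are skipped. Created disabled so it
# can be switched on once the alert rule has been reviewed for false positives.
New-TransportRule -Name 'Redirect: external app password reset' `
    -Mode Enforce `
    -Enabled $false `
    -SenderDomainIs $AppSenderDomains `
    -SubjectOrBodyContainsWords $ResetPhrases `
    -ExceptIfSentToMemberOf $ExemptGroup `
    -RedirectMessageTo $AdminMailbox `
    -Comments 'Route application password-reset mail to admins; enable after reviewing alerts.'

# Enable the redirect rule once the alerts confirm the match criteria are accurate.
# Enable-TransportRule -Identity 'Redirect: external app password reset'

# Verify both rules and their current mode and state.
Get-TransportRule |
    Where-Object { $_.Name -like '*external app password reset' } |
    Format-Table Name, Mode, State, Priority -AutoSize
```

The same conditions and actions can be set through the Exchange admin center under Mail flow > Rules if you prefer not to use PowerShell.
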
By following these steps, you can effectively use My1Login’s Enterprise Password Manager to enforce robust password policies and enhance your organization’s security posture.