Manage Password Policies for Disconnected Accounts

When you enable disconnected account management (DAM), a default password policy is defined. You can also define password policies on a per-list basis. If no list-specific policy has been created for a list, clients of the list will use the default policy.

Understand How Policies Affect Derived Password Generation

Once a secret has been generated and stored on the endpoint, it can begin deriving passwords. If a password set time has not been saved or if the password expiration time has elapsed, a new password will be derived from the stored secret and set for the local account. The password expiration time is calculated based on when the secret was obtained from the server and the password update frequency defined in the password policy.

Because the secret is generated on the server and saved on the client, the secret set time is always known by both systems. Therefore, the set times on the endpoint cannot drift over extended operation. Even if the update process cannot run for an extended length of time, such as when an endpoint is shut down, the password will be changed immediately when the update process is re-enabled, and the password will be re-synchronized with the value derived on the server. The endpoint also attempts to update its information on the server each time a new secret is obtained or when a new password is derived and set. However, since we expect the system to be disconnected, we also expect this update to be infrequent.

The algorithm used to derive the password from the stored secret depends on the password policy settings. Two types of password policies can be applied globally and/or per list:

  • Simple hashing password generation
  • Admin-defined password generation

Password policies let you configure the endpoint secret and password generation interval, set a wild card matching string to determine which endpoints are affected by each policy, and define the format for derived passwords. The password policy is copied to the endpoint as part of the endpoint enrollment process, and the policy is updated each time the endpoint obtains a new secret.

The default password policy is defined on the server as part of the web app settings. Unless otherwise specified, the default policy generates a new secret every 7 days and a new password every 24 hours, using the simple hashing algorithm.

Each endpoint will use exactly one policy. If an endpoint matches more than one policy, the first match is applied.

The endpoint determines when a new secret is required based on when the existing secret was generated and the current time on the endpoint. The endpoint determines when a new password is needed based on the last time the password was set and the current time. A new password is always set immediately when a new secret is generated and stored on an endpoint.

Create a List Policy

You can create list policies either from the web application or programmatically.

  1. Log into the web application as an All Access user.
  2. Select Passwords > Disconnected Accounts.
  3. Click the List Policies button (gear) in the list row.
  4. Click the Create New Policy button (+) at the top of the page.
  5. Define the following policy elements:
    • Machine Type Filter: Enter a string to specify the types of systems to which this policy should apply. If you set it to an asterisk (*), it will apply to all systems enrolled in the list.

      For more information about filters, please see Apply Policies Based on Machine Type.

    • Secret Update Frequency: Set how often a new secret should be generated on the server. The default is 168 hours (7 days). The next time the managed system connects to the web service, if the secrets are mismatched, the managed system receives the latest secret.
    • Password Update Frequency: Set how often a new derived password should be generated. The default is 24 hours.
    • Simple Hash: If you select this option, then a password derived from the client secret will be a 14-character, random string of uppercase letters, lowercase letters, and numbers.

      If you do not select this option, then set the following options for passwords derived from the client secret:

      • Password length: Set how many characters to include in the password. The maximum is 127 characters.
      • Numbers: Set if the password can contain numbers.
      • Symbols: Set if the password can contain special characters. You can leave the text field blank to allow all possible symbols, or you can define an allowed list of symbols.

        Note: To avoid causing code issues, you may not specify a slash (/), backslash (\), colon (:), semicolon (;), or quotation mark (").

        Some databases accept only the special characters hash (#), underscore (_), and dollar sign ($).

      • Lowercase letters: Set if the password can contain lowercase letters.
  6. Click Create.

Apply Policies Based on Machine Type

The machine type filter is a wild card string that sets the policy to be used for any client systems with a matching machine type. The machine type identifies the endpoint's platform and system type. This string is generated by the endpoint itself when the client script runs. The Windows service and Python script generate machine type information in different formats:

OS Version              | Windows Script Machine Type String   | Python Script Machine Type String
Windows Vista           | Microsoft Windows NT 6.0.6000        | Vista-6.0.*
Windows Server 2008     | Microsoft Windows NT 6.0.*           | Vista-6.0.*
Windows Server 2008 R2  | Microsoft Windows NT 6.1.*           | Windows-7-6.1.*
Windows 7               | Microsoft Windows NT 6.1.7600        | Windows-7-6.1.*
Windows Server 2012     | Microsoft Windows NT 6.2.*           | Windows-post2008Server-6.2.*
Windows 8               | Microsoft Windows NT 6.2.*           | Windows-post2008Server-6.2.*
Windows Server 2012 R2  | Microsoft Windows NT 6.3.*           | Windows-post2008Server-6.2.*
Windows 8.1             | Microsoft Windows NT 6.3.9600        | Windows-post2008Server-6.2.*
Windows Server 2016     | Microsoft Windows NT 10.0.*          | Windows-post2008Server-6.2.*
Windows 10              | Microsoft Windows NT 10.0.10240      | Windows-post2008Server-6.2.*
SLES 12                 |                                      | Linux-4.4.21-69-default-x86_64-with-SuSE-12-x86_64
Raspberry Pi (Debian)   |                                      | Linux-4.4.21-v7+-armv7l-with-debian-8.0
OSX (Sierra)            |                                      | Darwin-13.4.0-x86_64-i386-64bit

Note: In the examples above, the specific patch level is replaced with an asterisk (*), because the exact number varies.

While not all versions and distributions are shown, this table should provide a guide to relative formats. If you have a question about a specific format, you can run the endpoint client and observe what it reports. With the Python client, you can also start a Python session and run:

    import platform
    print(platform.platform())
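The two rules above that the page leaves to the reader to combine, "first matching policy wins" and "rotate as soon as an interval has elapsed on the endpoint's own clock", are put together in the following added example. It is not the product's code: the policy class, the field names, the list of policies and the timestamps are all invented for illustration, and it assumes the machine type filter is matched with shell-style wildcards (the page only shows an asterisk).

```python
"""Added example (not the product's code): choose the list policy that applies to an
endpoint and work out whether it is due for a new secret and/or a new derived
password. All names here are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    machine_type_filter: str         # wildcard string; "*" matches every endpoint
    secret_update_hours: int = 168   # page default: 7 days
    password_update_hours: int = 24  # page default: 24 hours
    simple_hash: bool = True


# Hypothetical list policies, in the order the server evaluates them.
POLICIES = [
    PasswordPolicy("win7-hosts", "Windows-7-6.1.*", secret_update_hours=72),
    PasswordPolicy("linux-hosts", "Linux-*", password_update_hours=12, simple_hash=False),
]
DEFAULT_POLICY = PasswordPolicy("default", "*")


def select_policy(machine_type: str, policies=POLICIES,
                  default=DEFAULT_POLICY) -> PasswordPolicy:
    """The first policy whose filter matches wins; otherwise the default policy.
    Assumption: filters use shell-style wildcards (the page only shows '*')."""
    for policy in policies:
        if fnmatchcase(machine_type, policy.machine_type_filter):
            return policy
    return default


def endpoint_update_plan(policy: PasswordPolicy, secret_obtained_at: datetime,
                         password_set_at: Optional[datetime], now: datetime) -> dict:
    """Apply the page's timing rules using the endpoint's own clock:
    - a new secret is due once the stored one is older than the secret interval;
    - a new password is due if no set time is saved, if the password interval
      has elapsed, or whenever a new secret is stored (always set immediately).
    An endpoint that was shut down past either interval therefore rotates as
    soon as the update process runs again."""
    fetch_secret = now >= secret_obtained_at + timedelta(hours=policy.secret_update_hours)
    if password_set_at is None:
        password_expired = True
    else:
        password_expired = now >= password_set_at + timedelta(hours=policy.password_update_hours)
    return {"fetch_secret": fetch_secret,
            "set_password": password_expired or fetch_secret}


# Constructed reference time for the usage below
NOW = datetime(2024, 1, 10, 12, 0)


def hours_before(now: datetime, hours: float) -> datetime:
    return now - timedelta(hours=hours)


if __name__ == "__main__":
    for mt in ("Windows-7-6.1.7601", "Linux-4.4.21-v7+-armv7l-with-debian-8.0",
               "Darwin-13.4.0-x86_64-i386-64bit"):
        policy = select_policy(mt)
        plan = endpoint_update_plan(policy, hours_before(NOW, 200), hours_before(NOW, 1), NOW)
        print(mt, "->", policy.name, plan)
```

Because policies are evaluated in order, a broad filter such as `Windows-*` placed before a narrower one such as `Windows-7-6.1.*` silently shadows it; when checking why an endpoint received an unexpected policy, compare its reported machine type string against the filters in list order.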

Examine Password Generation Settings

The default derived password generation algorithm uses an MD5 hash combined with simple transforms to derive passwords with a simple, fixed format.

The first time a password is generated, the secret is hashed using MD5 to ensure good data distribution for the resulting hash. The resulting 64 bytes of binary data are interpreted as 32 hex-encoded characters. The first two hex digits are replaced with a question mark (?) to make sure the password contains a special character. The next fourteen characters are lowercase letters and numbers, and the remaining sixteen characters are uppercase letters and numbers.

For each following password generation, the previous derived password is used to generate a new MD5 hash (similar to how the secret is used the first time), and the same password derivation algorithm is applied to that hash.

Below is an example of a simple hashing password generation over two cycles:

Secret                      pFKiZUQFIl3yJi4H1UvEb3gTRbADrV7E
  (MD5 hash)
MD5 hash for first cycle    359df6d30033ed522c057ce5b5bdda96
  (transform)
First password              ?9df6d30033ed522C057CE5B5BDDA96
  (MD5 hash)
MD5 hash for second cycle   964d3ffe07680f9b1696543c1dc634d8
  (transform)
Second password             ?4d3ffe07680f9b1696543C1DC634D8
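The simple-hashing derivation above, written out as an added example; this is not the product's own code. It assumes the secret and each previous password are hashed as their UTF-8 bytes. MD5 produces a 16-byte digest, which `hexdigest()` renders as the 32 hex characters the transform works on; the transform itself is a pure string operation and is checked here against the page's two hash/password pairs.

```python
"""Added example (not the product's code): the simple-hashing derived password
format described on the page. Assumption: strings are hashed as UTF-8 bytes.
MD5 appears here only because the page documents it."""
import hashlib

LOWER_HEX = "0123456789abcdef"
UPPER_HEX = "0123456789ABCDEF"


def md5_hex(text: str) -> str:
    # 16-byte digest rendered as 32 hex characters
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def simple_transform(hex_digest: str) -> str:
    """Fixed format: '?' replaces the first two hex digits, the next fourteen
    characters stay lowercase, the remaining sixteen are uppercased (31 chars)."""
    if len(hex_digest) != 32:
        raise ValueError("expected a 32-character hex digest")
    body = hex_digest[2:]
    return "?" + body[:14].lower() + body[14:].upper()


def derive_simple_passwords(secret: str, cycles: int) -> list:
    """First password from MD5(secret); each later one from MD5(previous password)."""
    passwords, seed = [], secret
    for _ in range(cycles):
        seed = simple_transform(md5_hex(seed))
        passwords.append(seed)
    return passwords


def has_simple_format(password: str) -> bool:
    """Structural check a reviewer can run on any derived value."""
    return (len(password) == 31 and password[0] == "?"
            and all(c in LOWER_HEX for c in password[1:15])
            and all(c in UPPER_HEX for c in password[15:]))


if __name__ == "__main__":
    for pw in derive_simple_passwords("pFKiZUQFIl3yJi4H1UvEb3gTRbADrV7E", 2):
        print(pw, has_simple_format(pw))
```

Note what the chaining implies for risk: every later password in a cycle is a deterministic function of the previous one, so the chain is only as secret as its oldest exposed link until the next secret rotation. A shorter secret update frequency bounds that window.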

Derived password generation for a defined password policy is similar to the default method.

The first time a password is generated, the secret is hashed using MD5 to ensure good data distribution for the resulting hash. The resulting 64 bytes of binary data are interpreted as 32 hex-encoded characters. The process calculates the set of possible ASCII characters the resulting password can contain. In total, 95 characters are possible:

26 uppercase (always used) ABCDEFGHIJKLMNOPQRSTUVWXYZ
26 lowercase abcdefghijklmnopqrstuvwxyz
10 numbers 0123456789
33 symbols [space] , . < > / ? ; : ' " [ ] { } \ | ` ~ ! @ # $ % ^ & * ( ) - _ = +

The set of allowed characters is constructed by adding all uppercase letters, all lowercase letters (if allowed), all numbers (if allowed), and all symbols (or the allowed symbols in the order they appear in the allowable symbols string). For each type of character that is not allowed, the size of the character set decreases. If a specified symbol set is used, the set size is decreased by the number of symbols that are not allowed.

Each two bytes of the binary data are interpreted as a decimal number between 1 and 255. That number is reduced modulo the size of the allowable character set to get an index into the array of possible characters. One hash can generate a password of up to sixteen characters. If the policy requires a longer password, another MD5 hash is generated from the first portion of the derived password, and that new hash is used to generate more characters using the same method as before.

The remainder of this section looks at an example policy with a length of twenty characters, using uppercase and lowercase letters and numbers but no symbols:

Index   Character
0       A
1       B
26      a
27      b
52      0
53      1
60      8
61      9

Below is an example of conversion from a 2-byte hash value to a password character:

Machine secret                        BQgApSMIqsHBD3xUlK1vLbtHb2uo6Gr3
  (MD5 hash)
MD5 hash                              a60b978fc6d0364de97aa218d0b15272
First 2 bytes                         a6 (166 in decimal)
Character set size                    95 - 33 = 62 (subtract symbols)
Character index (mod)                 166 % 62 = 42
Character at index 42 in character set   q

Below is an example of a defined policy password generation over two cycles:

Secret                                       BQgApSMIqsHBD3xUlK1vLbtHb2uo6Gr3
  (MD5 hash)
MD5 hash for first cycle                     a60b978fc6d0364de97aa218d0b15272
  (convert to password characters)
First 16 characters of first password        qLbTMW2Pv8mYW1U0
  (MD5 hash of the first 16 characters)
MD5 hash from first 16 characters            70f18a8ff78f83ab64124276af3aad98
  (convert to password characters)
Remaining 4 characters of first password     y3OT
  (append results for password)
First password (16 + 4 characters)           qLbTMW2Pv8mYW1U0y3OT
  (MD5 hash)
MD5 hash for second cycle                    2977bfc0f1fb2fec8f8b7e501b97388d
  (convert to password characters)
First 16 characters of second password       p5FG3DvyTPCSbb4R
  (MD5 hash of the first 16 characters)
MD5 hash from first 16 characters            ae0b4ad18c6503fd7ed243cbc57c0566
  (convert to password characters)
Remaining 4 characters of second password    yLMX
  (append results for password)
Second password (16 + 4 characters)          p5FG3DvyTPCSbb4RyLMX
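The defined-policy derivation, covering the character set construction, the byte-to-character mapping and the extra hash needed for passwords longer than sixteen characters, as an added example that is not the product's own code. Assumptions beyond what the page states: strings are hashed as UTF-8 bytes; when an admin supplies an allowed-symbols list, the symbols are appended in the order of that string; for lengths above thirty-two characters each further batch hashes the batch just produced; and each later cycle hashes the complete previous password. The mapping is checked against the page's own hash values and the `q`, `qLbTMW2Pv8mYW1U0` and `y3OT` results above.

```python
"""Added example (not the product's code): derived-password generation for an
admin-defined policy as the page describes it. Assumptions are marked inline."""
import hashlib
import string

# The page's 33 symbols in the order it lists them (the leading space is one of them)
ALL_SYMBOLS = " ,.<>/?;:'\"[]{}\\|`~!@#$%^&*()-_=+"
FORBIDDEN_IN_POLICY = '/\\:;"'   # the editor refuses these (page note)
CHARS_PER_DIGEST = 16            # one MD5 digest yields at most 16 characters


def md5_hex(text: str) -> str:
    # Assumption: strings are hashed as their UTF-8 bytes
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_charset(lowercase=True, numbers=True, symbols=True, allowed_symbols="") -> str:
    """Uppercase is always present; other classes are appended only if allowed.
    A blank allowed_symbols means all 33 symbols; otherwise (assumption) the
    admin's string is appended in the order given."""
    charset = string.ascii_uppercase
    if lowercase:
        charset += string.ascii_lowercase
    if numbers:
        charset += string.digits
    if symbols:
        for ch in allowed_symbols:
            if ch in FORBIDDEN_IN_POLICY or ch not in ALL_SYMBOLS:
                raise ValueError(f"symbol {ch!r} is not allowed in a policy")
        charset += allowed_symbols or ALL_SYMBOLS
    return charset


def digest_to_chars(hex_digest: str, charset: str, count: int) -> str:
    """Each two hex digits (one byte, 0..255) become charset[value % len(charset)]."""
    out = []
    for i in range(min(count, CHARS_PER_DIGEST)):
        value = int(hex_digest[2 * i:2 * i + 2], 16)
        out.append(charset[value % len(charset)])
    return "".join(out)


def derive_policy_password(seed: str, length: int, charset: str) -> str:
    """One cycle: MD5(seed) gives up to 16 characters; for a longer password the
    first 16 characters are hashed again to produce the next batch.
    Assumption: past 32 characters, each new batch hashes the previous batch."""
    if not 1 <= length <= 127:
        raise ValueError("policy length must be between 1 and 127")
    digest = md5_hex(seed)
    password = ""
    while len(password) < length:
        batch = digest_to_chars(digest, charset, length - len(password))
        password += batch
        digest = md5_hex(batch)   # only consumed if more characters are needed
    return password


def derive_policy_passwords(secret: str, length: int, charset: str, cycles: int) -> list:
    """Assumption: each later cycle hashes the complete previous password."""
    passwords, seed = [], secret
    for _ in range(cycles):
        seed = derive_policy_password(seed, length, charset)
        passwords.append(seed)
    return passwords


if __name__ == "__main__":
    cs = build_charset(symbols=False)          # 62 characters, as in the page's example
    print(len(cs), cs[42])                      # 62 q
    print(digest_to_chars("a60b978fc6d0364de97aa218d0b15272", cs, 16))
    for pw in derive_policy_passwords("BQgApSMIqsHBD3xUlK1vLbtHb2uo6Gr3", 20, cs, 2):
        print(pw)
```

One property worth knowing when choosing policy settings: because a byte (256 values) is reduced modulo the character set size, the characters early in the set are selected slightly more often than those at the end whenever the size does not divide 256; with 62 characters, indices 0 through 7 each get five of the 256 byte values and the rest get four. The bias is small, but it is one reason to keep secret rotation frequent rather than to rely on long derived passwords alone.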