Password management systems store passwords for users when requested by the user, administrators, or other systems. The passwords managed by these systems can be used to validate users during login, synchronize passwords to other systems, and/or provide single sign-on services.
Security administrators configure password management systems with password policies to encourage their users to choose good passwords. The password policy may include password syntax rules, disallowed passwords rules, and password lifetime rules. Password syntax rules may include such rules as minimum and maximum password length, minimum and maximum number of characters from a character group, and/or the number of unique characters. Disallowed password rules specify strings that can not be the password or in some cases included in the password. These rules could disallow strings such as the user's current or previous passwords, words found in a dictionary, or user data such as telephone number, full name, or login name. Password lifetime rules may specify the minimum amount of time that must pass before the password can be changed and/or when a password expires and can no longer be used to authenticate the user.
Typically, when a password management system receives a request to store a password, it first verifies that the password meets the configured password policy. When the password is changed, the password management system adds the previous password to the user's password history. The password history also stores the time that each password was added to the password history. One of the purposes of the password history is to enforce the rule that disallows the reuse of previous passwords.
Because security administrators have the capability to change or turn off a password policy, it is difficult for security administrators to demonstrate to security auditors that the passwords chosen by users and administrators comply to the passwords policies. There are no password management systems that provide a mechanism for security administrators or security auditors to analyze and report that current and previous passwords comply with the password policy.
Thus, what is needed is a mechanism to analyze and report compliance of current and previous credentials to an enterprise credential policy.