Customize the Password Requirement Strength for the Reset Password Form

Issue

As most users of the ServiceNow application probably already know, the default password requirements enforced on the password reset screen are as follows:

- The changed password must contain at least 8 characters.
- The changed password must contain at least one lowercase letter and one uppercase letter.
- The changed password must contain at least one number.

In many cases this default requirement is sufficient. However, to keep up with changing security risks and requirements, an organization may want to change the requirements an end user must fulfill when changing his or her password. This article describes how the specific password requirements can be changed for the self-service password reset functionality on an instance.

Resolution

The following steps configure the specific password requirements and strength applied to a user who uses the self-service password reset option in the system.

1. Log into the instance with an account having one of the following roles assigned: admin, password_reset_admin, or password_reset_credential_manager.
2. Browse to System Definition > Installation Exits. A list of the Installation Exit records on the instance is displayed.
3. In this list, locate the Installation Exit record named ValidatePasswordStronger and open it for editing.

The Script field contains a JavaScript function that processes a specific string passed in to determine whether that string is of sufficient strength to fulfill the password requirements needed on this instance. The process: function() function is a series of JavaScript statements and objects that review the string value from the user_password value passed in from the password reset screen.
The script uses various functions and operations to validate that this string fulfills all the necessary requirements. The out-of-box version checks the requirements listed above using functions of the JavaScript String object together with Regular Expressions (RegExp). This script can thus be modified as necessary to contain the new requirements for the passwords users set.

The function returns true or false. A value of false indicates the string passed in fails validation and the password cannot be set to this value (failing the attempted password change); a value of true indicates the string fulfills the requirements reviewed in the script and the password change can be performed. Once the script has been modified as needed, click the Update button to save the change.

For example, say we intend to tighten the Password Reset requirements slightly so that the password must now be 10 or more characters long, must include at least 2 digits, and must contain at least one lowercase letter and at least one uppercase letter. We would first modify the Script field in the ValidatePasswordStronger Installation Exit record to include these new requirements. Any new use of the Password Reset screen then enforces the requirements in this new script.

However, there are a few other changes the admin may also want to make on the instance so that the user's password reset experience is a positive one. These changes mostly consist of modifications to the Credential Store record associated with the user's login system.
The following steps show how this might be modified:

1. From the Menu Navigator, browse to Password Reset > Credential Stores. A list of credential stores appears.
2. Select the appropriate Credential Store from the list (in an out-of-box instance this is the Credential Store named Local ServiceNow Instance) to open the record for editing.

Most of the options on this record should be left as they are currently set. However, there are a few fields you will probably want to change.

The Password rule hint is an HTML field displayed to the user on the Password reset page; it lists the password complexity requirements in a format that is informative to the user attempting to set the password. It should be modified to state the specific requirements as set in the Script field of the Installation Exit record described above.

The Password rule script field will probably not need to be changed. However, verify that it calls the function from the Installation Exit record modified earlier in this article. Note that an alternative approach is to create a new Installation Exit record containing the new password requirement check script and then modify the Password rule script field to call that function instead.

The Enable password strength option (and the corresponding Strength rule script field) can be used to show a graphical display of the relative strength of the password as measured by the script in the Strength rule script field. If the Enable password strength checkbox is selected, the display shows a meter indicating the strength of the password the user is entering on the password change form.
If the Enable password strength option is selected, the Strength rule script field should be modified so that it provides an accurate depiction of the strength of the password as the user types his or her choice into the password field. The function is intended to return a numerical value from 0 to 100 indicating the relative strength of the password. A 0 indicates a completely invalid password (as per the password requirements), and the values from 1 to 100 indicate how secure the password is in accordance with those requirements, with a higher value indicating a stronger password as measured by the code in the Strength rule script field.

Note that the Password strength functionality has no bearing on whether the password can actually be changed to a specific value. If the ValidatePasswordStronger Installation Exit script returns true, the password can be reset regardless of the strength value returned by the Strength rule script.

For our example, we would thus want to modify the strength script to account for the new length requirement as well as the requirement for two digits (instead of the previous one). In addition, to aid the end user, we would update the Password rule hint field to display these new requirements. After all the necessary modifications have been made to the Credential Store record, click the Update button to save the changes.

To test the change, the user should first log out of and back into the instance. Once logged back in, browse to Password Reset > Change Password.
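The following is an added example, not the script shipped in the ValidatePasswordStronger Installation Exit or in the Credential Store's Strength rule script field. It shows both pieces of logic this article describes, the true/false validation check for the tightened rules in the worked example (10 or more characters, at least 2 digits, one lowercase and one uppercase letter) and a 0-to-100 strength function built on the same rules, written as plain ES5 so it would also run in the instance's server-side script engine. The function names, the requirements object and the scoring weights are assumptions; connecting the functions to the user_password value in the process: function() of the Installation Exit and to the Strength rule script field is the admin's step.

```javascript
// Added example, not ServiceNow's own scripts. Tightened rules from the
// article's worked example; the object and its field names are assumptions.
var requirements = {
  minLength: 10,     // tightened from the default 8
  minDigits: 2,      // tightened from the default 1
  requireLower: true,
  requireUpper: true
};

// Count matches of a global RegExp; String.match returns null for no match.
function countMatches(str, re) {
  var m = str.match(re);
  return m ? m.length : 0;
}

// Returns the names of the rules that `password` fails (empty when it passes).
// Useful for keeping the Password rule hint text in step with the script.
function failedRules(password) {
  var failed = [];
  if (typeof password !== 'string' || password.length === 0) {
    return ['blank']; // system-level rule: a password cannot be blank
  }
  if (password.length < requirements.minLength) failed.push('length');
  if (countMatches(password, /[0-9]/g) < requirements.minDigits) failed.push('digits');
  if (requirements.requireLower && !/[a-z]/.test(password)) failed.push('lowercase');
  if (requirements.requireUpper && !/[A-Z]/.test(password)) failed.push('uppercase');
  return failed;
}

// Installation Exit role: true lets the reset proceed, false rejects it.
function validatePasswordStronger(password) {
  return failedRules(password).length === 0;
}

// Strength rule role: 0 for an invalid password, otherwise 1..100.
// The score is a heuristic using only properties the rules already inspect:
// length beyond the minimum, number of character classes, and digits beyond
// the minimum. It never decides whether the reset is allowed; only
// validatePasswordStronger does that, as the article notes.
function passwordStrength(password) {
  if (!validatePasswordStronger(password)) return 0;
  var score = 40; // baseline for meeting every rule
  // Up to 30 points for length: 3 per character beyond the minimum, capped.
  score += Math.min(30, 3 * (password.length - requirements.minLength));
  // Up to 20 points for class variety; symbols are optional but add entropy.
  var classes = 0;
  if (/[a-z]/.test(password)) classes++;
  if (/[A-Z]/.test(password)) classes++;
  if (/[0-9]/.test(password)) classes++;
  if (/[^A-Za-z0-9]/.test(password)) classes++;
  score += 5 * classes;
  // Up to 10 points for digits beyond the required minimum.
  score += Math.min(10, 5 * (countMatches(password, /[0-9]/g) - requirements.minDigits));
  return Math.max(1, Math.min(100, score));
}

// Constructed sample inputs, not real credentials.
console.log(failedRules('Passw0rd'));                  // fails length and digits
console.log(validatePasswordStronger('Password12'));   // meets every rule
console.log(passwordStrength('Correct-Horse-42-Battery'));
```

Because the validator and the strength function share the same requirements object, raising minLength or minDigits in one place changes both the accept/reject decision and the meter, which is the consistency the article asks the admin to maintain by hand between the Installation Exit script and the Strength rule script.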
There are, however, a few important notes to consider when modifying this password reset functionality:

- In addition to the user-defined password complexity requirements, an additional requirement is enforced at the system level: a user-set password cannot be blank.
- When using the password reset screen, the system automatically verifies that the Old password is correct and that the New password and Retype password fields are identical.
- If a system admin uses the password reset functionality to reset a password directly from the User record, this bypasses the password complexity rules described in this article.
- If an instance is integrated with a local LDAP server or uses an SSO solution, password reset and login are handled differently, and performing the steps in this article will not change that password reset behavior.
- As with any customization to an instance, changes to this password reset functionality should be thoroughly tested in a development instance before being moved to a production instance.
- The Password Reset Windows application does not support, and thus will not display, the Password strength information.
- There is also an option titled Enforce history policy that can be selected to prevent users from reusing a recently used password. If this option is selected, see the KB article listed under Related Links, which describes the steps to prevent reuse of recent passwords on the ServiceNow instance.

Related Links

Prevent users from re-using recent passwords on the Password Reset screen