Strengthening password validation rules

You can customize password strength validation rules for the change password screen by overriding the installation exit associated with password validation.

Procedure

  1. Navigate to System Definition > Installation Exits.
  2. Locate ValidatePassword and ValidatePasswordStronger. Both are inactive by default.
  3. ValidatePasswordStronger (below) is a sample that replaces the ValidatePassword behaviour: it uses regular expressions to require that passwords are at least 8 characters long and contain a digit, an uppercase letter, and a lowercase letter.
    gs.include("PrototypeServer");

    // The variable name must match the name of the Installation Exit record exactly.
    var ValidatePasswordStronger = Class.create();
    ValidatePasswordStronger.prototype = {
        // Called when the user submits the change password form.
        // Return true to accept the password, false to reject it; every
        // rejection should explain itself via gs.addErrorMessage().
        process : function() {
            // request.getParameter() returns a Java String (or null if the
            // parameter is absent); coerce it to a JavaScript string so the
            // checks below cannot throw on a missing value.
            var user_password = String(request.getParameter("user_password") || "");
            var min_len = 8;
            var rules = "Password must be at least " + min_len +
                " characters long and contain a digit, an uppercase letter, and a lowercase letter.";

            if (user_password.length < min_len) {
                gs.addErrorMessage("TOO SHORT: " + rules);
                return false;
            }
            // One RegExp per required character class. The "g" flag is not
            // needed for a single test() call and is omitted so lastIndex
            // cannot skew a later test() if a pattern is ever reused.
            var digit_pattern = new RegExp("[0-9]");
            if (!digit_pattern.test(user_password)) {
                gs.addErrorMessage("DIGIT MISSING: " + rules);
                return false;
            }
            var upper_pattern = new RegExp("[A-Z]");
            if (!upper_pattern.test(user_password)) {
                gs.addErrorMessage("UPPERCASE MISSING: " + rules);
                return false;
            }
            var lower_pattern = new RegExp("[a-z]");
            if (!lower_pattern.test(user_password)) {
                gs.addErrorMessage("LOWERCASE MISSING: " + rules);
                return false;
            }
            return true; // password is OK
        }
    };

    The script variable created by Class.create() must have the same name as the installation exit itself ("ValidatePasswordStronger" in this example). The script implements a process() function that returns true if the password is acceptable and false if the user must choose another one; gs.addErrorMessage() returns the reason to the change password screen. To try this installation exit in your instance, check its Active flag and update the record, then clear the instance cache so the change is picked up.

    Keep in mind that activating or modifying these scripts does not change the default ServiceNow behaviour: blank passwords are still prohibited, and the password and verify password fields must still match.
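The same policy as the exit above, written as an added example (not code from this page or from ServiceNow) in plain ES5 JavaScript so it can be unit-tested outside an instance. It goes a little beyond the sample: the checks are a rule table rather than a chain of ifs, every failed rule is reported at once instead of stopping at the first, and a small constructed denylist of common passwords is added. The function names validatePassword and processChangePassword, the rule names, and the denylist contents are assumptions made for this example; getParam and addError stand in for request.getParameter and gs.addErrorMessage so the logic runs offline.

```javascript
// Added example, not the page's or ServiceNow's own code. Policy rules for a
// change-password installation exit, kept as pure functions so they can be
// tested without an instance. Written in ES5 for compatibility with the
// Rhino engine used by server-side ServiceNow scripts.
var MIN_LEN = 8;

// Constructed denylist for this example (assumption). A real deployment would
// load a much larger list of breached or common passwords.
var COMMON_PASSWORDS = ["password", "password1", "welcome1", "changeme", "letmein"];

// Each rule has a name used as the error prefix and a predicate that returns
// true when the password satisfies it. Rule names are assumptions.
var RULES = [
  { name: "TOO SHORT",         ok: function (p) { return p.length >= MIN_LEN; } },
  { name: "DIGIT MISSING",     ok: function (p) { return /[0-9]/.test(p); } },
  { name: "UPPERCASE MISSING", ok: function (p) { return /[A-Z]/.test(p); } },
  { name: "LOWERCASE MISSING", ok: function (p) { return /[a-z]/.test(p); } },
  { name: "COMMON PASSWORD",   ok: function (p) {
      return COMMON_PASSWORDS.indexOf(p.toLowerCase()) === -1; } }
];

var RULES_TEXT = "Password must be at least " + MIN_LEN +
  " characters long, contain a digit, an uppercase letter, and a lowercase letter," +
  " and must not be a common password.";

// Returns one message per failed rule; an empty array means the password
// passes. Reporting all failures together spares the user a round trip per
// rule, which is what the first-failure-returns pattern costs.
function validatePassword(password) {
  // Treat null/undefined (a missing request parameter) as an empty string.
  var p = String(password == null ? "" : password);
  var failures = [];
  for (var i = 0; i < RULES.length; i++) {
    if (!RULES[i].ok(p)) {
      failures.push(RULES[i].name + ": " + RULES_TEXT);
    }
  }
  return failures;
}

// The exit's process() expressed in terms of validatePassword(). getParam and
// addError are injected so this runs offline; inside the instance you would
// pass request.getParameter and gs.addErrorMessage (both bound appropriately).
function processChangePassword(getParam, addError) {
  var failures = validatePassword(getParam("user_password"));
  for (var i = 0; i < failures.length; i++) {
    addError(failures[i]);
  }
  return failures.length === 0;
}

// Offline demonstration with a constructed request: the submitted password is
// "Tr0ubador", which satisfies every rule, so no messages are produced.
var messages = [];
var accepted = processChangePassword(
  function (name) { return name === "user_password" ? "Tr0ubador" : null; },
  function (msg) { messages.push(msg); }
);
```

Because validatePassword() has no dependency on gs or request, a rule change can be checked against a set of known-good and known-bad passwords before the exit is activated on the instance.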

Result

To test, check the Password needs reset box on a user record, then log in as that user. Validation occurs at the point where the user attempts to set the new password. It does not apply when an administrator updates the password field on the user record directly (the admin can put anything in that field), so a password set that way is not held to this policy; checking Password needs reset on such an account forces the user through the validated change password screen at next login.

Note: The change password screen applies only to instances that do not use single sign-on and are not integrated with an LDAP directory. In those deployments the password is managed by the identity provider or directory, so its password policy, not this installation exit, is what applies.