Learn how to configure, enforce, and maintain robust password policies within Delinea Secret Server — covering requirements, character rules, dictionary enforcement, and policy assignment.
10 Modules · ~25 Minutes · 1 Quiz
Navigating to Password Policies
Module 02 · Setup & Access
Password Requirement policies in Secret Server define how passwords are generated and validated. Before creating or editing a policy, you need to navigate to the correct area in the admin console.
📍 Prerequisites
You must have the Administer Password Requirements role permission. Users without this permission will not see the Password Requirements menu.
1. Log into Secret Server: Sign in with an account that holds the Administer Password Requirements role permission. Use your organisation's Secret Server URL (e.g. https://secretserver.yourorg.com).
2. Open the Admin Menu: Click Admin in the top navigation bar to expand the administration dropdown menu.
3. Navigate to Password Requirements: Follow this path in the admin panel: Admin › Security › Password Requirements
4. Create or Edit a Policy: Click + Create New to define a new policy, or click the name of an existing policy to edit it.
Password Requirements Overview
Module 03 · Core Configuration
A Password Requirement is a reusable policy object that defines the rules a password must follow. These policies are then linked to Secret Templates so that every secret using that template inherits the rules automatically.
| Field | Purpose | Default |
|---|---|---|
| Name | Unique identifier for the policy | — |
| Description | Human-readable notes about policy purpose | — |
| Min Length | Shortest allowable password | 8 |
| Max Length | Longest allowable password | 255 |
| Use Dictionary | Block passwords matching dictionary words | Off |
| History Count | How many previous passwords to remember | 0 |
⚠️ Best Practice
Give each policy a descriptive name such as "Windows Server Accounts — High Security" or "Service Accounts — Compliance" to make template assignment clear and auditable.
Length & Complexity Settings
Module 04 · Length Rules
Password length is one of the most impactful factors in password security. NIST SP 800-63B recommends a minimum of 8 characters for user-managed passwords and 6 characters for machine-managed or randomly generated ones, though longer is always better.
| Use Case | Recommended Min | Recommended Max | Complexity |
|---|---|---|---|
| Privileged Admin Accounts | 20+ chars | 64+ | High |
| Service Accounts | 16+ chars | 64+ | High |
| Standard User Accounts | 12+ chars | 64 | Medium |
| Legacy System Accounts | 8+ chars | 16 | Low |
Some legacy systems silently truncate passwords beyond a certain length, which can cause generated passwords to appear correct during creation but fail during rotation. Always check the target system's maximum password length before setting the Secret Server policy.
Secret Server's built-in password generator will refuse to generate a password longer than the configured maximum. If a generated password doesn't meet all requirements, it will retry up to 100 times before throwing an error — so ensure your character requirements are satisfiable within your length constraints.
Secret Server supports passwords up to 255 characters in the password field. The practical limit for remote password changing may be lower depending on the target system (e.g. Active Directory supports up to 256 Unicode characters, while some Linux PAM configurations may vary).
Character Set Rules
Module 05 · Character Configuration
Secret Server lets you define precisely which character types are required, allowed, or forbidden — and how many of each must appear in a valid password.
| Character Type | Setting Options | Example Characters |
|---|---|---|
| Uppercase Letters | Min count / Max count / Allowed | A B C … Z |
| Lowercase Letters | Min count / Max count / Allowed | a b c … z |
| Numeric Digits | Min count / Max count / Allowed | 0 1 2 … 9 |
| Special Characters | Min count / allowed set / forbidden set | ! @ # $ % ^ & * |
| Spaces | Allowed / Not Allowed | [space] |
⚠️ Forbidden Characters
Use the Excluded Characters field to list characters that Secret Server's generator and validator will never use. For example, exclude | ` ' " < > if they cause issues in scripts or terminal emulators.
🚫 Common Mistake
Setting a minimum count that sums to more than your minimum length will cause password generation to fail. For example: requiring 5 uppercase + 5 lowercase + 5 digits + 5 special = 20 chars minimum, but setting min length to 12 is a contradiction.
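A pre-flight check for the contradictions described above, as an added example (not Delinea code and not part of the original course). The `Policy` model, its field names and the sample policies are assumptions made for illustration; the length rule follows the course's statement that required counts must fit within the minimum length.

```python
import string
from dataclasses import dataclass, field

# Hypothetical policy model; field names are assumptions, not Secret Server's schema.
@dataclass
class Policy:
    name: str
    min_length: int = 8
    max_length: int = 255
    min_counts: dict = field(default_factory=dict)  # required count per class
    specials: str = "!@#$%^&*"                      # allowed special characters
    excluded: str = ""                              # Excluded Characters field

    def pool(self, cls):
        """Characters of one class still usable after exclusions."""
        base = {"upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
                "digit": string.digits, "special": self.specials}[cls]
        return set(base) - set(self.excluded)

def lint_policy(p):
    """Return the contradictions that would make generation fail (empty = consistent)."""
    problems = []
    required = sum(p.min_counts.values())
    if p.min_length > p.max_length:
        problems.append("min length exceeds max length")
    if required > p.min_length:
        problems.append(f"required characters ({required}) exceed min length ({p.min_length})")
    if required > p.max_length:
        problems.append(f"required characters ({required}) exceed max length ({p.max_length})")
    for cls, count in p.min_counts.items():
        if count > 0 and not p.pool(cls):
            problems.append(f"{cls}: required, but every character is excluded")
    return problems

FIVE_EACH = {"upper": 5, "lower": 5, "digit": 5, "special": 5}
# Constructed sample policies.
PAGE_MISTAKE = Policy("5+5+5+5 with min length 12", 12, 64, FIVE_EACH)
LEGACY = Policy("legacy system, max 16", 8, 16, FIVE_EACH)
NO_SPECIALS = Policy("specials all excluded", 12, 64, {"special": 2},
                     specials="|<>", excluded="|`'\"<>")
CONSISTENT = Policy("privileged admin", 20, 64, FIVE_EACH)

if __name__ == "__main__":
    for policy in (PAGE_MISTAKE, LEGACY, NO_SPECIALS, CONSISTENT):
        print(policy.name, "->", lint_policy(policy) or "OK")
```

Running a check like this before saving a policy catches the case where the generator would exhaust its retries instead of producing a password.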
Dictionary Checks
Module 06 · Advanced Validation
Dictionary checking prevents passwords from containing common words, phrases, or strings found in a configurable word list. This protects against dictionary attacks even when complexity rules are met.
1. Enable Dictionary Checking: In the Password Requirement editor, toggle Use Dictionary to Yes. This activates the word list selector.
2. Upload or Select a Word List: Navigate to Admin › Dictionary to upload a .txt file with one word per line, or select an existing list.
3. Choose Matching Mode: Exact Match rejects a password only if it exactly matches a dictionary word. Contains Match rejects any password that contains the word as a substring. Contains mode is more secure but can be restrictive.
💡 Recommended Word Lists
Consider using industry-standard lists like the NCSC Password Blacklist or HaveIBeenPwned top 100k list for maximum protection. Delinea supports importing any line-delimited .txt file.
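The two matching modes side by side, as an added example (not Delinea code and not part of the original course). The word list is constructed, and case-insensitive comparison and the `short_entries` helper are assumptions made for illustration.

```python
# Constructed sample word list: line-delimited, as in an uploaded .txt file.
WORDLIST_TXT = """password
welcome
Summer

delinea
an
"""

def load_words(text):
    """Parse a one-word-per-line list, skipping blank lines."""
    # Assumption: matching is case-insensitive, so entries are lower-cased.
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def dictionary_hits(password, words, mode="contains"):
    """Return the dictionary words that cause rejection (empty list = accepted)."""
    candidate = password.lower()
    if mode == "exact":
        # Exact Match: only a password identical to a list entry is rejected.
        return [candidate] if candidate in words else []
    if mode == "contains":
        # Contains Match: any list entry appearing as a substring rejects it.
        return sorted(w for w in words if w in candidate)
    raise ValueError(f"unknown mode: {mode!r}")

def short_entries(words, min_len=4):
    """List entries so short that Contains mode would over-block with them."""
    return sorted(w for w in words if len(w) < min_len)

WORDS = load_words(WORDLIST_TXT)

if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("welcome", "Welcome2024!", "Delinea-Summer-2024",
               "T9#an!vQ2x$Lm", "Xq7#vLp2@tRz"):
        print(f"{pw!r:24} exact={dictionary_hits(pw, WORDS, 'exact')} "
              f"contains={dictionary_hits(pw, WORDS, 'contains')}")
    print("entries to review before using Contains mode:", short_entries(WORDS))
```

The random-looking `T9#an!vQ2x$Lm` is rejected in Contains mode only because of the two-letter entry `an`, which is why short entries are worth pruning from a list before enabling that mode.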
Password History & Rotation
Module 07 · History Enforcement
Secret Server can store and enforce password history to prevent users from cycling back to previous passwords. This is configured per policy and stored securely in the vault.
| Setting | Description | Recommendation |
|---|---|---|
| History Count | Number of previous passwords remembered and blocked | 10–24 |
| Min Age (days) | How long before a password can be changed again | 1 day |
| Max Age (days) | Forces rotation after N days (triggers RPC) | 90 days |
| Expiry Warning | Days before expiry to show warning in UI | 14 days |
If Remote Password Changing (RPC) is enabled on the template, Secret Server will automatically generate a new password per the policy and push it to the target system. If RPC is not configured, the secret will be flagged as "Expired" in the UI, requiring manual intervention by a user with edit access.
Users with the Bypass Password Requirements on Manual Change role permission can override history and complexity rules when manually editing a secret. This permission should be granted sparingly and audited regularly.
Historical passwords are stored encrypted in the Secret Server database using the same AES-256 encryption as active secrets. They are never exposed in the UI — only the hashed comparison is used during validation.
Assigning Policies to Templates
Module 08 · Template Association
A Password Requirement policy only takes effect when it is linked to one or more Secret Templates. Every secret created from that template will then have its password field validated and generated according to the policy.
1. Open Secret Templates: Navigate to Admin › Secret Templates and click the template you want to update.
2. Edit the Template: Click Edit on the template detail page to enter edit mode.
3. Locate the Password Field: In the Fields section, click on the field with type Password to open its settings.
4. Set Password Requirement: In the field settings, find the Password Requirements dropdown and select your desired policy. Save the field, then save the template.
⚠️ Existing Secrets
Changing a template's password requirement does not retroactively validate or change existing secrets. It will only apply to new secrets created with that template, or when a password is next changed via the UI or RPC.
Policy Simulator
Module 09 · Interactive Practice
Use this simulator to build a password policy and test passwords against it in real time — just like the Secret Server interface.
Policy Builder options:
- Require no repeating characters (e.g. "aaa" would be rejected)
- Dictionary check enabled (block common words & phrases)
- Disallow spaces (password cannot contain spaces)
Checks reported when testing a password against the policy: min length met, uppercase chars, lowercase chars, numeric digits, special characters, under max length, no repeat chars, not in dictionary.
Knowledge Check
Module 10 · Assessment
Test your understanding of Delinea Secret Server password requirements.
1. Where in Secret Server do you create a new Password Requirement policy?
Admin › Templates › Password Fields
Admin › Security › Password Requirements
Admin › Configuration › Local User Passwords
Users › Roles › Password Policy
2. If you require 4 uppercase + 4 lowercase + 4 digits + 4 special characters, what is the absolute minimum password length that makes sense?
8 characters
12 characters
16 characters
20 characters
3. After changing a Secret Template's password requirement, what happens to existing secrets created from that template?
All existing passwords are immediately rotated
Existing secrets are flagged as non-compliant and locked
Existing secrets are unaffected; the new policy applies only on next password change
The template change is rejected unless all secrets already comply
4. What does "Contains Match" mode do in dictionary checking?
Only rejects passwords that exactly match a dictionary word
Rejects any password that contains a dictionary word as a substring
Checks the password against a remote threat intelligence feed
Compares the password against the user's previous 10 passwords
5. Which role permission allows a user to bypass complexity rules when manually changing a secret's password?