====== Password and identity ======

Each identity can have its own password. A password can be created through the frontend agenda or during failed or successful login attempts.

When an identity is created by synchronization, the password object, including its metadata, **isn't created**. The password can't be created by a frontend form. It will be created **only by an internal process** of IdM.

===== Password change form =====

The password change form is accessible from the identity detail via the **Password** submenu.

{{ :devel:documentation:identities:adm:pass001.png |}}

The password change form is also accessible through the dashboard button **Password change**.

{{ :devel:documentation:identities:adm:pass002.png |}}

To access this form you need the permission ''IDENTITY_PASSWORDCHANGE'' or ''IDENTITY_PASSWORDRESET'' (only with the password reset module active).

==== Information about password (password metadata) ====

Supported since version CzechIdM 9.6 Quartz

Information about the password contains attributes that control the password lifecycle, such as validity or blocked login. The password agenda is accessible from the identity detail via the **Password** submenu. A global agenda for all passwords doesn't exist.

{{ :devel:documentation:identities:adm:pass003.png |}}

To access this agenda you need the permission ''PASSWORD_READ''. To update the available information, such as **password never expires**, you need the permission ''PASSWORD_UPDATE''.

When you set **Password never expires**, the attribute "valid till" will be emptied.

If you only have permission to read password information, the password change form will not be shown.

{{ :devel:documentation:identities:adm:pass004.png |}}

If you only have permission to change the password, the agenda of password information will not be shown.

{{ :devel:documentation:identities:adm:password005.png |}}

===== Metadata about password =====

The password also contains other metadata, such as:

  * **valid till** - start of the validity of the password. The attribute can be set by "validate password policy", or by the frontend agenda "information about password",
  * **valid from** - end of the validity of the password. The attribute is set only by "validate password policy",
  * **must change** - FIXME this attribute now doesn't work
  * **last successful login** - date of the last successful login,
  * **unsuccessful attempts** - number of unsuccessful attempts in a row,
  * **block login date** - date of blocked login. The attribute is set by settings from validate password policy, or by the frontend agenda information about password,
  * **password never expires** - the password will never have "valid till" set. The option can be set by the frontend agenda information about password. The option is recommended only for administrator accounts.

Right now, only "valid till", "block login date" and "password never expires" can be edited. To set these attributes you must have the permission ''PASSWORD_UPDATE''.