11.7 Enforcing banned words in PINs

If you set the Enforce Banned Words option in the credential profile, MyID prevents cardholders from using banned words as part of their device PINs.

The banned words include dynamic words (for example, the device serial number, or the person's logon name) and a static word list (for example, password or admin).

This list of banned words is enforced when setting the PIN through MyID using the following operations:

Client               Operation
-------------------  --------------------
MyID Desktop         Assisted Activation
MyID Desktop         Batch Collect Card
MyID Desktop         Change PIN
MyID Desktop         Collect Card
MyID Desktop         Reset Card PIN
Self-Service App     Activate Card
Self-Service App     Change My PIN
Self-Service App     Collect My Card
Self-Service App     Reset My PIN
Self-Service Kiosk   Activate Card
Self-Service Kiosk   Change My PIN
Self-Service Kiosk   Collect My Card
Self-Service Kiosk   Reset My PIN

The cardholder can still change their PIN to include words from the banned list using other methods that do not go through these operations; for example, the Windows Change PIN feature, smart card middleware utilities, and legacy MyID workflows not listed in the table above, such as Issue Card, Reprovision Card, Reprovision My Card, and so on. You are recommended to prevent access to these features so that cardholders cannot circumvent the rules.

The list of banned words is also ignored when using client- or server-generated PINs, and when issuing mobile or FIDO devices.

11.7.1 Dynamic word list

By default, when you set the Enforce Banned Words option in the credential profile, MyID prevents the cardholder from using the following values:

These are controlled by the following views in the MyID database:

These views are configured using MyID Project Designer. Editing them directly is not recommended: the views are created on installation or upgrade, so any direct changes are overwritten when you upgrade MyID. Contact your account manager for advice on using MyID Project Designer to amend and maintain these views.

11.7.2 Static word list

The word list is stored on the MyID web services server in the PinPolicyBannedWordList.txt file; by default, this file is installed to the following location:

C:\Program Files\Intercede\MyID\SSP\MyIDProcessDriver\Content\

You can edit the contents of this text file to add or remove words that you want to prevent people from incorporating in their PINs.

Note: If you have multiple web services servers, make sure you synchronize the contents of this file on each server.

By default, the file contains the following words:

password

1234

5678

admin

administrator

You are recommended to publish your list of banned words to your cardholders.

Note: The word list file is created on installation or upgrade. You must take a backup of this file before upgrading MyID and restore it once the upgrade is complete.
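The following is an added example, not MyID's own code, showing the kind of check the static and dynamic banned word lists imply: it loads a word list in the one-word-per-line layout of PinPolicyBannedWordList.txt (a constructed sample with the default words is embedded inline), builds the dynamic list from the device serial number and the person's logon name, and rejects any PIN that contains one of those words. The matching semantics (case-insensitive substring match, blank lines and surrounding whitespace in the file ignored) are assumptions, as are the function names; MyID's actual comparison rules are not stated on this page.

```python
"""Added example (not MyID code): banned-word check for a candidate PIN.

Assumptions: the static list is one word per line (blank lines and
surrounding whitespace ignored); dynamic words are the device serial number
and the logon name; a PIN is rejected if any banned word appears anywhere
inside it, compared case-insensitively.
"""
from __future__ import annotations

from typing import Iterable, Optional

# Constructed sample of a word list file. It carries the same words as the
# default file described on the page, plus a blank line and stray whitespace
# to show that the loader tolerates them.
SAMPLE_WORD_LIST = """password
1234
5678

  admin
administrator
"""


def load_banned_words(text: str) -> list[str]:
    """Parse word-list text: one word per line, trimmed, blanks dropped,
    case-folded so later comparisons are case-insensitive."""
    words: list[str] = []
    for line in text.splitlines():
        word = line.strip()
        if word:
            words.append(word.casefold())
    return words


def dynamic_banned_words(serial_number: str, logon_name: str) -> list[str]:
    """Build the per-device / per-person list (hypothetical helper).
    Empty values are dropped so an unset field never matches every PIN."""
    return [v.casefold() for v in (serial_number, logon_name) if v]


def find_banned_word(pin: str,
                     static_words: Iterable[str],
                     dynamic_words: Iterable[str]) -> Optional[str]:
    """Return the first banned word found inside the PIN, or None.
    Dynamic words are checked first; matching is substring-based (assumed)."""
    candidate = pin.casefold()
    for word in list(dynamic_words) + list(static_words):
        if word and word in candidate:
            return word
    return None


def pin_is_allowed(pin: str, serial_number: str, logon_name: str,
                   word_list_text: str = SAMPLE_WORD_LIST) -> bool:
    """Combine both lists and decide whether the PIN may be set."""
    static = load_banned_words(word_list_text)
    dynamic = dynamic_banned_words(serial_number, logon_name)
    return find_banned_word(pin, static, dynamic) is None


if __name__ == "__main__":
    for candidate_pin in ("9f3k2q", "x12345", "Admin99", "jSmith!"):
        verdict = "allowed" if pin_is_allowed(candidate_pin, "SN0042", "jsmith") else "rejected"
        print(f"{candidate_pin}: {verdict}")
```

Because the check is a substring match, a short word such as "1234" also blocks any longer PIN that contains it; when you add words to the file, keep that in mind so the list does not reject more PINs than intended.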

11.7.3 Cache the word list

If you add a large number of words to this file, you may want to configure MyID to cache the word list on the client. To do so, add the following to the myid.config file:

<add key="CacheBannedWordsList" value="true"/>

By default, the myid.config file is in the following location:

C:\Program Files\Intercede\MyID\SSP\MyIDProcessDriver\

Note: MyID clients provided with version 12.5 onwards support the banned words feature; caching the word list requires MyID clients provided with version 12.6 onwards.