Content
- Introduction
- Default Password Intelligence Policy
- Enforcement Actions
- Visual Walk-through
- User Login Flows
- Change Password Flows
- Monitoring with Reports
- Conclusion
- Authors
Introduction
In an era where cyber threats are constantly evolving, password security remains a critical line of defence. Weak or compromised passwords continue to be a leading cause of data breaches. IBM Verify addresses this challenge with its Password Intelligence feature—an advanced capability that helps organizations enforce strong password policies, detect risky credentials, and guide users toward better password hygiene.
This blog explores how to configure and monitor Password Intelligence within your IBM Verify tenant, including enforcement options, integration with IBM X-Force, and how to leverage reporting tools for actionable insights.
What is IBM Verify?
IBM Verify is a cloud-based digital identity verification solution that helps organizations securely confirm user identities. It combines identity proofing, authentication, and verification methods to enhance security and prevent fraud in online processes. By integrating these capabilities, IBM Verify ensures that only legitimate users gain access to sensitive systems and data—making it a critical component of modern identity and access management (IAM) strategies.
Prerequisites
Before configuring Password Intelligence, ensure the following prerequisites are met:
Default Password Intelligence Policy
Within the default policy, administrators can enable two key enforcement mechanisms:
- ✅ IBM X-Force
- ✅ Custom List
Once enabled, these mechanisms influence user login flows by enforcing password strength and integrity.
Note: Currently, Password Intelligence enforcement is supported only for users in the Cloud Directory identity source.
Enforcement Actions
For each source (IBM X-Force or Custom List), you can choose:
- 🔍 Audit
- ⚠️ Warn users with a message
- 🚫 Prevent login and redirect to change password
Details:
- Audit
  - This mode silently logs weak or compromised passwords during login attempts.
  - Useful for monitoring without disrupting the user experience.
- Warn Users with a Message
  - Encourages proactive password changes without blocking access.
- Prevent Login and Redirect to Change Password
  - The most stringent enforcement.
  - Users are blocked from logging in until they update their password to meet policy requirements.
Visual Walk-through
Within a tenant, this feature is accessed through the admin portal:
Go to Security → Password management → Intelligence list
Below are the two key enforcement mechanisms:
User Login Flows
Under each mechanism, below are the password enforcement actions:
Similarly, for Custom List enforcement:
Here is a sample of the CSV file that needs to be uploaded under this option:
Change Password Flows
Just like User Login Flows, the Change Password Flow also supports enforcement through Password Intelligence. This ensures that users are prevented from setting weak or compromised passwords.
Enforcement Actions (Same as Login Flow)
✅ Example: Prevent Password Change
If a user attempts to set a password that matches an entry in the IBM X-Force or Custom List, and the enforcement is set to Prevent, they will be stopped and prompted to choose a more secure password before proceeding.
The end user will be prompted to change their password as below:
Monitoring with Reports
To complement enforcement actions, IBM Verify provides detailed reporting under:
Reporting & Diagnostics → Reports → Password Intelligence → View Report
The trends chart provides a time-based view of password enforcement events.
This level of detail allows security teams to:
- Track when and where weak or compromised passwords are used
- Identify users frequently triggering warnings or blocks
- Correlate login attempts with geographic and IP data
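The three review tasks above can be scripted once the events are available outside the console. The following is an added example, not IBM Verify code: the column names and sample rows are constructed for illustration and do not represent the product's export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample events; column names are hypothetical, not IBM Verify's export schema.
SAMPLE_EVENTS = """\
time,user,flow,source,action,ip,country
2025-01-06T08:01:00Z,alice,login,x-force,warn,198.51.100.7,DE
2025-01-06T08:05:00Z,bob,login,custom-list,prevent,203.0.113.9,US
2025-01-07T09:12:00Z,alice,login,x-force,warn,198.51.100.7,DE
2025-01-07T09:40:00Z,carol,login,x-force,audit,203.0.113.9,US
2025-01-08T10:02:00Z,alice,change-password,custom-list,prevent,192.0.2.44,FR
2025-01-08T11:30:00Z,bob,login,custom-list,prevent,203.0.113.9,US
"""


def summarize(events_csv, user_threshold=2, ip_user_threshold=2):
    """Aggregate enforcement events per user and per source IP."""
    per_user = defaultdict(lambda: {"audit": 0, "warn": 0, "prevent": 0,
                                    "ips": set(), "countries": set()})
    users_by_ip = defaultdict(set)
    for row in csv.DictReader(io.StringIO(events_csv)):
        action = row["action"].strip().lower()
        if action not in ("audit", "warn", "prevent"):
            continue  # skip rows with an unknown action instead of miscounting them
        stats = per_user[row["user"]]
        stats[action] += 1
        stats["ips"].add(row["ip"])
        stats["countries"].add(row["country"])
        users_by_ip[row["ip"]].add(row["user"])

    # Users who keep hitting warn/prevent: candidates for follow-up or a forced reset.
    repeat_users = sorted(u for u, s in per_user.items()
                          if s["warn"] + s["prevent"] >= user_threshold)
    # One address presenting flagged passwords for several accounts deserves a closer look.
    shared_ips = {ip: sorted(us) for ip, us in users_by_ip.items()
                  if len(us) >= ip_user_threshold}
    # Accounts whose flagged events come from more than one country.
    multi_country = sorted(u for u, s in per_user.items() if len(s["countries"]) > 1)
    return {"repeat_users": repeat_users, "shared_ips": shared_ips,
            "multi_country": multi_country, "per_user": dict(per_user)}


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    print("Repeat warn/prevent users:", report["repeat_users"])
    print("IPs shared across users:", report["shared_ips"])
    print("Users seen from several countries:", report["multi_country"])
```

Audit-only events are counted per user but do not contribute to the repeat-user threshold, since that mode does not interrupt the user.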
Conclusion
Password Intelligence in IBM Verify is more than just a policy—it's a proactive approach to securing user identities. By leveraging IBM X-Force insights, custom enforcement rules, and detailed reporting, organizations can detect weak passwords, guide users toward stronger credentials, and reduce the risk of breaches. Whether you're auditing, warning, or enforcing password changes, this feature empowers you to strike the right balance between security and user experience.
Authors: