Password Policy
The CipherTrust Manager provides one universal password policy for all users across all domains. This policy is known as the global policy and is applied to all users by default. The CipherTrust Manager also lets you create custom password policies for new or existing users. These policies can then be assigned to selected users as required.
Note
The global policy cannot be deleted.
The global policy is managed only by members of the admin and user admin groups.
You can create/configure the password policies using the API playground or CLI.
Allowed password length and characters
These are the password policy settings that define the allowed password length and characters:
Default: Minimum length: 8
Default: Maximum length: 30
Default: Minimum number of upper cases: 1
Default: Minimum number of lower cases: 1
Default: Minimum number of digits: 1
Default: Minimum number of other characters: 1
To set the entire password policy
You can set the entire password policy. See the "CLI Documentation" for details on each parameter.
To set the allowed password length and characters in one string:
To update a single aspect of the password policy
Changing Password Expiration
User passwords can be set to expire after the configured number of days from the last password change.
Default: Password lifetime: 0 (password never expires)
To set the password to expire in 30 days:
To set the password to never expire:
Changing user account lockout thresholds
A user account can be temporarily locked out for a specified duration after a specified number of failed authentication attempts. Lockout applies only to users in a local account, i.e. it is not valid for LDAP users.
Default: disabled (no lockout)
To set the user account lockout thresholds
In this example, the values [0, 5, 30] mean that the first failed login attempt, with a lockout duration of zero, does not lock out the user account. The second failed login attempt locks the account for 5 minutes. The third and subsequent failed login attempts lock it for 30 minutes.
Note
If you set these thresholds while a user is locked out, the active lockout period must complete before the new thresholds are applied to that user's authentication attempts.
To disable user account lockout
To disable user account lockout, set the thresholds to an empty array '[]'.
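The lockout rules above (index = failed-attempt number, last entry repeats, empty array disables lockout, an active lockout runs to completion when thresholds change, administrator unlock) modelled as an added Python illustration; this is not CipherTrust Manager code, and the integer minute clock and the failure-counter reset on unlock are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


def lockout_minutes(thresholds: List[int], failed_attempts: int) -> int:
    """Lockout duration in minutes after the given consecutive failure count.

    The n-th failure uses thresholds[n-1]; once the array is exhausted the last
    entry repeats, so [0, 5, 30] gives 0, 5, 30, 30, ... An empty array means
    lockout is disabled and always yields 0.
    """
    if failed_attempts < 1 or not thresholds:
        return 0
    return thresholds[min(failed_attempts, len(thresholds)) - 1]


@dataclass
class LocalAccount:
    """A local (non-LDAP) account with its failure counter and active lockout.

    Time is a constructed integer clock in minutes, not wall-clock time.
    """
    thresholds: List[int]
    failures: int = 0
    locked_until: Optional[int] = None

    def is_locked(self, now: int) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now: int) -> int:
        """Register a failed authentication and return the resulting lockout."""
        self.failures += 1
        minutes = lockout_minutes(self.thresholds, self.failures)
        if minutes:
            self.locked_until = now + minutes
        return minutes

    def set_thresholds(self, new_thresholds: List[int]) -> None:
        """Apply a policy change. Per the Note above an active lockout is not
        shortened: locked_until is left untouched and only later failures use
        the new array."""
        self.thresholds = list(new_thresholds)

    def unlock(self) -> None:
        """Administrator unlock. Clearing the failure counter as well is an
        assumption; the page only states that the account is unlocked."""
        self.locked_until = None
        self.failures = 0
```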
Unlocking a user account
A user account that has been locked due to failed login attempts can be unlocked by an Application Administrator.
To unlock a user account
Changing the password history
The CipherTrust Manager retains the user's password history to prevent users from reusing their passwords.
Default: Password History: 5
The minimum value for history is 0. This value prevents users from reusing only their current password.
With the default value of 5, the user is prevented from reusing their current password and 4 previous passwords.
The maximum value for password history is 20.
To set the password history to the value 7, issue this command:
Custom password policies
The CipherTrust Manager allows creating multiple password policies for users. These custom password policies can be explicitly assigned to users using the password_policy field while creating or updating the user details.
password_policy: "custom_policy <Name of the custom policy>"
Note
The custom password policies can be managed and applied only by members of the admin and user admin groups.
Example Request 1 (creating a user with custom password policy)
Example Response
Example Request 2 (assigning custom password policy to an existing user)
Example Response
For the default values of custom password policies, see Allowed password length and characters.
Managing custom password policies
The following operations can be performed:
Create/Get/Change/Delete custom password policies
List all password policies
For parameter details, see To set the entire password policy.
Creating custom password policies
To create a custom password policy, run:
Example Request
Example Response
Getting details of custom password policies
To get details of a custom password policy, run:
Example Request 1 (with policy name)
Example Response
If no policy name is specified in the request, the currently applied password policy is fetched. By default, the global password policy is applied to users.
Example Request 2 (without policy name)
Example Response
Changing custom password policies
To change a custom password policy, run:
Example Request
Example Response
Deleting custom password policies
To delete a custom password policy, run:
Example Request
No response is returned if the policy is deleted successfully.
Getting list of all password policies
To list all the password policies, run:
Example Request
Example Response