Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

CipherTrust Manager Administration

Password Policy

search

Please Note:

print

Password Policy

The Ciphertrust Manager provides one universal password policy for all users across all domains. This policy is known as the global policy and is applied to all users by default. However, the Ciphertrust Manager also facilitates you to create custom password policies for new or existing users. These policies can be assigned to the selected users based on the requirement.

Note

  • The global policy cannot be deleted.

  • The global policy is managed only by the members of the admin and user admin groups.

You can create/configure the password policies using the API playground or CLI.

copy link to clipboardAllowed password length and characters

These are the password policy settings that define the allowed password length and characters:

  • Default: Minimum length: 8

  • Default: Maximum length: 30

  • Default: Minimum number of upper cases: 1

  • Default: Minimum number of lower cases: 1

  • Default: Minimum number of digits: 1

  • Default: Minimum number of other characters: 1

copy link to clipboardTo set the entire password policy

You can set the entire password policy. See the "CLI Documentation" for details on each parameter.

-f, --failed-logins-lockout-thresholds     list of lockout durations in minutes for failed login attempts.
-L, --lifetime     maximum lifetime of the user password.
-b, --history      number of past passwords saved. This sets how frequently old passwords can be reused.
-t, --minlength    minimum length of the password.
-z, --maxlength    maximum length of the password.
-m, --minupper     minimum number of upper case letters.
-w, --minlower     minimum number of lower case letters.
-d, --mindig       minimum number of digits.
-o, --minother     minimum number of other characters.
    --pwdchngdays  maximum lifetime of the password in days.

To set the allowed password length and characters in one string:

ksctl users pwdpolicy update --minlength 8 --maxlength 30 --minupper 1 --minlower 1 --minother 1 --mindig 1

copy link to clipboardTo update a single aspect of the password policy

ksctl users pwdpolicy update --maxlength 100

copy link to clipboardChanging Password Expiration

User passwords can be set to expire after the configured number of days from the last password change.

Default: Password lifetime: 0 (password never expires)

copy link to clipboardTo set password to expire in 30 days

-L, --lifetime     maximum lifetime of the user password.
ksctl users pwdpolicy update --lifetime 30

copy link to clipboardTo set password to never expire:

ksctl users pwdpolicy update --lifetime 0

copy link to clipboardChanging user account lockout thresholds

User's account can be temporarily locked out for a specified duration after a specified number of user authentication failure attempts. A lockout is applicable only for users in a local account, i.e. not valid for LDAP users.

Default: disabled (no lockout)

copy link to clipboardTo set the user account lockout thresholds

-f, --failed-logins-lockout-thresholds List of lockout durations in minutes for failed login attempts.

In this example, values [0, 5, 30] means that the first failed login attempt, with lockout duration of zero, will not lockout the user account. The second failed login attempt will lockout the account for 5 minutes. The third and subsequent failed login attempts will lockout for 30 minutes.

ksctl users pwdpolicy update -f [0, 5, 30]

Note

If you set these thresholds while a user is locked out, the active lockout period must complete before the new thresholds are applied to that user's authentication attempts.

copy link to clipboardTo disable user account lockout

To disable user account lockout, set an empty array '[]'.

ksctl users pwdpolicy update -f []

copy link to clipboardUnlocking a user account

A user account that has been locked due to failed log in attempts can be unlocked by an Application Administrator.

copy link to clipboardTo unlock a user account

ksctl users modify --id "local|c9161a90-0838-469b-87e9-726d8c539f3f" -u

copy link to clipboardChanging the password history

The CipherTrust Manager retains the user's password history to prevent users from reusing their passwords.

Default: Password History: 5.

  • The minimum value for history is '0'. This value prevents the users from reusing their current password.

  • With the default value of 5, the user is prevented from reusing their current password and 4 previous passwords.

  • The maximum value for password history is 20.

-b, --history      number of past passwords saved. This sets how frequently old passwords can be reused

To set the password history to the value 7, issue this command:

ksctl users pwdpolicy update --history 7

copy link to clipboardCustom password policies

The Ciphertrust Manager allows creating multiple password policies for the users. These custom password policies can be explicitly assigned to users using the password_policy field while creating or updating the user details.

password_policy: "custom_policy <Name of the custom policy>"

Note

The custom password policies can be managed and applied only by the members of the admin and user admin groups.

Example Request 1 (creating a user with custom password policy)

ksctl users create --username "testuser1" --password-policy custom_policy --pword "pass@A123"

Example Response

{
    "created_at": "2023-02-21T04:48:40.447587Z",
    "email": "testuser1@local",
    "last_login": null,
    "logins_count": 0,
    "name": "testuser1",
    "nickname": "testuser1",
    "updated_at": "2023-02-21T04:48:40.447587Z",
    "user_id": "local|d943506b-d3f9-4774-b5c3-c812c2eb4b9c",
    "username": "testuser1",
    "failed_logins_count": 0,
    "account_lockout_at": null,
    "failed_logins_initial_attempt_at": null,
    "last_failed_login_at": null,
    "password_changed_at": "2023-02-21T04:48:40.432542Z",
    "password_change_required": false,
    "certificate_subject_dn": "",
    "enable_cert_auth": false,
    "auth_domain": "00000000-0000-0000-0000-000000000000",
    "login_flags": {
        "prevent_ui_login": false
    },
    "allowed_auth_methods": [
        "password"
    ],
    "allowed_client_types": [
        "unregistered",
        "public",
        "confidential"
    ],
    "password_policy": "custom_policy"
}

Example Request 2 (assigning custom password policy to an existing user)

ksctl users modify --id "local|d943506b-d3f9-4774-b5c3-c812c2eb4b9c" --password-policy test_policy --pword "Pass@A123"

Example Response

{
    "created_at": "2023-02-21T04:48:40.447587Z",
    "email": "testuser1@local",
    "last_login": null,
    "logins_count": 0,
    "name": "testuser1",
    "nickname": "testuser1",
    "updated_at": "2023-02-21T05:05:50.564412Z",
    "user_id": "local|d943506b-d3f9-4774-b5c3-c812c2eb4b9c",
    "username": "testuser1",
    "failed_logins_count": 0,
    "account_lockout_at": null,
    "failed_logins_initial_attempt_at": null,
    "last_failed_login_at": null,
    "password_changed_at": "2023-02-21T05:05:50.562118Z",
    "password_change_required": false,
    "certificate_subject_dn": "",
    "enable_cert_auth": false,
    "login_flags": {
        "prevent_ui_login": false
    },
    "allowed_auth_methods": [
        "password"
    ],
    "allowed_client_types": [
        "unregistered",
        "public",
        "confidential"
    ],
    "password_policy": "test_policy"
}

To know the default values for custom password policies, refer to allowed password length and characters.

copy link to clipboardManaging custom password policies

The following operations can be performed:

  • Create/Get/Change/Delete custom password policies

  • List all password policies

For parameters details, refer to To set the entire password policy.

copy link to clipboardCreating custom password policies

To create a custom password policy, run:

Example Request

ksctl users pwdpolicy create --policy-name "custom_policy" --minupper 1 --minlower 1 --mindig 1 --minother 0 --minlength 8 --maxlength 30 --lifetime 30 --failed-logins-lockout-thresholds "[0,0,30]" --history 0 --pwdchngdays 1

Example Response

{
 "inclusive_min_upper_case": 1,
 "inclusive_min_lower_case": 1,
 "inclusive_min_digits": 1,
 "inclusive_min_other": 0,
 "inclusive_min_total_length": 8,
 "inclusive_max_total_length": 30,
 "password_history_threshold": 0,
 "failed_logins_lockout_thresholds": [
  0,
  0,
  30
 ],
 "password_lifetime": 30,
 "policy_name": "custom_policy",
 "password_change_min_days": 1
}

copy link to clipboardGetting details of custom password policies

To get details of a custom password policy, run:

Example Request 1 (with policy name)

ksctl users pwdpolicy get --policy-name custom_policy

Example Response

{
 "inclusive_min_upper_case": 1,
 "inclusive_min_lower_case": 1,
 "inclusive_min_digits": 1,
 "inclusive_min_other": 0,
 "inclusive_min_total_length": 8,
 "inclusive_max_total_length": 30,
 "password_history_threshold": 0,
 "failed_logins_lockout_thresholds": [
  0,
  0,
  30
 ],
 "password_lifetime": 30,
 "policy_name": "custom_policy",
 "password_change_min_days": 1
}

If the policy name is not specified in the request, then the applied password policy is fetched. By default, the global password policy is applied to the users.

Example Request 2 (without policy name)

ksctl users pwdpolicy get

Example Response

{
 "inclusive_min_upper_case": 1,
 "inclusive_min_lower_case": 1,
 "inclusive_min_digits": 1,
 "inclusive_min_other": 0,
 "inclusive_min_total_length": 8,
 "inclusive_max_total_length": 30,
 "password_history_threshold": 0,
 "failed_logins_lockout_thresholds": [
  0,
  0,
  30
 ],
 "password_lifetime": 30,
 "policy_name": "custom_policy",
 "password_change_min_days": 1
}

copy link to clipboardChanging custom password policies

To change a custom password policy, run:

Example Request

ksctl users pwdpolicy update --policy-name "custom_policy" --minupper 2 --minlower 2 --mindig 2 --minother 2 --minlength 20 --maxlength 20 --lifetime 0 --failed-logins-lockout-thresholds "[0,5,30]" --history 10 --pwdchngdays 30

Example Response

{
    "inclusive_min_upper_case": 2,
    "inclusive_min_lower_case": 2,
    "inclusive_min_digits": 2,
    "inclusive_min_other": 2,
    "inclusive_min_total_length": 20,
    "inclusive_max_total_length": 20,
    "password_history_threshold": 10,
    "failed_logins_lockout_thresholds": [
        0,
        5,
        30
    ],
    "password_lifetime": 0,
    "policy_name": "custom_policy",
    "password_change_min_days": 30
}

copy link to clipboardDeleting custom password policies

To delete a custom password policy, run:

Example Request

ksctl users pwdpolicy delete --policy-name custom_policy

There will be no response if policy is deleted successfully.

copy link to clipboardGetting list of all password policies

To list all the password policies, run:

Example Request

ksctl users pwdpolicy list

Example Response

{
    "skip": 0,
    "limit": 10,
    "total": 2,
    "resources": [
        {
            "inclusive_min_upper_case": 1,
            "inclusive_min_lower_case": 1,
            "inclusive_min_digits": 1,
            "inclusive_min_other": 0,
            "inclusive_min_total_length": 8,
            "inclusive_max_total_length": 30,
            "password_history_threshold": 0,
            "failed_logins_lockout_thresholds": [
                0,
                0,
                30
            ],
            "password_lifetime": 30,
            "policy_name": "custom_policy",
            "password_change_min_days": 1
        },
        {
            "inclusive_min_upper_case": 1,
            "inclusive_min_lower_case": 1,
            "inclusive_min_digits": 1,
            "inclusive_min_other": 1,
            "inclusive_min_total_length": 8,
            "inclusive_max_total_length": 30,
            "password_history_threshold": 5,
            "failed_logins_lockout_thresholds": [
                0,
                0,
                0,
                0,
                1
            ],
            "password_lifetime": 0,
            "policy_name": "global",
            "password_change_min_days": 0
        }
    ]
}

On this page