Password Policy
CipherTrust Manager local users have password policies. The CipherTrust Manager provides one universal password policy for all local users across all domains. This policy is known as the global policy and is applied to all users by default.
Note
The global policy cannot be deleted.
Password policies do not apply to users managed through an LDAP or OIDC connection.
However, the CipherTrust Manager also allows members of the admin and user admin groups to create custom password policies for new or existing users. These policies can be assigned to selected users as required.
Custom policies are specific to the domain they are created in. You can only view, assign, or edit a custom policy if you are logged into its domain.
Allowed password length and characters
These are the password policy settings that define the allowed password length and characters:
Default: Minimum number of characters: 8
Default: Maximum number of characters: 30
Default: Minimum number of uppercase characters: 1
Default: Minimum number of lowercase characters: 1
Default: Minimum number of digits: 1
Default: Minimum number of other characters: 1
"Other characters" includes any character supported by the user's keyboard besides letters and digits. Regional keyboard characters, such as currency symbols, are allowed.
Password history
The CipherTrust Manager retains the user's password history to prevent users from reusing their passwords.
Default: Password History: 5.
The minimum value for history is 0. Even at this value, users cannot reuse their current password.
With the default value of 5, the user is prevented from reusing their current password and 4 previous passwords.
The maximum value for password history is 20.
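The length, character-class and history rules above, implemented as an added Python example (not CipherTrust Manager code). It uses the policy field names that the ksctl responses later on this page return, filled with the documented defaults; the sha256 history hash is an illustration only, since the page does not describe how the product stores history.

```python
import hashlib

# Policy dict using the field names that the ksctl responses on this page
# return, filled with the page's documented defaults (8-30 characters,
# one of each class, history 5).
DEFAULT_POLICY = {
    "inclusive_min_total_length": 8,
    "inclusive_max_total_length": 30,
    "inclusive_min_upper_case": 1,
    "inclusive_min_lower_case": 1,
    "inclusive_min_digits": 1,
    "inclusive_min_other": 1,
    "password_history_threshold": 5,
}


def classify(password):
    """Count upper, lower, digit and 'other' characters. 'Other' is anything
    that is neither a letter nor a digit, so regional symbols such as € count."""
    upper = sum(1 for c in password if c.isupper())
    lower = sum(1 for c in password if c.islower())
    digits = sum(1 for c in password if c.isdigit())
    other = sum(1 for c in password if not (c.isalpha() or c.isdigit()))
    return upper, lower, digits, other


def composition_errors(policy, password):
    """Return the rules the candidate violates (an empty list means accepted).
    A max length of None stands for the UI's 'Unlimited characters' switch."""
    errors = []
    if len(password) < policy["inclusive_min_total_length"]:
        errors.append("too short")
    max_len = policy.get("inclusive_max_total_length")
    if max_len is not None and len(password) > max_len:
        errors.append("too long")
    upper, lower, digits, other = classify(password)
    for key, have, label in (
        ("inclusive_min_upper_case", upper, "uppercase letters"),
        ("inclusive_min_lower_case", lower, "lowercase letters"),
        ("inclusive_min_digits", digits, "digits"),
        ("inclusive_min_other", other, "other characters"),
    ):
        if have < policy[key]:
            errors.append(f"needs at least {policy[key]} {label}")
    return errors


def hash_for_history(password):
    # Illustration only: the page does not document how CipherTrust Manager
    # stores its history, and a real store would use salted, slow hashes.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reuse_blocked(policy, candidate, history_hashes):
    """history_hashes is ordered oldest first, with the current password last.
    A threshold of 5 blocks the current password plus the 4 before it, and a
    threshold of 0 still blocks the current password, as the page describes."""
    window = max(policy["password_history_threshold"], 1)
    return hash_for_history(candidate) in history_hashes[-window:]


def validate(policy, candidate, history_hashes):
    """Full check a password change would have to pass under this policy."""
    errors = composition_errors(policy, candidate)
    if reuse_blocked(policy, candidate, history_hashes):
        errors.append("password was used recently")
    return errors
```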
User account lockout thresholds
A user's account can be temporarily locked out for a specified duration after a specified number of failed authentication attempts. By default, there is no lockout. A lockout applies only to local user accounts; it does not apply to LDAP or OIDC users.
Password Expiration
User passwords can be set to expire after the configured number of days from the last password change. By default, the password never expires, indicated with a password lifetime set to 0.
In addition, you can set a password expiry reminder for a defined period of time. With this setting, when a user's password is close to expiry, a banner is displayed when the user logs in to the CipherTrust Manager GUI. The banner indicates the number of days until the password expires.
If an SMTP server is configured and the user has a non-default, valid email address, CipherTrust Manager also emails a password expiry reminder to the user. The timing and frequency of the email reminders depend on the user password expiry scheduled job. By default, the scheduled job sends emails every day at 12 AM UTC. The scheduled job attempts to send an email to every local user, in every domain, whose password policy has these settings and whose password is within the reminder period before expiry. If the job cannot send an email to a user, it generates a server record in the user's domain. A record is generated, for example, when the email is undeliverable because the user has an invalid email address.
There are two components to the password expiry reminder setting: enabling the reminder, and if enabled, setting the time period for CipherTrust Manager to display the banner and send emails. In the UI, the time period is referred to as Days from expiration date. Valid values for this time period are between 0 and 30, defaulting to 14 for new password policies. A value of 0 means that no reminder is displayed or sent.
Note
The password expiry reminder feature was introduced in CipherTrust Manager 2.15. If you upgrade from a CipherTrust Manager version lower than 2.15, existing password policies are given a Days from expiration date value of 0.
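The expiry, reminder-window and minimum-change-interval rules from the sections above, as an added Python example (not CipherTrust Manager code). The policy keys password_lifetime and password_change_min_days are the ones ksctl returns on this page; reminder_days is an assumed key standing in for the UI's Days from expiration date, for which the page gives no CLI field name.

```python
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse the timestamps ksctl prints, e.g. password_changed_at."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_reminder_setting(policy):
    """Validate 'Days from expiration date' against the page's rules: 0..30,
    and lower than the lifetime unless the lifetime is 0 (never expires).
    The key 'reminder_days' is an assumption; the page gives no ksctl name."""
    days, lifetime = policy["reminder_days"], policy["password_lifetime"]
    if not 0 <= days <= 30:
        raise ValueError("Days from expiration date must be between 0 and 30")
    if lifetime and days >= lifetime:
        raise ValueError("Days from expiration date must be lower than the lifetime")
    return True


def expiry_status(policy, password_changed_at, now):
    """Return (expired, days_left, show_reminder) for one user.
    password_lifetime 0 means the password never expires (days_left None);
    a reminder of 0 means no banner or email is ever produced."""
    lifetime = policy["password_lifetime"]
    if lifetime == 0:
        return False, None, False
    remaining = password_changed_at + timedelta(days=lifetime) - now
    if remaining <= timedelta(0):
        return True, 0, False
    days_left = remaining.days  # whole days, what the login banner shows
    reminder = policy.get("reminder_days", 0)
    return False, days_left, reminder > 0 and days_left <= reminder


def can_change_password(policy, password_changed_at, now):
    """'Change password in minimum days': time that must pass between changes."""
    min_days = policy["password_change_min_days"]
    return now - password_changed_at >= timedelta(days=min_days)
```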
Password Policy Management through the Web Console UI
You can create and delete custom password policies through the UI. You can also edit several settings of both the global password policy and custom password policies, and assign a password policy to a user.
Edit Valid Password Values
Log into CipherTrust Manager GUI as an Admin with user management permissions.
Note
As custom password policies are domain-specific, you might have to enable I am a domain user and specify a Home Domain as you log in, to access these resources in a non-root domain.
Navigate to Admin Settings > Password Policies.
Click the name of the policy you wish to view or edit.
Edit the following available settings as desired.
Minimum number of characters
Minimum lowercase characters
Minimum number of digits
Maximum number of characters
Minimum uppercase characters
Minimum number of special characters - This includes any character supported by the user's keyboard besides letters and digits. Regional keyboard characters, such as currency symbols, are allowed.
Unlimited characters - when enabled, you cannot set a maximum number of characters.
Password History Threshold - determines the number of previous passwords that a user cannot reuse. See password history for details and examples.
(Optional) Enter a test password in the Test Password field to validate potential passwords.
Click Update Password Policy to apply the changes.
Edit Account Lockout Settings
Log into CipherTrust Manager GUI as an Admin with user management permissions.
Note
As custom password policies are domain-specific, you might have to enable I am a domain user and specify a Home Domain as you log in, to access these resources in a non-root domain.
Navigate to Admin Settings > Password Policies.
Click the name of the policy you wish to view or edit.
Edit the following available settings as desired.
Disable account lockout
Number of failed attempts allowed before lockout
Lockout time in minutes
Add Lockout - This setting allows you to specify different lockout durations in minutes for subsequent failed attempts. For example, if the number of failed attempts allowed before lockout is 4, and the lockout time for the 5th failed attempt is 1 minute, you can add another lockout for the 6th attempt, with a different duration. Click the x next to the last Lockout to remove it. There is no limit on the number of lockout durations.
Click Update Password Policy to apply the changes.
Edit Password Expiry Settings
Log into CipherTrust Manager GUI as an Admin with user management permissions.
Note
As custom password policies are domain-specific, you might have to enable I am a domain user and specify a Home Domain as you log in, to access these resources in a non-root domain.
Navigate to Admin Settings > Password Policies.
Click the name of the policy you wish to view or edit.
Edit the following available settings as desired.
Days before password expire - 0 means passwords never expire.
Send password expiry reminder - Enable to email periodic password expiry reminders to users with this password policy, and to display a banner on the CipherTrust Manager GUI during the specified time period.
Note
An SMTP server must be configured for CipherTrust Manager to send emails. As well, the timing and frequency of the email reminders depends on the user password expiry scheduled job. By default, emails are sent every day at 12 AM UTC.
Days from expiration date - This setting indicates when CipherTrust Manager will start displaying and sending password expiry reminders. This value must be lower than the Days before password expiry. Valid values are between 0 and 30, defaulting to 14 for new password policies.
Click Update Password Policy to apply the changes.
Edit Allowed Password Change Frequency
Log into CipherTrust Manager GUI as an Admin with user management permissions.
Note
As custom password policies are domain-specific, you might have to enable I am a domain user and specify a Home Domain as you log in, to access these resources in a non-root domain.
Navigate to Admin Settings > Password Policies.
Click the name of the policy you wish to view or edit.
Edit the Change password in minimum days value. This indicates the minimum amount of time that must pass between a user's password changes.
Click Update Password Policy to apply the changes.
Create a Custom Password Policy
The only required value to create a password policy is a name. If desired, you can keep the defaults for allowed password length and characters, password history (5 passwords), account lockout (no lockout), password expiration (no expiry), or time between password changes (1 day).
Log into CipherTrust Manager GUI as an Admin with user management permissions.
Note
As custom password policies are domain-specific, ensure you log in to the domain where you wish to access and apply the new custom password policy in the future. To create a custom policy in a non-root domain, enable I am a domain user and specify a Home Domain as you log in.
Navigate to Admin Settings > Password Policies.
Click + Create Password Policy.
Enter a Password Policy Name.
Adjust the valid password values as desired.
Minimum number of characters
Minimum lowercase characters
Minimum number of digits
Maximum number of characters
Minimum uppercase characters
Minimum number of special characters - This includes any character supported by the user's keyboard besides letters and digits. Regional keyboard characters, such as currency symbols, are allowed.
Unlimited characters - when enabled, you cannot set a maximum number of characters.
Password History Threshold - determines the number of previous passwords that a user cannot reuse. See password history for details and examples.
(Optional) Enter a test password in the Test Password field to validate potential passwords.
Adjust Account Lockout Settings as desired.
Enable account lockout by unchecking the Disable account lockout checkbox.
Number of failed attempts allowed before lockout
Lockout time in minutes
Add Lockout - This setting allows you to specify different lockout durations in minutes for subsequent failed attempts. For example, if the number of failed attempts allowed before lockout is 4, and the lockout time for the 5th failed attempt is 1 minute, you can add another lockout for the 6th attempt, with a different duration. Click the x next to the last Lockout to remove it. There is no limit on the number of lockout durations.
Adjust password expiry settings, if desired.
Days before password expire - 0 means passwords never expire
Send password expiry reminder - Enable to email periodic password expiry reminders to users with this password policy, and to display a banner on the CipherTrust Manager GUI during the specified time period.
Note
An SMTP server must be configured for CipherTrust Manager to send emails. As well, the timing and frequency of the email reminders depends on the user password expiry scheduled job. By default, emails are sent every day at 12 AM UTC.
Days from expiration date - This setting indicates when CipherTrust Manager will start displaying and sending password expiry reminders. This value must be lower than the Days before password expiry. Valid values are between 0 and 30, defaulting to 14 for new password policies.
Edit the Change password in minimum days value, if desired. This indicates the minimum amount of time that must pass between a user's password changes.
Click Create Password Policy to finalize.
Delete a Custom Password Policy
Note
You can only delete custom password policies. You cannot delete the global password policy.
After you delete a custom password policy, all users with the policy are re-assigned to the global password policy.
Log into CipherTrust Manager GUI as an Admin with user management permissions.
Note
As custom password policies are domain-specific, you might have to enable I am a domain user and specify a Home Domain as you log in, to access these resources in a non-root domain.
Navigate to Admin Settings > Password Policies.
Find the name of the custom password policy, click the associated overflow icon, and select Delete.
A confirmation pops up.
Read the confirmation, and click Delete.
Assign a Password Policy to a User
Local users are assigned a password policy on creation through the Password Policy setting. By default, they are assigned the global password policy.
You can re-assign an existing user to a different password policy. This requires a password change for the user, to ensure the password conforms to the assigned password policy.
Log into CipherTrust Manager GUI as an Admin with user management permissions.
Note
As custom password policies and users are domain-specific, you might have to enable I am a domain user and specify a Home Domain as you log in, to access these resources in a non-root domain.
Navigate to Access Management > Users.
Click the desired username. Use the search function to find a username, if needed.
Expand Products and Permissions
Select the desired Password Policy from the dropdown menu.
Set a Password and Password Match. The new password must conform to the new password policy.
Click Reset to assign the password policy and update the user's password.
Provide the new password to the user.
ksctl Password Policy Management
All password policy operations are also available through the ksctl CLI.
To set the entire password policy
You can set the entire password policy. See the "CLI Guide" embedded in CipherTrust Manager for details on each parameter.
-f, --failed-logins-lockout-thresholds list of lockout durations in minutes for failed login attempts.
-L, --lifetime maximum lifetime of the user password.
-b, --history number of past passwords saved. This sets how frequently old passwords can be reused.
-t, --minlength minimum length of the password.
-z, --maxlength maximum length of the password.
-m, --minupper minimum number of upper case letters.
-w, --minlower minimum number of lower case letters.
-d, --mindig minimum number of digits.
-o, --minother minimum number of other characters.
--pwdchngdays maximum lifetime of the password in days.
To set the allowed password length and characters in one command:
ksctl users pwdpolicy update --minlength 8 --maxlength 30 --minupper 1 --minlower 1 --minother 1 --mindig 1
To update a single aspect of the password policy
ksctl users pwdpolicy update --maxlength 100
To set password to expire in 30 days
-L, --lifetime maximum lifetime of the user password.
ksctl users pwdpolicy update --lifetime 30
To set password to never expire
ksctl users pwdpolicy update --lifetime 0
To set the user account lockout thresholds
-f, --failed-logins-lockout-thresholds List of lockout durations in minutes for failed login attempts.
In this example, the value [0, 5, 30] means that the first failed login attempt, with a lockout duration of zero, does not lock out the user account. The second failed login attempt locks out the account for 5 minutes. The third and subsequent failed login attempts lock out the account for 30 minutes.
ksctl users pwdpolicy update -f "[0,5,30]"
Note
If you set these thresholds while a user is locked out, the active lockout period must complete before the new thresholds are applied to that user's authentication attempts.
To disable user account lockout
To disable user account lockout, set an empty array "[]":
ksctl users pwdpolicy update -f "[]"
To unlock a user account
A user account that has been locked because of failed login attempts can be unlocked by an Application Administrator.
ksctl users modify --id "local|c9161a90-0838-469b-87e9-726d8c539f3f" -u
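The lockout threshold semantics from the sections above (the [0, 5, 30] reading, the empty array that disables lockout, the UI's "attempts allowed" form, and the administrator unlock), as an added Python example that is not CipherTrust Manager code. The counter names follow the user record shown later on this page; that a successful login or an admin unlock resets the counter is an assumption.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional


def lockout_minutes(thresholds: List[int], failed_count: int) -> int:
    """Lockout applied after the Nth consecutive failed login, following the
    page's reading of [0, 5, 30]: 1st failure none, 2nd 5 minutes, 3rd and
    every later one 30 minutes. An empty list means lockout is disabled."""
    if not thresholds or failed_count < 1:
        return 0
    return thresholds[min(failed_count, len(thresholds)) - 1]


def ui_to_thresholds(attempts_allowed: int, durations: List[int]) -> List[int]:
    """Map the UI form ('Number of failed attempts allowed before lockout'
    plus one 'Lockout time in minutes' per later attempt) onto the array
    that ksctl -f takes. UI example on this page: 4 allowed, 5th = 1 minute."""
    return [0] * attempts_allowed + list(durations)


class LocalAccount:
    """Minimal model of the lockout counters on the user record shown on
    this page. Resetting the counter on success and on admin unlock is an
    assumption; the page only documents the unlock command itself."""

    def __init__(self) -> None:
        self.failed_logins_count = 0
        self.account_lockout_at: Optional[datetime] = None
        self.lockout_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.lockout_until is not None and now < self.lockout_until

    def record_failed_login(self, thresholds: List[int], now: datetime) -> int:
        """Count one failure and return the lockout (minutes) it triggers."""
        self.failed_logins_count += 1
        minutes = lockout_minutes(thresholds, self.failed_logins_count)
        if minutes > 0:
            self.account_lockout_at = now
            self.lockout_until = now + timedelta(minutes=minutes)
        return minutes

    def record_successful_login(self) -> None:
        self.failed_logins_count = 0

    def unlock(self) -> None:
        """Models the administrator unlock ('ksctl users modify --id ... -u')."""
        self.failed_logins_count = 0
        self.account_lockout_at = None
        self.lockout_until = None
```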
To change the password history
-b, --history number of past passwords saved. This sets how frequently old passwords can be reused.
To set the password history to the value 7, issue this command:
ksctl users pwdpolicy update --history 7
Assigning custom password policies
The CipherTrust Manager allows creating multiple password policies for the users. These custom password policies can be explicitly assigned to users using the password_policy field while creating or updating the user details.
password_policy: "custom_policy <Name of the custom policy>"
Example Request 1 (creating a user with custom password policy)
ksctl users create --username "testuser1" --password-policy custom_policy --pword "pass@A123"
Example Response
{
"created_at": "2023-02-21T04:48:40.447587Z",
"email": "testuser1@local",
"last_login": null,
"logins_count": 0,
"name": "testuser1",
"nickname": "testuser1",
"updated_at": "2023-02-21T04:48:40.447587Z",
"user_id": "local|d943506b-d3f9-4774-b5c3-c812c2eb4b9c",
"username": "testuser1",
"failed_logins_count": 0,
"account_lockout_at": null,
"failed_logins_initial_attempt_at": null,
"last_failed_login_at": null,
"password_changed_at": "2023-02-21T04:48:40.432542Z",
"password_change_required": false,
"certificate_subject_dn": "",
"enable_cert_auth": false,
"auth_domain": "00000000-0000-0000-0000-000000000000",
"login_flags": {
"prevent_ui_login": false
},
"allowed_auth_methods": [
"password"
],
"allowed_client_types": [
"unregistered",
"public",
"confidential"
],
"password_policy": "custom_policy"
}
Example Request 2 (assigning custom password policy to an existing user)
ksctl users modify --id "local|d943506b-d3f9-4774-b5c3-c812c2eb4b9c" --password-policy test_policy --pword "Pass@A123"
Example Response
{
"created_at": "2023-02-21T04:48:40.447587Z",
"email": "testuser1@local",
"last_login": null,
"logins_count": 0,
"name": "testuser1",
"nickname": "testuser1",
"updated_at": "2023-02-21T05:05:50.564412Z",
"user_id": "local|d943506b-d3f9-4774-b5c3-c812c2eb4b9c",
"username": "testuser1",
"failed_logins_count": 0,
"account_lockout_at": null,
"failed_logins_initial_attempt_at": null,
"last_failed_login_at": null,
"password_changed_at": "2023-02-21T05:05:50.562118Z",
"password_change_required": false,
"certificate_subject_dn": "",
"enable_cert_auth": false,
"login_flags": {
"prevent_ui_login": false
},
"allowed_auth_methods": [
"password"
],
"allowed_client_types": [
"unregistered",
"public",
"confidential"
],
"password_policy": "test_policy"
}
For the default values of custom password policies, see Allowed password length and characters.
Managing custom password policies
The following operations can be performed:
Create/Get/Change/Delete custom password policies
List all password policies
For parameter details, see To set the entire password policy.
Creating custom password policies
To create a custom password policy, run:
Example Request
ksctl users pwdpolicy create --policy-name "custom_policy" --minupper 1 --minlower 1 --mindig 1 --minother 0 --minlength 8 --maxlength 30 --lifetime 30 --failed-logins-lockout-thresholds "[0,0,30]" --history 0 --pwdchngdays 1
Example Response
{
"inclusive_min_upper_case": 1,
"inclusive_min_lower_case": 1,
"inclusive_min_digits": 1,
"inclusive_min_other": 0,
"inclusive_min_total_length": 8,
"inclusive_max_total_length": 30,
"password_history_threshold": 0,
"failed_logins_lockout_thresholds": [
0,
0,
30
],
"password_lifetime": 30,
"policy_name": "custom_policy",
"password_change_min_days": 1
}
Getting details of custom password policies
To get details of a custom password policy, run:
Example Request 1 (with policy name)
ksctl users pwdpolicy get --policy-name custom_policy
Example Response
{
"inclusive_min_upper_case": 1,
"inclusive_min_lower_case": 1,
"inclusive_min_digits": 1,
"inclusive_min_other": 0,
"inclusive_min_total_length": 8,
"inclusive_max_total_length": 30,
"password_history_threshold": 0,
"failed_logins_lockout_thresholds": [
0,
0,
30
],
"password_lifetime": 30,
"policy_name": "custom_policy",
"password_change_min_days": 1
}
If the policy name is not specified in the request, then the applied password policy is fetched. By default, the global password policy is applied to the users.
Example Request 2 (without policy name)
ksctl users pwdpolicy get
Example Response
{
"inclusive_min_upper_case": 1,
"inclusive_min_lower_case": 1,
"inclusive_min_digits": 1,
"inclusive_min_other": 0,
"inclusive_min_total_length": 8,
"inclusive_max_total_length": 30,
"password_history_threshold": 0,
"failed_logins_lockout_thresholds": [
0,
0,
30
],
"password_lifetime": 30,
"policy_name": "custom_policy",
"password_change_min_days": 1
}
Changing custom password policies
To change a custom password policy, run:
Example Request
ksctl users pwdpolicy update --policy-name "custom_policy" --minupper 2 --minlower 2 --mindig 2 --minother 2 --minlength 20 --maxlength 20 --lifetime 0 --failed-logins-lockout-thresholds "[0,5,30]" --history 10 --pwdchngdays 30
Example Response
{
"inclusive_min_upper_case": 2,
"inclusive_min_lower_case": 2,
"inclusive_min_digits": 2,
"inclusive_min_other": 2,
"inclusive_min_total_length": 20,
"inclusive_max_total_length": 20,
"password_history_threshold": 10,
"failed_logins_lockout_thresholds": [
0,
5,
30
],
"password_lifetime": 0,
"policy_name": "custom_policy",
"password_change_min_days": 30
}
Deleting custom password policies
To delete a custom password policy, run:
Example Request
ksctl users pwdpolicy delete --policy-name custom_policy
There is no response if the policy is deleted successfully.
Getting list of all password policies
To list all the password policies, run:
Example Request
ksctl users pwdpolicy list
Example Response
{
"skip": 0,
"limit": 10,
"total": 2,
"resources": [
{
"inclusive_min_upper_case": 1,
"inclusive_min_lower_case": 1,
"inclusive_min_digits": 1,
"inclusive_min_other": 0,
"inclusive_min_total_length": 8,
"inclusive_max_total_length": 30,
"password_history_threshold": 0,
"failed_logins_lockout_thresholds": [
0,
0,
30
],
"password_lifetime": 30,
"policy_name": "custom_policy",
"password_change_min_days": 1
},
{
"inclusive_min_upper_case": 1,
"inclusive_min_lower_case": 1,
"inclusive_min_digits": 1,
"inclusive_min_other": 1,
"inclusive_min_total_length": 8,
"inclusive_max_total_length": 30,
"password_history_threshold": 5,
"failed_logins_lockout_thresholds": [
0,
0,
0,
0,
1
],
"password_lifetime": 0,
"policy_name": "global",
"password_change_min_days": 0
}
]
}