Product Documentation

Database Administrator's Guide

Setting password requirements

To control password requirements, add SUBSYSTEM SECURITY PASSWORD to your ctsrvr.cfg configuration file.

The default values are:

    SUBSYSTEM SECURITY PASSWORD {
        MINIMUM_LENGTH 15
        REQUIRED_CLASSES 0
        EXPIRE_IN_DAYS 0
        BLOCK_OLD_PASSWORD 0
        PASSWORD_HASH ORIGINAL
        PASSWORD_HASH_DIFFICULTY 0
    }

MINIMUM_LENGTH - Enforces a minimum length when setting a new password.

Default: 15

V13.0 and earlier default: 0

Maximum: 1024

REQUIRED_CLASSES - Enforces a minimum number of character classes (lower case, upper case, numbers, and symbols) that a new password must contain.

Default: 0

EXPIRE_IN_DAYS - Passwords expire after this many days. After expiration, login attempts fail with PWDEXP_ERR (1116). The ADMIN account is excluded from password expiration.

Default: 0 (Never expires).

BLOCK_OLD_PASSWORDS - When set to a non-zero number (N), password change attempts that reuse any of the user's N previous passwords fail with error PASSWORD_BLOCKLIST_ERR (1256).

Default: 0 (No check).

PASSWORD_HASH - From V13.0.4 onwards, sets the hash function used when generating new entries in the password database.

Default: ORIGINAL (SHA2-512 hash scheme)

PASSWORD_HASH_DIFFICULTY - From V13.0.4 onwards, sets a scaling factor for PASSWORD_HASH values.

Default: Depends on PASSWORD_HASH value.

Advanced notes

  • This subsystem can be specified in an encrypted server settings file using the ctcfgset utility to prevent these settings from being changed in the configuration file or at runtime.
  • If the minimum length and required classes settings are changed in the configuration file or at runtime, they do not affect existing passwords because only a hash of the password is stored. The time to expiration takes effect immediately even for existing user accounts.
  • When changing subsystem options at runtime (for example, using ctadmn), either the entire subsystem or particular subsystem options might be blocked by having been specified in a settings file. In both cases, the attempt to change the options fails with error SETO_ERR (804), even if some of the subsystem options are not blocked. If SETO_ERR occurs when specifying multiple options at runtime, check CTSTATUS.FCS for a message indicating which options are blocked and try again with just those options that are not blocked.
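
The following audit is an added example, not code from the product or its vendor: it reads the SUBSYSTEM SECURITY PASSWORD block from ctsrvr.cfg text, fills omitted keys with the defaults listed on this page, reports which controls are not enforced, and checks a candidate password against MINIMUM_LENGTH and REQUIRED_CLASSES. Assumptions: one "KEY value" pair per line, both spellings of the old-password key are accepted, length is counted in characters, and any non-alphanumeric character counts as a symbol; the function names and sample configuration are constructed for illustration.

```python
import re

DEFAULTS = {"MINIMUM_LENGTH": 15, "REQUIRED_CLASSES": 0,   # defaults as listed on this page
            "EXPIRE_IN_DAYS": 0, "BLOCK_OLD_PASSWORDS": 0}
BLOCK_RE = re.compile(r"SUBSYSTEM\s+SECURITY\s+PASSWORD\s*\{(.*?)\}", re.S | re.I)

def effective_policy(cfg_text):
    """Numeric policy in effect: page defaults overridden by the subsystem block."""
    policy = dict(DEFAULTS)
    for line in "\n".join(BLOCK_RE.findall(cfg_text)).splitlines():
        parts = line.split()
        if len(parts) != 2:               # assumption: one "KEY value" pair per line
            continue
        key, value = parts[0].upper(), parts[1]
        if key == "BLOCK_OLD_PASSWORD":   # the page shows both spellings
            key = "BLOCK_OLD_PASSWORDS"
        if key in DEFAULTS and value.isdigit():
            policy[key] = int(value)
    return policy

def disabled_controls(policy):
    """Controls whose effective value is 0, i.e. not enforced."""
    return sorted(k for k, v in policy.items() if v == 0)

def character_classes(password):
    """Count classes present; assumption: non-alphanumeric characters are symbols."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)

def check_new_password(password, policy):
    """Reasons a new password would be rejected (length counted in characters)."""
    problems = []
    if len(password) < policy["MINIMUM_LENGTH"]:
        problems.append("shorter than MINIMUM_LENGTH")
    if character_classes(password) < policy["REQUIRED_CLASSES"]:
        problems.append("fewer than REQUIRED_CLASSES character classes")
    return problems

# Constructed sample configuration, not taken from a real server.
SAMPLE_CFG = """
SUBSYSTEM SECURITY PASSWORD {
    MINIMUM_LENGTH 12
    REQUIRED_CLASSES 3
    BLOCK_OLD_PASSWORD 5
}
"""

if __name__ == "__main__":
    print(effective_policy(SAMPLE_CFG), disabled_controls(effective_policy(SAMPLE_CFG)))
```

The check reads only the plain configuration text; a subsystem specified in an encrypted settings file through ctcfgset, as the advanced notes describe, is outside what it sees.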