CipherTrust Manager Administration

Password Policy

There is one universal password policy that applies to all users. You can configure the password policy using the API playground or the CLI.

This section reviews the password policies and provides CLI examples. For details on each policy, review the online "CLI Documentation".

Changing allowed password length and characters

These are the password policy settings that define the allowed password length and characters:

  • Default: Minimum length: 8

  • Default: Maximum length: 30

  • Default: Minimum number of upper-case letters: 1

  • Default: Minimum number of lower-case letters: 1

  • Default: Minimum number of digits: 1

  • Default: Minimum number of other characters (neither letters nor digits): 1

To set the entire password policy

You can set the entire password policy. See the "CLI Documentation" for details on each parameter.

-t, --minlength    minimum length of the password
-z, --maxlength    maximum length of the password
-m, --minupper     minimum number of upper case letters
-w, --minlower     minimum number of lower case letters
-d, --mindig       minimum number of digits
-o, --minother     minimum number of other characters

To set the allowed password length and characters in one command:

$ ksctl users pwdpolicy update --minlength 8 --maxlength 30 --minupper 1 --minlower 1 --minother 1 --mindig 1

To update a single aspect of the password policy:

$ ksctl users pwdpolicy update --maxlength 100

Changing Password Expiration

User passwords can be set to expire after the configured number of days from the last password change.

Default: Password lifetime: 0 (password never expires)

To set the password to expire in 30 days:

-L, --lifetime     maximum lifetime of the user password, in days

$ ksctl users pwdpolicy update --lifetime 30

To set the password to never expire:

$ ksctl users pwdpolicy update --lifetime 0

Changing user account lockout thresholds

A user's account can be temporarily locked out for a specified duration after a specified number of failed authentication attempts. Lockout applies only to local user accounts; it does not apply to LDAP users.

Default: disabled (no lockout)

To set the user account lockout thresholds:

-f, --failed-logins-lockout-thresholds    list of lockout durations, in minutes, applied after successive failed login attempts

In this example, the value [0, 5, 30] means that the first failed login attempt, with a lockout duration of zero, does not lock the user account. The second failed login attempt locks the account for 5 minutes. The third and every subsequent failed login attempt locks the account for 30 minutes.

$ ksctl users pwdpolicy update -f "[0, 5, 30]"

If you set these thresholds while a user is locked out, the active lockout period must complete before the new thresholds are applied to that user's authentication attempts.

To disable user account lockout

To disable user account lockout, set an empty array '[]'.

$ ksctl users pwdpolicy update -f "[]"

Unlocking a user account

A user account that has been locked due to failed login attempts can be unlocked by an Application Administrator.

To unlock a user account:

$ ksctl users modify --id "local|c9161a90-0838-469b-87e9-726d8c539f3f" -u

Changing the password history

The CipherTrust Manager retains the user's password history to prevent users from reusing their passwords.

Default: Password History: 5.

  • The minimum value for history is '0'. This value prevents the users from reusing their current password.

  • With the default value of 5, the user is prevented from reusing their current password and 4 previous passwords.

  • The maximum value for password history is 10.

-b, --history      number of past passwords saved; this sets how soon old passwords can be reused

To set the password history to the value 7, issue this command:

$ ksctl users pwdpolicy update --history 7
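The lockout-threshold and password-history rules described above are easy to misread when tuning a policy. The following Python model, an added example that is not CipherTrust Manager or ksctl code, implements the semantics exactly as this page states them (thresholds [0, 5, 30], history N blocking the current password plus N-1 previous ones, and the default length and character-class rules) so an administrator can reason about a candidate policy before applying it; all function names and sample passwords are constructed for the example.

```python
"""Model of the password-policy semantics described on this page.
Constructed example; not CipherTrust Manager code."""


def lockout_minutes(thresholds, failed_attempts):
    """Lockout duration (minutes) after the Nth consecutive failed login (1-based).

    thresholds=[0, 5, 30]: 1st failure -> 0, 2nd -> 5, 3rd and later -> 30.
    An empty list, as set with -f "[]", disables lockout entirely.
    """
    if not thresholds or failed_attempts < 1:
        return 0
    # Attempts beyond the end of the list reuse the last (largest) duration.
    index = min(failed_attempts, len(thresholds)) - 1
    return thresholds[index]


def password_meets_policy(pw, minlength=8, maxlength=30, minupper=1,
                          minlower=1, mindig=1, minother=1):
    """Check the length and character-class rules (defaults match the page)."""
    if not minlength <= len(pw) <= maxlength:
        return False
    upper = sum(c.isupper() for c in pw)
    lower = sum(c.islower() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    other = len(pw) - upper - lower - digits  # anything that is not a letter or digit
    return (upper >= minupper and lower >= minlower
            and digits >= mindig and other >= minother)


def reuse_blocked(new_pw, current_pw, previous_pws, history=5):
    """History rule: value N blocks the current password plus the N-1 most
    recent previous passwords; value 0 blocks only the current password.

    previous_pws is ordered most recent first. Plain strings are compared here
    for illustration; a real system compares against stored password hashes.
    """
    blocked = [current_pw] + previous_pws[:max(history - 1, 0)]
    return new_pw in blocked
```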