Password Policy
This guide provides instructions on how to configure and enforce password complexity and password rotation policies.
Regardless of whether the password policy is enabled, no password can be an empty string or null. |
Password complexity rules
TigerGraph enables administrators to set rules for the structure of password strings, to increase security:
-
Set the minimum password length (between 1 and 128 characters)
-
Require at least one uppercase character
-
Require at least one lowercase character
-
Require at least one Digit
-
Require at least 1 special character:
!
,"
,#
,$
,%
,&
,'
,(
,)
,*
,+
,,
,-
,.
,/
,:
,;
,<
,=
,>
,?
,@
,[
,]
,^
,_
,`
,{
,|
,}
,~
Password rotation rules
There are also rules for how long a password may be used before it must be changed:
-
How long the password remains valid after it has been updated
-
The minimum number of unique passwords required before a previously used password can be reused
Enable/Disable password policy
When the password policy is enabled, passwords that do not meet the policy requirements cannot be used for creating or altering user passwords.
Enabling the password policy does not prevent existing users with passwords that do not meet the requirements from logging in.
To enable the password policy, run the following commands:
$ gadmin config set Security.UserPasswordPolicy.Enable true (1)
$ gadmin config set Security.ACLPasswordPolicy.Enable true (2)
$ gadmin config apply
$ gadmin restart gsql
1 | Setting Security.UserPasswordPolicy.Enable to true applies the password policy to passwords for TigerGraph database users. |
2 | Setting Security.ACLPasswordPolicy.Enable to true applies the password policy to ACL passwords. |
If the password policy is disabled, a user can set their password without following these rules.
To disable the password policy, run the following commands:
$ gadmin config set Security.UserPasswordPolicy.Enable false
$ gadmin config apply
$ gadmin restart gsql
Configure password rules
To configure the complexity rules, use the 'gadmin config' command to set the desired values. Here are the configuration about the complexity rules.
Policy rule | Description | Default | Value Range |
---|---|---|---|
|
Enable/disable the password policy |
false |
true/false |
|
Min length |
8 |
[1,128] |
|
Require at Least One Uppercase Character |
true |
true/false |
|
Require at Least One Lowercase Character |
true |
true/false |
|
Require at Least One Digit |
true |
true/false |
|
Require at Least One special character . |
true |
true/false |
|
How long the password remains valid after it has been updated |
90 |
[1, 2147483647] |
|
What is the minimum number of unique passwords required before a previously used password can be reused |
5 |
[1, 20] |
Here are examples of password policy configuration:
$ gadmin config set Security.UserPasswordPolicy.PasswordReuseThreshold 2
$ gadmin config set Security.UserPasswordPolicy.MinLength 8
$ gadmin config set Security.UserPasswordPolicy.UppercaseLetterRequired true
$ gadmin config set Security.UserPasswordPolicy.LowercaseLetterRequired true
$ gadmin config set Security.UserPasswordPolicy.DigitRequired true
$ gadmin config set Security.UserPasswordPolicy.SpecialCharacterRequired true
$ gadmin config set Security.UserPasswordPolicy.ExpirationDay 2
$ gadmin config set Security.UserPasswordPolicy.PasswordReuseThreshold 2
$ gadmin config apply
$ gadmin restart gsql
Based on the above configuration, here are some usage examples:
Case 1: Password does not meet policy requirements
-
Attempt to set the password to
"abc!1234"
, which doesn’t follow the policySecurity.UserPasswordPolicy.UppercaseLetterRequired
because this configured value is true.
Case 2: The minimum number of unique passwords required before a previously used password can be reused not reached
-
The
Security.UserPasswordPolicy.PasswordReuseThreshold
is configured as 2. If the user first sets the password to "Xiaoming@1001" and then changes it to "Xiaoming@1002", these two operations will be successful as they follow the policy. However, if the password is changed back to "Xiaoming@1001", it will fail because it doesn’t follow the policy. Since after setting the password to "Xiaoming@1001", there is only 1 change (from "Xiaoming@1001" to "Xiaoming@1002").
Case 3: Password expiration is approaching
-
The value of
Security.UserPasswordPolicy.ExpirationDay
is 2, which is less than 7. A warning message will be displayed if the user logs in from the gsql client or graph studio.
Case 4: Password has expired
-
If the password "Xiaoming@1001" was created 4 days ago, which is greater than
Security.UserPasswordPolicy.ExpirationDay
which is 2, so the user’s password has expired.
How to set a new password after the old one has expired
If the password has expired, the user must change the password using the command
gsql -u <username> -p <password> [--targetuser <target_username>] --changepassword <new_password>
or change the password in GraphStudio first, otherwise any operation which requires password authorization will be blocked.