Password Policy

This guide explains how to configure and enforce password complexity and rotation policies to enhance security. Password complexity rules define the structure of passwords, while rotation policies specify how long a password remains valid and the conditions for changing it.

Regardless of whether the password policy is enabled, no password can be an empty string or null.

Password complexity rules

TigerGraph enables administrators to set rules for the structure of password strings, to increase security:

  • Set the minimum password length (between 1 and 128 characters)

  • Require at least one uppercase character

  • Require at least one lowercase character

  • Require at least one Digit

  • Require at least 1 special character: !, ", #, $, %, &, ', (, ), *, +, ,, -, ., /, :, ;, <, =, >, ?, @, [, ], ^, _, `, {, |, }, ~

Password rotation rules

There are also rules for how long a password may be used before it must be changed:

  • How long the password remains valid after it has been updated

  • The minimum number of unique passwords required before a previously used password can be reused

Password expiration warning

When the password is set to expire within the next 7 days, users will receive a warning during login. This feature ensures users have enough time to update their passwords and avoid being locked out of the system.

For example: If your password is set to expire soon, the system will display a warning message like the one below when you log in:

tigergraph@john-doe-bot-20240220063707-0:~$ gsql -p Jodo@9999

Please take the following steps to improve your TG system security:
    * Your password will expire in 2 days. Please change it promptly.

Welcome to TigerGraph.
GSQL >

To maintain security and avoid disruptions, always reset your password promptly after receiving this warning.

Enable/Disable password policy

When the password policy is enabled, passwords that do not meet the policy requirements cannot be used for creating or altering user passwords.

Enabling the password policy does not prevent existing users with passwords that do not meet the requirements from logging in.

To enable the password policy, run the following commands:

$ gadmin config set Security.UserPasswordPolicy.Enable true (1)
$ gadmin config apply
$ gadmin restart gsql
1 Setting Security.UserPasswordPolicy.Enable to true applies the password policy to passwords for TigerGraph database users.

If the password policy is disabled, a user can set their password without following these rules.

To disable the password policy, run the following commands:

$ gadmin config set Security.UserPasswordPolicy.Enable false
$ gadmin config apply
$ gadmin restart gsql

Configure password rules

To configure the complexity rules, use the 'gadmin config' command to set the desired values. Here are the configuration about the complexity rules.

Policy rule Description Default Value Range

Security.UserPasswordPolicy.Enable

Enable/disable the password policy

false

true/false

Security.UserPasswordPolicy.MinLength

Min length

8

[1,128]

Security.UserPasswordPolicy.UppercaseLetterRequired

Require at Least One Uppercase Character

true

true/false

Security.UserPasswordPolicy.LowercaseLetterRequired

Require at Least One Lowercase Character

true

true/false

Security.UserPasswordPolicy.DigitRequired

Require at Least One Digit

true

true/false

Security.UserPasswordPolicy.SpecialCharacterRequired

Require at Least One special character .

true

true/false

Security.UserPasswordPolicy.ExpirationDay

How long the password remains valid after it has been updated

90

[1, 2147483647]

Security.UserPasswordPolicy.PasswordReuseThreshold

What is the minimum number of unique passwords required before a previously used password can be reused

5

[1, 20]

Here are examples of password policy configuration:

$ gadmin config set Security.UserPasswordPolicy.PasswordReuseThreshold 2
$ gadmin config set Security.UserPasswordPolicy.MinLength 8
$ gadmin config set Security.UserPasswordPolicy.UppercaseLetterRequired true
$ gadmin config set Security.UserPasswordPolicy.LowercaseLetterRequired true
$ gadmin config set Security.UserPasswordPolicy.DigitRequired true
$ gadmin config set Security.UserPasswordPolicy.SpecialCharacterRequired true
$ gadmin config set Security.UserPasswordPolicy.ExpirationDay 2
$ gadmin config set Security.UserPasswordPolicy.PasswordReuseThreshold 2
$ gadmin config apply
$ gadmin restart gsql

Based on the above configuration, here are some usage examples:

Case 1: Password does not meet policy requirements

  • Attempt to set the password to "abc!1234", which doesn’t follow the policy Security.UserPasswordPolicy.UppercaseLetterRequired because this configured value is true.

Case 2: The minimum number of unique passwords required before a previously used password can be reused not reached

  • The Security.UserPasswordPolicy.PasswordReuseThreshold is configured as 2. If the user first sets the password to "Xiaoming@1001" and then changes it to "Xiaoming@1002", these two operations will be successful as they follow the policy. However, if the password is changed back to "Xiaoming@1001", it will fail because it doesn’t follow the policy. Since after setting the password to "Xiaoming@1001", there is only 1 change (from "Xiaoming@1001" to "Xiaoming@1002").

Case 3: Password expiration is approaching

  • The value of Security.UserPasswordPolicy.ExpirationDay is 2, which is less than 7. A warning message will be displayed if the user logs in from the gsql client or graph studio.

Case 4: Password has expired

  • If the password "Xiaoming@1001" was created 4 days ago, which is greater than Security.UserPasswordPolicy.ExpirationDay which is 2, so the user’s password has expired.

How to set a new password after the old one has expired

If the password has expired, the user must change the password using the command gsql -u <username> -p <password> [--targetuser <target_username>] --changepassword <new_password> or change the password in GraphStudio first, otherwise any operation which requires password authorization will be blocked.