Password content controls
For your database user accounts, you can specify requirements such as length and character formats to ensure that your users select passwords that meet your security policies. The system calculates and enforces the strength of a password by using a credit-based algorithm that evaluates the complexity of the characters that are used in the password and its length.
To set the content requirements for passwords, use the SET SYSTEM DEFAULT SQL command as follows:
SYSTEM.ADMIN(ADMIN)=> SET SYSTEM DEFAULT PASSWORDPOLICY TO conf;
SET VARIABLE
The conf value is a string of parameters that specify the content requirements and restrictions:
- minlen: Specifies the minimum length in characters (after any credits are deducted) for a password. The default is the minimum value of 6; that is, even with credits, you cannot specify a password that is shorter than six characters. If you specify 10, for example, a user must specify at least nine lowercase characters (with the lowercase letter default credit of 1) to meet the minimum length criteria.
  Note: There is a relationship between the minimum length of a password and its strength (that is, the use of mixed-case letters, digits, and non-alphanumeric characters that increase the complexity of the password string). A password that contains only lowercase letters is considered weak, and its minimum length is minlen. If the user includes uppercase and lowercase letters, digits, and symbols, the minlen requirement can be reduced by credits for the number and type of those additional characters. You can also use the credit values to require a minimum number of characters of a given type in the password.
- dcredit: Specifies the maximum credit for including digits in the password. The default is one credit; if you specify a credit of 3, for example, the user receives one credit per digit, up to the maximum of three credits, to reduce the minlen requirement. If you specify a negative value such as -2, your users must specify at least two digits in their password.
- ucredit: Specifies the maximum credit for including uppercase letters in the password. The default is one credit; if you specify a credit of 2, for example, the user receives one credit per uppercase letter, up to the maximum of two credits, to reduce the minlen requirement. If you specify a negative value such as -1, your users must specify at least one uppercase letter in their password.
- lcredit: Specifies the maximum credit for including lowercase letters in the password. The default is one credit; if you specify a credit of 2, for example, the user receives one credit per lowercase letter, up to the maximum of two credits, to reduce the minlen requirement. If you specify a negative value such as -1, your users must specify at least one lowercase letter in their password.
- ocredit: Specifies the maximum credit for including non-alphanumeric characters (often referred to as symbols, such as #, &, or *) in the password. The default is one credit; if you specify a credit of 1, for example, the user receives one credit per non-alphanumeric character, up to the maximum of one credit, to reduce the minlen requirement. If you specify a negative value such as -2, your users must specify at least two non-alphanumeric characters in their password.
For example, the following command specifies that the minimum length of a weak password is 10, and that it must contain at least one uppercase letter. The presence of at least one symbol or digit allows for a credit of 1 each to reduce the minimum length of the password:
SYSTEM.ADMIN(ADMIN)=> SET SYSTEM DEFAULT PASSWORDPOLICY TO 'minlen=10, lcredit=0 ucredit=-1 dcredit=-1 ocredit=1';
SET VARIABLE
As another example, the following command specifies that the minimum length of a weak password is 8, that it must contain at least two digits and one symbol, and that lowercase characters offer no credit to reduce the minimum password length:
SYSTEM.ADMIN(ADMIN)=> SET SYSTEM DEFAULT PASSWORDPOLICY TO 'minlen=8, lcredit=0 dcredit=-2 ocredit=-1';
SET VARIABLE
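As an added worked example (not part of the original documentation and not the product's own implementation), the following Python model applies the credit rules described above to candidate passwords, using the parameter list and both example policy strings from this page. It assumes that a negative credit value is a required minimum count for that character class and grants no credit, that any character other than an ASCII letter or digit counts as non-alphanumeric, that either spaces or commas may separate the parameters (the page shows both), and that the six-character floor applies regardless of credits, as the page states. The sample passwords are constructed for illustration.

```python
import re
import string

# Defaults as the page describes them: minlen 6 and one credit per character class.
DEFAULT_POLICY = {"minlen": 6, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
HARD_MINIMUM = 6  # even with credits, a password can never be shorter than this
CLASS_NAMES = {
    "dcredit": "digits",
    "ucredit": "uppercase letters",
    "lcredit": "lowercase letters",
    "ocredit": "non-alphanumeric characters",
}


def parse_policy(conf: str) -> dict:
    """Parse a PASSWORDPOLICY conf string such as 'minlen=10 lcredit=0 ucredit=-1'.

    Space and comma separators are both accepted (assumption: the page shows both);
    any parameter that is not given keeps its documented default.
    """
    policy = dict(DEFAULT_POLICY)
    for token in re.split(r"[\s,]+", conf.strip()):
        if not token:
            continue
        key, sep, value = token.partition("=")
        if not sep or key not in policy:
            raise ValueError(f"unknown or malformed policy parameter: {token!r}")
        policy[key] = int(value)
    return policy


def count_classes(password: str) -> dict:
    """Count characters per class. Assumption: anything that is not an ASCII
    letter or digit is treated as a non-alphanumeric (symbol) character."""
    counts = {key: 0 for key in CLASS_NAMES}
    for ch in password:
        if ch in string.digits:
            counts["dcredit"] += 1
        elif ch in string.ascii_uppercase:
            counts["ucredit"] += 1
        elif ch in string.ascii_lowercase:
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def check_password(password: str, policy: dict) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    counts = count_classes(password)
    problems = []
    credits = 0
    for key in CLASS_NAMES:
        setting = policy[key]
        if setting < 0:
            # Assumption: a negative setting is a required minimum for that class
            # and grants no credit toward minlen.
            if counts[key] < -setting:
                problems.append(
                    f"needs at least {-setting} {CLASS_NAMES[key]}, found {counts[key]}")
        else:
            # One credit per character of the class, capped at the configured maximum.
            credits += min(counts[key], setting)
    if len(password) < HARD_MINIMUM:
        problems.append(f"length {len(password)} is below the absolute minimum of {HARD_MINIMUM}")
    if len(password) + credits < policy["minlen"]:
        problems.append(
            f"length {len(password)} plus {credits} credit(s) is below minlen {policy['minlen']}")
    return problems


if __name__ == "__main__":
    # The page's first example policy, evaluated against constructed sample passwords.
    policy = parse_policy("minlen=10, lcredit=0 ucredit=-1 dcredit=-1 ocredit=1")
    for candidate in ("Password1!", "password1!", "Passwor1!"):
        verdict = check_password(candidate, policy)
        print(candidate, "accepted" if not verdict else "; ".join(verdict))
```

Under the first example policy, "Passwor1!" is only nine characters long but is accepted because its one symbol earns a credit (ocredit=1) that lifts the effective length to 10, while "password1!" is rejected because ucredit=-1 requires an uppercase letter. Under the second example policy, "Abcd12#" passes with seven characters because the default ucredit of 1 still applies, whereas "abc12#" meets the digit and symbol minimums but has no credit to bring it up to minlen=8.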