Password policies

Data cataloging 2.0.2.1 introduces password policies for the local users who are configured in the default authentication domain.

The password policies apply to all local user accounts and strengthen their security.

Note:

Data cataloging does not enforce password policies for user accounts that are imported into the Data cataloging authentication scheme. This applies to all user accounts imported from external domains, such as LDAP or IBM® Cloud Object Store, that are configured with Data cataloging. Any password policies that are configured for these external authentication providers (LDAP/IBM Cloud Object Store) apply to the corresponding users from those authentication domains.

Password policies

Data cataloging local users must follow the password policies that are defined in the 2.0.2.1 release.

Password strength requirements
  • Passwords must have a minimum length of seven characters.
  • Passwords must contain at least one letter.
  • Passwords must contain at least one digit.
Unique password history requirements
  • Users must create a unique password each time the password is changed. The new password cannot be any of the last five passwords previously used.
Password expiration requirements
  • A user's password expires 90 days after it is changed.
Password change requirements

Data cataloging users with Admin roles (like the sdadmin user) can create a new user or reset the password of an existing user. However, this password expires when the user logs in for the first time and must be changed immediately.

Account lockout requirements

A user account is locked out for 1 hour after five successive failed login attempts.

Password upgrade for existing users
Data cataloging deployments that are upgraded from versions earlier than 2.0.2.1 apply the new password policies to local user accounts. Existing user accounts are affected in the following ways:
  • Existing users can continue to use their current passwords to log in to the system.
  • Passwords for existing user accounts expire only in the following situations:
    • Passwords expire when users change their password. In this scenario, the new password will expire after 90 days.
    • Passwords expire when the administrative user resets the user password. In this scenario, the updated password expires immediately after the first login and the user must create a new unique password.
  • When the user password is changed, the following password policies are enforced:
    • Password strength requirements
    • Unique Password history requirements - This policy restricts users from reusing any of the last five passwords.
  • On completing the product upgrade, the account lockout requirements policy is immediately enforced for all local users, including all existing users.
Note: To apply all the password policies to the local user accounts after an upgrade to 2.0.2.1 or a later release, follow these recommendations:
  • The Admin user resets the passwords of all existing local user accounts and communicates the new password to the respective users.
  • All local users use the UI or the password change REST API to change their passwords. For more information, see Changing password and POST /auth/v1/users/<user_ID>/password in Data Cataloging: REST API Guide.
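The following Python model, added here as an illustration and not Data cataloging's own code, implements the rules from the "Password policies" section (strength, five-password history, 90-day expiry, admin-set passwords expiring at first login, one-hour lockout after five failures) together with the upgrade behaviour described above (pre-upgrade passwords keep working with no expiry until changed, while lockout applies at once). The class and function names, the salted PBKDF2 history hashing, and the reading of "last five passwords" as including the current one are all assumptions of this example; the numeric limits are the ones stated on the page.

```python
"""Reference model of the local-user password policy described above.
Added illustration only; names and hashing scheme are assumptions, the limits
(7 chars, letter + digit, last 5, 90 days, 5 failures / 1 hour) are from the page."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LENGTH = 7
HISTORY_DEPTH = 5            # assumed to include the current password
EXPIRY_DAYS = 90
LOCKOUT_THRESHOLD = 5
LOCKOUT_DURATION = timedelta(hours=1)
PBKDF2_ROUNDS = 20_000       # kept low for the illustration


def check_strength(password: str) -> List[str]:
    """Return the strength rules the password violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history never stores plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class LocalAccount:
    name: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: Optional[bytes] = None
    history: List[bytes] = field(default_factory=list)   # oldest first, newest last
    expires_at: Optional[datetime] = None    # None = no expiry (pre-upgrade password)
    must_change: bool = False                # admin-set password: change at first login
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

    def _matches(self, password: str, digest: bytes) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), digest)

    def set_password(self, new: str, now: datetime, by_admin: bool = False) -> None:
        """Enforce strength and history rules, then rotate the password."""
        problems = check_strength(new)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        if any(self._matches(new, h) for h in self.history[-HISTORY_DEPTH:]):
            raise ValueError(f"password matches one of the last {HISTORY_DEPTH}")
        self.current = _hash(new, self.salt)
        self.history = (self.history + [self.current])[-HISTORY_DEPTH:]
        self.must_change = by_admin
        # Admin resets expire at first login; user changes get the 90-day window.
        self.expires_at = now if by_admin else now + timedelta(days=EXPIRY_DAYS)

    def login(self, password: str, now: datetime) -> str:
        """Return 'ok', 'ok-change-required', 'locked' or 'denied'."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if self.current is None or not self._matches(password, self.current):
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked_until = now + LOCKOUT_DURATION
                self.failed_attempts = 0
            return "denied"
        self.failed_attempts = 0
        self.locked_until = None
        expired = self.expires_at is not None and now >= self.expires_at
        return "ok-change-required" if (self.must_change or expired) else "ok"


def legacy_account(name: str, password: str) -> LocalAccount:
    """Account that existed before the upgrade: its password keeps working with
    no expiry until changed, but lockout and (on change) the other rules apply."""
    acct = LocalAccount(name)
    acct.current = _hash(password, acct.salt)
    acct.history = [acct.current]
    return acct
```

The history check hashes the candidate against each stored digest with the account's salt, so reuse detection works without ever keeping old passwords in clear; a production system would use a dedicated password hasher with a per-entry salt rather than the single-salt PBKDF2 shown here.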