Password policy
Overview¶
This document provides guidelines for configuring the password policy in CloudBeaver. Administrators can define rules for user passwords to enhance security and comply with organizational requirements. These settings, applied globally, ensure passwords meet the specified standards during creation and update processes.
Info
For more details on configuration, see the CloudBeaver server configuration.
Example configuration¶
The Password Policy configuration is located under the server.sm section of
the main server configuration file.
sm: {
enableBruteForceProtection: "${CLOUDBEAVER_BRUTE_FORCE_PROTECTION_ENABLED:true}",
expiredAuthAttemptInfoTtl: "${CLOUDBEAVER_EXPIRED_AUTH_ATTEMPT_INFO_TTL:60}",
maxFailedLogin: "${CLOUDBEAVER_MAX_FAILED_LOGINS:10}",
minimumLoginTimeout: "${CLOUDBEAVER_MINIMUM_LOGIN_TIMEOUT:1}",
blockLoginPeriod: "${CLOUDBEAVER_BLOCK_PERIOD:300}",
connectionBruteForce: {
enabled: "${CLOUDBEAVER_CONNECTION_BF_PROTECTION_ENABLED:false}",
maxFailedConnectAttempts: "${CLOUDBEAVER_CONNECTION_BF_PROTECTION_MAX_ATTEMPTS:5}",
errorAttemptsPeriodInMinutes: "${CLOUDBEAVER_CONNECTION_BF_PROTECTION_ERROR_ATTEMPTS_PERIOD:1440}",
blockTimeInMinutes: "${CLOUDBEAVER_CONNECTION_BF_BLOCK_PERIOD:60}"
},
passwordPolicy: {
minLength: "${CLOUDBEAVER_POLICY_MIN_LENGTH:8}",
requireMixedCase: "${CLOUDBEAVER_POLICY_REQUIRE_MIXED_CASE:true}",
minNumberCount: "${CLOUDBEAVER_POLICY_MIN_NUMBER_COUNT:1}",
minSymbolCount: "${CLOUDBEAVER_POLICY_MIN_SYMBOL_COUNT:0}"
}
}
Configuration properties¶
| Name | Environment Variable | Description |
|---|---|---|
minLength |
CLOUDBEAVER_POLICY_MIN_LENGTH |
Specifies the minimum length requirement for user passwords. |
requireMixedCase |
CLOUDBEAVER_POLICY_REQUIRE_MIXED_CASE |
Enforces the use of both uppercase and lowercase letters in passwords. |
minNumberCount |
CLOUDBEAVER_POLICY_MIN_NUMBER_COUNT |
Sets the minimum number of numeric characters required in passwords. |
minSymbolCount |
CLOUDBEAVER_POLICY_MIN_SYMBOL_COUNT |
Defines the minimum number of special symbols required in passwords. |
enableBruteForceProtection |
CLOUDBEAVER_BRUTE_FORCE_PROTECTION_ENABLED |
Enables brute force protection for login attempts. |
expiredAuthAttemptInfoTtl |
CLOUDBEAVER_EXPIRED_AUTH_ATTEMPT_INFO_TTL |
Time-to-live (TTL) for expired authentication attempt information (in minutes). |
maxFailedLogin |
CLOUDBEAVER_MAX_FAILED_LOGINS |
Maximum number of allowed failed login attempts before blocking access. |
minimumLoginTimeout |
CLOUDBEAVER_MINIMUM_LOGIN_TIMEOUT |
Minimum timeout duration (in minutes) before the next login attempt. |
blockLoginPeriod |
CLOUDBEAVER_BLOCK_PERIOD |
Period (in seconds) for which a login is blocked after maximum failed attempts. |
connectionBruteForce |
CLOUDBEAVER_CONNECTION_BF_PROTECTION_ENABLED |
Enables brute force protection for database connection attempts. |
maxFailedConnectAttempts |
CLOUDBEAVER_CONNECTION_BF_PROTECTION_MAX_ATTEMPTS |
Number of failed database connection attempts allowed before the connection is temporarily blocked. Applies to non-admin users only. After reaching the limit, the connection is blocked for a timeout period before it can be retried. |
errorAttemptsPeriodInMinutes |
CLOUDBEAVER_CONNECTION_BF_PROTECTION_ERROR_ATTEMPTS_PERIOD |
Time window (in minutes) for checking failed connection attempts. |
blockTimeInMinutes |
CLOUDBEAVER_CONNECTION_BF_BLOCK_PERIOD |
Block duration (in minutes) after exceeding the allowed number of failed connection attempts. |
Applying password policy¶
The configured password policy will be applied during password create and change processes. The CloudBeaver will check the entered passwords against the defined policy, and users will be prompted to update their passwords if they do not meet the specified requirements.
Brute force protection policy¶
CloudBeaver supports two types of brute force protection:
- Login brute force protection - limits failed login attempts to the CloudBeaver
- Connection brute force protection
- limits failed database connection attempts through CloudBeaver
These policies help prevent unauthorized access by temporarily blocking logins or database connections after repeated failures.
When the policy is enabled and the failed attempts threshold is reached, CloudBeaver:
- For login brute force - the user is temporarily blocked and must wait before trying again
- For connection brute force - the database connection is blocked for a timeout period (applies to non-admin users only)
The admin panel logs when the block happened and the reason.
Info
To allow a user to connect again, wait for the timeout to expire or adjust the limits in the configuration.
Login brute force protection¶
This policy controls how CloudBeaver reacts to multiple failed login attempts.
When enabled, it tracks incorrect passwords during user authentication. After a set number of failures, the user is temporarily blocked and must wait before trying again.
Connection brute force protection¶
Note
This feature is available in Enterprise, AWS, and Team editions only.
This policy tracks failed attempts to connect to a database through CloudBeaver.
If a non-admin user reaches the allowed number of failed connection attempts (for example, when connecting to Redshift with a wrong password), CloudBeaver blocks the connection for the configured timeout.
During the block period, the user cannot retry the same connection. After the timeout expires, they can attempt again.
Supported databases:
- Amazon Redshift
- Db2
- Microsoft SQL Server
- MySQL
- Oracle Database
- PostgreSQL