Skip to content

Password policy

Overview

This document provides guidelines for configuring the password policy in Team Edition. Administrators can define rules for user passwords to enhance security and comply with organizational requirements. These settings, applied globally, ensure passwords meet the specified standards during creation and update processes.

Info

For more details on configuration, see the Team Edition server configuration.

Example configuration

The Password Policy configuration is located under the server.sm section of the main server configuration file.

sm: {
    enableBruteForceProtection: "${CLOUDBEAVER_BRUTE_FORCE_PROTECTION_ENABLED:true}",
    expiredAuthAttemptInfoTtl: "${CLOUDBEAVER_EXPIRED_AUTH_ATTEMPT_INFO_TTL:60}",
    maxFailedLogin: "${CLOUDBEAVER_MAX_FAILED_LOGINS:10}",
    minimumLoginTimeout: "${CLOUDBEAVER_MINIMUM_LOGIN_TIMEOUT:1}",
    blockLoginPeriod: "${CLOUDBEAVER_BLOCK_PERIOD:300}",
    connectionBruteForce: {
        enabled: "${CLOUDBEAVER_CONNECTION_BF_PROTECTION_ENABLED:false}",
        maxFailedConnectAttempts: "${CLOUDBEAVER_CONNECTION_BF_PROTECTION_MAX_ATTEMPTS:5}",
        errorAttemptsPeriodInMinutes: "${CLOUDBEAVER_CONNECTION_BF_PROTECTION_ERROR_ATTEMPTS_PERIOD:1440}"
    },
    passwordPolicy: {
        minLength: "${CLOUDBEAVER_POLICY_MIN_LENGTH:8}",
        requireMixedCase: "${CLOUDBEAVER_POLICY_REQUIRE_MIXED_CASE:true}",
        minNumberCount: "${CLOUDBEAVER_POLICY_MIN_NUMBER_COUNT:1}",
        minSymbolCount: "${CLOUDBEAVER_POLICY_MIN_SYMBOL_COUNT:0}"
    }
}

Configuration properties

Name Environment Variable Description
minLength CLOUDBEAVER_POLICY_MIN_LENGTH Specifies the minimum length requirement for user passwords.
requireMixedCase CLOUDBEAVER_POLICY_REQUIRE_MIXED_CASE Enforces the use of both uppercase and lowercase letters in passwords.
minNumberCount CLOUDBEAVER_POLICY_MIN_NUMBER_COUNT Sets the minimum number of numeric characters required in passwords.
minSymbolCount CLOUDBEAVER_POLICY_MIN_SYMBOL_COUNT Defines the minimum number of special symbols required in passwords.
enableBruteForceProtection CLOUDBEAVER_BRUTE_FORCE_PROTECTION_ENABLED Enables brute force protection for login attempts.
expiredAuthAttemptInfoTtl CLOUDBEAVER_EXPIRED_AUTH_ATTEMPT_INFO_TTL Time-to-live (TTL) for expired authentication attempt information (in minutes).
maxFailedLogin CLOUDBEAVER_MAX_FAILED_LOGINS Maximum number of allowed failed login attempts before blocking access.
minimumLoginTimeout CLOUDBEAVER_MINIMUM_LOGIN_TIMEOUT Minimum timeout duration (in minutes) before the next login attempt.
blockLoginPeriod CLOUDBEAVER_BLOCK_PERIOD Period (in seconds) for which a login is blocked after maximum failed attempts.
connectionBruteForce CLOUDBEAVER_CONNECTION_BF_PROTECTION_ENABLED Enables brute force protection for database connection attempts.
maxFailedConnectAttempts CLOUDBEAVER_CONNECTION_BF_PROTECTION_MAX_ATTEMPTS Number of failed DB connection attempts before blocking the user.
errorAttemptsPeriodInMinutes CLOUDBEAVER_CONNECTION_BF_PROTECTION_ERROR_ATTEMPTS_PERIOD Time window (in minutes) for checking failed connection attempts.

Applying password policy

The configured password policy will be applied during password create and change processes. The Team Edition will check the entered passwords against the defined policy, and users will be prompted to update their passwords if they do not meet the specified requirements.

Brute force protection policy

Team Edition supports two types of brute force protection:

  • Login brute force protection - limits failed login attempts to the Team Edition
  • Connection brute force protection - limits failed database connection attempts through Team Edition.

These policies help prevent unauthorized access by temporarily or permanently blocking users after repeated failures.

Note

This policy also works for the web and desktop clients.

When the policy is enabled and the failed attempts threshold is reached, Team Edition:

  • Disables the user account
  • Ends the user's session in Team Edition
  • Logs the following information in the admin panel:

    • When the user was disabled (date)
    • Who disabled the user (user name)
    • Reason for disabling (connection policy, user provisioning, or manual action).

Info

To make the user active again, the administrator must recheck the Enabled box next to their name in the user list. For details, see Users.

Login brute force protection

This policy controls how Team Edition reacts to multiple failed login attempts.

When enabled, it tracks incorrect passwords during user authentication. After a set number of failures, the user is temporarily blocked and must wait before trying again.

Connection brute force protection

This policy tracks failed attempts to connect to a database through Team Edition.

If a user reaches the allowed number of failed connection attempts (for example, when connecting to Redshift with a wrong password), Team Edition disables their account. The user is logged out, and only an administrator can enable the account again.

Supported databases:

  • PostgreSQL
  • Greenplum
  • CockroachDB
  • Redshift