Password Policy Configuration

Define and implement organization-specific password policies.

You can define customized password rules to strengthen security based on your organization's needs. Configure these rules using either:

  • Kubernetes deployment: Set the global.userManagement.passwordPolicyRules Helm value.

  • Docker deployment: Use the CYBUS_AUTH_PASSWORD_POLICY_RULES environment variable.

If not configured, the default password rule is {"min": 5}, which requires passwords to have a minimum length of five characters without any specific character type requirements.

Configuring Password Rules

Configuring Password Rules (Kubernetes)

  1. Open the values.yaml file.

  2. Set the global.userManagement.passwordPolicyRules Helm value to configure your password rules. For a list of all configuration properties, see Password Parameters.

     global:
         userManagement:
             passwordPolicyRules: '{"min": 10, "upper": 1, "lower": 1, "numeric": 1, "symbol": 1}'

  3. Upgrade your Helm chart to apply the Helm configuration changes. For more information, see Applying Helm configuration changes.

     helm upgrade -n <namespace> <installation-name> <chart> -f values.yaml

  4. Verify your configuration.

    • Check the auth-server logs for any errors.

    • Test the policy by trying to create a new user with a password that does not meet the requirements.

Password Parameters

The CYBUS_AUTH_PASSWORD_POLICY_RULES variable (or the global.userManagement.passwordPolicyRules Helm value) must contain a properly formatted JSON object. The following parameters are available:

| Parameter | Description | Example |
|-----------|-------------|---------|
| min | Minimum total password length | {"min": 8} |
| lower | Minimum number of lowercase letters | {"lower": 2} for at least two lowercase characters like a or b |
| upper | Minimum number of uppercase letters | {"upper": 1} for at least one uppercase character like A or B |
| numeric | Minimum number of numeric digits | {"numeric": 1} for at least one digit like 1 or 2 |
| symbol | Minimum number of special characters | {"symbol": 1} for at least one symbol like $ or # |

  • Parameter values: Each parameter accepts a single integer value.

  • Optional parameters: All parameters are optional in the JSON object.

  • Disabled rules: Setting any value to zero (e.g., {"upper": 0}) disables that specific rule.

  • Character classification: Character classes are evaluated using Unicode Regular Expression category parameters. For details on the exact definition of the character classes, see https://unicode.org/reports/tr18/#General_Category_Property.

Troubleshooting

The environment variable is validated during system startup. If there is a misconfiguration (e.g., JSON syntax error), the auth-server container will fail to start and log an appropriate error message. Check the auth-server container logs for troubleshooting.
