Help Center > > Developer Guide> Database Security Management> Setting Account Security Policies> Setting Password Security Policy

Setting Password Security Policy

Updated at: Mar 13, 2020 GMT+08:00

User passwords are stored in the system catalog pg_authid. To prevent password leakage, DWS encrypts and stores the user passwords. In addition, the password security policy is restricted.

  • Password complexity

    The password complexity requirements are as follows:

    • Minimum number of uppercase letters (A-Z) (password_min_uppercase)
    • Minimum number of lowercase letters (a-z) (password_min_uppercase)
    • Minimum number of digits (0-9) (password_min_digital)
    • Minimum number of special characters (password_min_special) (Table 1 lists special characters.)
    • Minimum password length (password_min_length)
    • Maximum password length (password_max_length)
    • A password must contain at least three types of the preceding characters (uppercase letters, lowercase letters, digits, and special characters).
    • A password must differ from the username or the username spelled backward.
    • A new password must be different from the current password or the current password in reverse order.
  • Password reuse

    When a user changes the password, the user can reuse a password only if it has not been used for over 60 days.

  • Password validity period

    A validity period (90 days by default) is set for each database user password. If the password is about to expire (in seven days), the system displays a message reminding the user to change it upon login.

    Considering the usage and service continuity of a database, the database still allows a user to log in after the password expires. A password change notification is displayed every time the user logs in to the database until the password is changed.

  • Password change
    • During database installation, an OS user with the same name as the initial user is created. The password of the OS user needs to be periodically changed for account security.
      If the password of the user user1 needs to be changed, run the following command:
      passwd user1

      Change the password as prompted.

    • System administrators and common users need to periodically change their passwords to prevent the accounts from being stolen.

      For example, to change the password of the user user1, connect to the database as the administrator and run the following command:

      1
      ALTER USER user1 IDENTIFIED BY "1234@abc" REPLACE "5678@def";
      

      1234@abc and 5678@def represent the new password and the original password of the user user1, respectively. If the new password does not have the required complexity, the change will not take effect.

    • An administrator can change its own password and other accounts' passwords. If common users forget their passwords, they can ask administrators to change the passwords.

      To change the password of user joe, run the following command:

      1
      ALTER USER joe IDENTIFIED BY "abc@1234";
      
    • System administrators are not allowed to change passwords for each other.
    • A database administrator can change the password of a common user without being required to provide the common user's old password.
    • When a system administrator changes its own password, its original password is required.
  • Password verification

    Password verification is required when you set the user or role in the current session. If the entered password is inconsistent with the stored password of the user, an error is reported.

    If user joe needs to be set, run the following command:

    1
    SET ROLE joe PASSWORD "abc@1234";
    

    If the following information is displayed, the role setting has been modified:

    SET ROLE
Table 1 Special characters

No.

Character

No.

Character

No.

Character

No.

Character

1

~

9

*

17

|

25

<

2

!

10

(

18

[

26

.

3

@

11

)

19

{

27

>

4

#

12

-

20

}

28

/

5

$

13

_

21

]

29

?

6

%

14

=

22

;

-

-

7

^

15

+

23

:

-

-

8

&

16

\

24

,

-

-

Did you find this page helpful?

Submit successfully!

Thank you for your feedback. Your feedback helps make our documentation better.

Failed to submit the feedback. Please try again later.

Which of the following issues have you encountered?







Please complete at least one feedback item.

Content most length 200 character

Content is empty.

OK Cancel