Password Policy

Databend includes a password policy to strengthen system security and make user account management smoother. This policy sets rules for creating or changing passwords, covering aspects like length, types of characters, age restrictions, retry limits, lockout durations, and password history. When creating a password policy, you can customize specific rules to suit your needs. For a detailed list of the password policy factors, see Password Policy Attributes.

How Password Policy Works

In Databend, SQL users don't initially have a predefined password policy. This means there are no specific rules to follow when setting or changing a password for a user until a password policy is assigned to them. To assign a password policy, you can either create a new user with a password policy using the CREATE USER command or link an existing user to a password policy using the ALTER USER command. Note that the password policy does not apply to admin users configured through the databend-query.toml configuration file.

When you set or change the password for a user with a password policy, Databend checks that the chosen password follows the rules defined by that policy.

note

Generally, users cannot change their own passwords unless they are assigned the built-in role account-admin. An account-admin user can set or change passwords for all users. To change the password for a user, use the ALTER USER command.

The following aspects are verified:

  • Complexity Requirements:

    • Minimum and Maximum Length: Validates password length within defined boundaries.
    • Uppercase, Lowercase, Numeric, and Special Characters: Confirms adherence to specific character type requirements.
  • Additional Checks during Password Change:

    • Minimum Age Requirement: Ensures passwords are not changed too frequently.
    • History Check: Verifies that new passwords do not replicate recent ones.

When a user attempts to log in with a password policy in place, Databend performs essential checks to enhance security and regulate user access. The following verifications take place:

  • Consecutive Incorrect Password Attempts:

    • Ensures limits on consecutive incorrect password attempts are not exceeded.
    • Exceeding limits results in a temporary lock on user login.
  • Maximum Age Requirement:

    • Checks if the maximum password change interval has been exceeded.
    • If the interval is exceeded, the user is restricted from logging in until the password is changed.
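The following Python model walks through the checks described above in the order the page gives them: complexity on set or change, MIN_AGE_DAYS and HISTORY on change, and MAX_RETRIES / LOCKOUT_TIME_MINS and MAX_AGE_DAYS at login. It is an added illustration written for this page, not Databend's own code: the attribute names and default values are taken from the SHOW PASSWORD POLICIES output in the usage example below, while the definition of a "special" character (ASCII punctuation), the meaning of HISTORY=n (the new password must differ from the n most recent passwords, the current one included), the UserState bookkeeping and the user 'eric' with his sample passwords are assumptions constructed for the model.

```python
"""Model of the checks a Databend password policy applies (added illustration, not Databend code)."""
import hashlib
import hmac
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Policy attributes; defaults are the values SHOW PASSWORD POLICIES reports for a policy created without options."""
    min_length: int = 8
    max_length: int = 256
    min_upper_case_chars: int = 1
    min_lower_case_chars: int = 1
    min_numeric_chars: int = 1
    min_special_chars: int = 0
    min_age_days: int = 0
    max_age_days: int = 90
    max_retries: int = 5
    lockout_time_mins: int = 15
    history: int = 0


@dataclass
class UserState:
    """Per-user bookkeeping the checks need (constructed for this model)."""
    password_hash: str
    password_set_at: datetime
    previous_hashes: List[str] = field(default_factory=list)  # most recent first
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def _digest(password: str) -> str:
    # Illustrative only: a real credential store uses a salted, slow password hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def complexity_violations(policy: PasswordPolicy, password: str) -> List[str]:
    """Length and character-class checks, run whenever a password is set or changed."""
    errors = []
    if len(password) < policy.min_length:
        errors.append(f"shorter than MIN_LENGTH={policy.min_length}")
    if len(password) > policy.max_length:
        errors.append(f"longer than MAX_LENGTH={policy.max_length}")
    # "Special" is taken as ASCII punctuation; that is an assumption of this model.
    classes = [
        ("MIN_UPPER_CASE_CHARS", policy.min_upper_case_chars, str.isupper),
        ("MIN_LOWER_CASE_CHARS", policy.min_lower_case_chars, str.islower),
        ("MIN_NUMERIC_CHARS", policy.min_numeric_chars, str.isdigit),
        ("MIN_SPECIAL_CHARS", policy.min_special_chars, lambda c: c in string.punctuation),
    ]
    for name, minimum, is_member in classes:
        if sum(1 for c in password if is_member(c)) < minimum:
            errors.append(f"fewer than {name}={minimum}")
    return errors


def change_password(policy: PasswordPolicy, user: UserState, new_password: str, now: datetime) -> List[str]:
    """Password-change checks: complexity, MIN_AGE_DAYS and HISTORY. Applies the change only if all pass."""
    errors = complexity_violations(policy, new_password)
    if now - user.password_set_at < timedelta(days=policy.min_age_days):
        errors.append(f"changed before MIN_AGE_DAYS={policy.min_age_days} elapsed")
    # HISTORY=n modelled as "must differ from the n most recent passwords, current one included" (assumption).
    recent = [user.password_hash] + user.previous_hashes
    new_hash = _digest(new_password)
    if policy.history and any(hmac.compare_digest(new_hash, h) for h in recent[:policy.history]):
        errors.append(f"reuses one of the last HISTORY={policy.history} passwords")
    if errors:
        return errors
    user.previous_hashes = recent[:max(policy.history - 1, 0)]
    user.password_hash = new_hash
    user.password_set_at = now
    return []


def login(policy: PasswordPolicy, user: UserState, password: str, now: datetime) -> str:
    """Login checks; returns 'locked', 'bad_password', 'password_expired' or 'ok'."""
    if user.locked_until is not None and now < user.locked_until:
        return "locked"
    if not hmac.compare_digest(_digest(password), user.password_hash):
        user.failed_attempts += 1
        if user.failed_attempts >= policy.max_retries:  # MAX_RETRIES consecutive failures
            user.locked_until = now + timedelta(minutes=policy.lockout_time_mins)
            user.failed_attempts = 0
        return "bad_password"
    user.failed_attempts = 0  # a correct password resets the consecutive-failure counter
    if now - user.password_set_at > timedelta(days=policy.max_age_days):
        return "password_expired"  # must change the password before being let in
    return "ok"


def demo() -> dict:
    """Walk the checks with the DBA attribute values from the usage example; returns each outcome."""
    dba = PasswordPolicy(12, 18, 2, 2, 2, 1, 1, 30, 3, 30, 5)  # positional, in declaration order
    t0 = datetime(2024, 1, 1, 9, 0)
    eric = UserState(password_hash=_digest("AAbb11!xyzqw"), password_set_at=t0)  # constructed user
    out = {"dba_fail": complexity_violations(dba, "Abc12345")}  # satisfies the defaults, not DBA
    out["attempts"] = [login(dba, eric, "wrong", t0 + timedelta(seconds=i)) for i in range(4)]
    out["after_lockout"] = login(dba, eric, "AAbb11!xyzqw", t0 + timedelta(minutes=31))
    out["too_soon"] = change_password(dba, eric, "BBcc22!xyzqw", t0 + timedelta(hours=12))
    out["rotated"] = change_password(dba, eric, "BBcc22!xyzqw", t0 + timedelta(days=2))
    out["reuse"] = change_password(dba, eric, "AAbb11!xyzqw", t0 + timedelta(days=4))
    out["expired"] = login(dba, eric, "BBcc22!xyzqw", t0 + timedelta(days=33))
    return out
```

Running demo() shows the fourth wrong attempt answered with "locked" rather than "bad_password" (the lockout starts after the third failure under MAX_RETRIES=3), a login 31 minutes later succeeding, a change 12 hours after the last one rejected by MIN_AGE_DAYS=1, a later reuse of the old password rejected by HISTORY=5, and a correct password refused with "password_expired" 31 days after it was set under MAX_AGE_DAYS=30. The order of the login checks matters: the lockout is evaluated before the password is compared, so a locked account gives no signal about whether the supplied password was right.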

Managing Password Policies

Databend offers a range of commands for managing password policies. For more details, see Password Policy.

Usage Examples

This example creates the following password policies and applies them to users:

  • DBA for admin users: Customizes every password policy attribute strictly.
  • ReadOnlyUser for general users: Uses the default attribute values.

-- Create the 'DBA' password policy with customized attribute values
CREATE PASSWORD POLICY DBA
PASSWORD_MIN_LENGTH = 12
PASSWORD_MAX_LENGTH = 18
PASSWORD_MIN_UPPER_CASE_CHARS = 2
PASSWORD_MIN_LOWER_CASE_CHARS = 2
PASSWORD_MIN_NUMERIC_CHARS = 2
PASSWORD_MIN_SPECIAL_CHARS = 1
PASSWORD_MIN_AGE_DAYS = 1
PASSWORD_MAX_AGE_DAYS = 30
PASSWORD_MAX_RETRIES = 3
PASSWORD_LOCKOUT_TIME_MINS = 30
PASSWORD_HISTORY = 5;

-- Create the 'ReadOnlyUser' password policy with default values for all attributes
CREATE PASSWORD POLICY ReadOnlyUser;

SHOW PASSWORD POLICIES;

┌──────────────┬─────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ name         │ comment │ options                                                                                                                                                                                                 │
├──────────────┼─────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ DBA          │         │ MIN_LENGTH=12, MAX_LENGTH=18, MIN_UPPER_CASE_CHARS=2, MIN_LOWER_CASE_CHARS=2, MIN_NUMERIC_CHARS=2, MIN_SPECIAL_CHARS=1, MIN_AGE_DAYS=1, MAX_AGE_DAYS=30, MAX_RETRIES=3, LOCKOUT_TIME_MINS=30, HISTORY=5 │
│ ReadOnlyUser │         │ MIN_LENGTH=8, MAX_LENGTH=256, MIN_UPPER_CASE_CHARS=1, MIN_LOWER_CASE_CHARS=1, MIN_NUMERIC_CHARS=1, MIN_SPECIAL_CHARS=0, MIN_AGE_DAYS=0, MAX_AGE_DAYS=90, MAX_RETRIES=5, LOCKOUT_TIME_MINS=15, HISTORY=0 │
└──────────────┴─────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

Suppose you already have a DBA user named 'eric'. Apply the DBA password policy to that user using the ALTER USER command:

-- Apply 'DBA' password policy to the user 'eric'
ALTER USER eric WITH SET PASSWORD POLICY = 'DBA';

Now, let's create a new user named 'frank' and apply the 'ReadOnlyUser' password policy using the CREATE USER command:

-- Note: The password set for the user 'frank' must adhere to the constraints
-- defined by the associated 'ReadOnlyUser' password policy.
CREATE USER frank IDENTIFIED BY 'Abc12345'
WITH SET PASSWORD POLICY = 'ReadOnlyUser';