Configuring Password Strength Policy
As of MVMA 9.1.00 the ADMIN_ADMIN security model implements a configurable password strength policy enforced when setting a password while creating or modifying a user account within the Admin Console or when an ordinary MVMA user is requesting to change his password from within the user console.
By default, MVMA enforces a password strength policy requesting passwords to:
- be at least 8 characters wide
- containing at least one lower case letter from 'a' to 'z'
- containing at least one uppercase letter from 'A' to 'Z'
- contain at least one number character from '0' to '9'
- not contain any spaces
To configure the password strength policy:
- backup the configuration file com.bmc.mmadmin.security.securitymanager.properties located in the sub-directory configuration/services of the MVMA installation directory
- edit com.bmc.mmadmin.security.securitymanager.properties
- set the value of the PasswordPolicy key to a regular expression reflecting the required password strength and password matching pattern. Note, that commenting out or removing the PasswordPolicy setting will disable the password strength policy and will result in enforcing only the minimum requirements (i.e. non-empty passwords not containing space characters). BMC recommends not to disable the password strength policy.
- optionally, add a key PasswordPolicyHint setting its value to an appropriate hint displayed to product administrators or users when attempting to implement a user password violating the password strength policy. Note, that this hint may be exposed to others and therefore should meet all relevant security concerns.
PasswordPolicyHint=\nMust be at least 8 characters in mixed case and a number.