Configuring Password Strength Policy


Starting with version 9.1.00 of MVMA, the ADMIN_ADMIN security model implements a configurable password-strength policy. The policy is enforced when a password is set while creating or modifying a user account in the Admin Console, and when an ordinary MVMA user changes their password from the user console.

By default, MVMA enforces the following password-strength rules:

  • At least 8 characters long
  • At least one lowercase letter from a to z
  • At least one uppercase letter from A to Z
  • At least one number character from 0 to 9
  • No spaces

To configure the password strength policy:

  • Back up the com.bmc.mmadmin.security.securitymanager.cfg configuration file located in the sub-directory configuration/services of the MVMA installation directory.
  • Edit com.bmc.mmadmin.security.securitymanager.cfg.
  • Set the value of the PasswordPolicy key to a regular expression reflecting the required password strength and password matching pattern. Commenting out or removing the PasswordPolicy setting disables the password strength policy and results in enforcing only the minimum requirements (that is, non-empty passwords not containing space characters). We recommend not disabling the password-strength policy.
  • Optionally, add a PasswordPolicyHint key and set its value to a hint that is displayed to product administrators or users when they attempt to set a password that violates the password-strength policy.

    Warning

    This hint might be exposed to others, so it should meet all relevant security concerns.

Example

PasswordPolicy=^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=\\S+$).{8,}$
PasswordPolicyHint=\nMust be at least 8 characters in mixed case and a number.
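
The following is an added example, not part of the product or its documentation: a Python check that an edited PasswordPolicy value still accepts and rejects the passwords you expect before the file is deployed. It assumes the .cfg file uses properties-style escaping (a doubled backslash in the file is one backslash in the pattern) and that the pattern is matched against the whole password; the function names and test passwords are constructed for illustration.

```python
import re

# Constructed sample: the two lines from the Example above.
SAMPLE_CFG = r"""
PasswordPolicy=^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=\\S+$).{8,}$
PasswordPolicyHint=\nMust be at least 8 characters in mixed case and a number.
"""

# Constructed test passwords: (candidate, should the policy accept it?)
CASES = [
    ("Abcdefg1", True),
    ("Abcdef1", False),    # only 7 characters
    ("abcdefg1", False),   # no uppercase letter
    ("ABCDEFG1", False),   # no lowercase letter
    ("Abcdefgh", False),   # no digit
    ("Abc defg1", False),  # contains a space
]

def load_policy(cfg_text):
    """Return the compiled PasswordPolicy pattern, or None when the key is
    missing or commented out (the policy would then be disabled)."""
    for line in cfg_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # the pattern itself contains '='
        if key.strip() == "PasswordPolicy":
            # Assumption: "\\" in the file stands for a single backslash.
            return re.compile(value.replace("\\\\", "\\"))
    return None

def check_policy(policy, cases):
    """Return the (password, expected, actual) tuples where the policy's
    verdict differs from the expected one. An empty list means all pass."""
    mismatches = []
    for password, expected in cases:
        actual = policy.fullmatch(password) is not None
        if actual != expected:
            mismatches.append((password, expected, actual))
    return mismatches

if __name__ == "__main__":
    policy = load_policy(SAMPLE_CFG)
    if policy is None:
        print("PasswordPolicy is not set: only the minimum requirements apply")
    else:
        for row in check_policy(policy, CASES) or ["all cases behave as expected"]:
            print(row)
```

Extend CASES with passwords that reflect your own policy before changing the pattern; any row the script prints is a password the new pattern treats differently from what you intended.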

 
