Password policy
- Overview
- Example configuration
- Configuration properties
- Applying password policy
- Brute force protection policy
- Login brute force protection
- Connection brute force protection
This document provides guidelines for configuring the password policy in CloudBeaver. Administrators can define rules for user passwords to enhance security and comply with organizational requirements. These settings, applied globally, ensure passwords meet the specified standards during creation and update processes.
For more details on configuration, see the CloudBeaver server configuration.
The Password Policy configuration is located under the server.sm section of
the main server configuration file.
| Name | Environment Variable | Description |
|---|---|---|
minLength |
CLOUDBEAVER_POLICY_MIN_LENGTH |
Specifies the minimum length requirement for user passwords. |
requireMixedCase |
CLOUDBEAVER_POLICY_REQUIRE_MIXED_CASE |
Enforces the use of both uppercase and lowercase letters in passwords. |
minNumberCount |
CLOUDBEAVER_POLICY_MIN_NUMBER_COUNT |
Sets the minimum number of numeric characters required in passwords. |
minSymbolCount |
CLOUDBEAVER_POLICY_MIN_SYMBOL_COUNT |
Defines the minimum number of special symbols required in passwords. |
enableBruteForceProtection |
CLOUDBEAVER_BRUTE_FORCE_PROTECTION_ENABLED |
Enables brute force protection for login attempts. |
expiredAuthAttemptInfoTtl |
CLOUDBEAVER_EXPIRED_AUTH_ATTEMPT_INFO_TTL |
Time-to-live (TTL) for expired authentication attempt information (in minutes). |
maxFailedLogin |
CLOUDBEAVER_MAX_FAILED_LOGINS |
Maximum number of allowed failed login attempts before blocking access. |
minimumLoginTimeout |
CLOUDBEAVER_MINIMUM_LOGIN_TIMEOUT |
Minimum timeout duration (in minutes) before the next login attempt. |
blockLoginPeriod |
CLOUDBEAVER_BLOCK_PERIOD |
Period (in seconds) for which a login is blocked after maximum failed attempts. |
connectionBruteForce |
CLOUDBEAVER_CONNECTION_BF_PROTECTION_ENABLED |
Enables brute force protection for database connection attempts. |
maxFailedConnectAttempts |
CLOUDBEAVER_CONNECTION_BF_PROTECTION_MAX_ATTEMPTS |
Number of failed DB connection attempts before blocking the user. |
errorAttemptsPeriodInMinutes |
CLOUDBEAVER_CONNECTION_BF_PROTECTION_ERROR_ATTEMPTS_PERIOD |
Time window (in minutes) for checking failed connection attempts. |
The configured password policy will be applied during password create and change processes. The CloudBeaver will check the entered passwords against the defined policy, and users will be prompted to update their passwords if they do not meet the specified requirements.
CloudBeaver supports two types of brute force protection:
- Login brute force protection - limits failed login attempts to the CloudBeaver
-
Connection brute force protection
- limits failed database connection attempts through CloudBeaver.
These policies help prevent unauthorized access by temporarily or permanently blocking users after repeated failures.
When the policy is enabled and the failed attempts threshold is reached, CloudBeaver:
-
Disables the user account
-
Ends the user's session in CloudBeaver
-
Logs the following information in the admin panel:
- When the user was disabled (date)
- Who disabled the user (user name)
- Reason for disabling (connection policy, user provisioning, or manual action).
To make the user active again, the administrator must recheck the Enabled box next to their name in the user list. For details, see Users.
This policy controls how CloudBeaver reacts to multiple failed login attempts.
When enabled, it tracks incorrect passwords during user authentication. After a set number of failures, the user is temporarily blocked and must wait before trying again.
This policy tracks failed attempts to connect to a database through CloudBeaver.
If a user reaches the allowed number of failed connection attempts (for example, when connecting to Redshift with a wrong password), CloudBeaver disables their account. The user is logged out, and only an administrator can enable the account again.
Supported databases:
- PostgreSQL
- Greenplum
- CockroachDB
- Redshift
-
Getting started
-
Administration
- Server configuration
- Create Connection
- Access Management
-
Authentication methods
-
Local Access Authentication
- Anonymous Access Configuration
- Reverse proxy header authentication
- LDAP
-
Single Sign On
-
SAML
-
OpenID
-
AWS OpenID
-
AWS SAML
-
AWS IAM
-
AWS OpenId via Okta
-
Snowflake SSO
-
Okta OpenId
-
Cognito OpenId
-
JWT authentication
-
Kerberos authentication
-
NTLM
-
Microsoft Entra ID authentication
-
Google authentication
-
Local Access Authentication
- Database authentication methods
- Network configuration settings
- User credentials storage
- Cloud databases configuration
-
Query Manager
-
Drivers Management
-
Features
- Server configuration
-
Domain manager
- Product configuration parameters
- Command line parameters
- Log customization
- Local Preferences
- API and Integration
- Deployment options
- Additional setup and management
sm: { enableBruteForceProtection: "${CLOUDBEAVER_BRUTE_FORCE_PROTECTION_ENABLED:true}", expiredAuthAttemptInfoTtl: "${CLOUDBEAVER_EXPIRED_AUTH_ATTEMPT_INFO_TTL:60}", maxFailedLogin: "${CLOUDBEAVER_MAX_FAILED_LOGINS:10}", minimumLoginTimeout: "${CLOUDBEAVER_MINIMUM_LOGIN_TIMEOUT:1}", blockLoginPeriod: "${CLOUDBEAVER_BLOCK_PERIOD:300}", connectionBruteForce: { enabled: "${CLOUDBEAVER_CONNECTION_BF_PROTECTION_ENABLED:false}", maxFailedConnectAttempts: "${CLOUDBEAVER_CONNECTION_BF_PROTECTION_MAX_ATTEMPTS:5}", errorAttemptsPeriodInMinutes: "${CLOUDBEAVER_CONNECTION_BF_PROTECTION_ERROR_ATTEMPTS_PERIOD:1440}" }, passwordPolicy: { minLength: "${CLOUDBEAVER_POLICY_MIN_LENGTH:8}", requireMixedCase: "${CLOUDBEAVER_POLICY_REQUIRE_MIXED_CASE:true}", minNumberCount: "${CLOUDBEAVER_POLICY_MIN_NUMBER_COUNT:1}", minSymbolCount: "${CLOUDBEAVER_POLICY_MIN_SYMBOL_COUNT:0}" } }