Vertica Analytics Platform Version 9.2.x Documentation
You can set password policies for users by assigning them profiles. You can create multiple profiles to manage the password policies for several categories of users. For example, you could create one profile for interactive users that requires frequent password changes and another profile for user accounts that never requires password changes.
You create profiles with CREATE PROFILE and alter existing profiles with ALTER PROFILE. Both statements let you set one or more profile parameters which can control, among other things, the minimum lifetime of a password, password complexity, and password-reset rules.
Each profile can specify one or more of the following policies.
- How often users must change their passwords
- How many times users must change their passwords before they can reuse an old password
- How many times a user can fail to log in before the account is locked
- The maximum number of characters
- The minimum number of capital letters, lowercase letters, digits, and symbols required
Database-level Password Management
In addition to the profile-level password requirements, you can specify global password complexity rules with the following security parameters.
Note that these system-level parameters do not exist in other versions of Vertica and, starting in Vertica 10.1.x, are replaced with PROFILE-level parameters with the same functionality. When you upgrade, you must set these parameters again at the PROFILE-level to reproduce your configuration.
- PasswordMinLifeTime: how many days must pass before a password can be changed
- PasswordMinCharChange: the minimum number of characters that must be different from the previous password
Changes to profile policies for password content—for example, PASSWORD_MIN_SYMBOLS—affect users only when they change their passwords. Vertica does not test existing passwords to verify that they comply with new password requirements. To enforce immediate compliance with new profile requirements, use ALTER USER…PASSWORD EXPIRE to immediately expire the current user's password. The next time the user logs in, Vertica prompts them to supply a new password, which must comply with the current policy.
Each database contains a DEFAULT profile. Vertica assigns the default profile to users who are not explicitly assigned a profile. The default profile also sets parameters of non-default profiles in two cases:
- Profile parameters that are not explicitly set by
- Parameters that ALTER PROFILE sets to
All parameters in the default profile are initially set to unlimited. You can use ALTER PROFILE to change these settings. For example, the following statement modifies the default profile parameter PASSWORD_MIN_SYMBOLS. The change requires passwords to contain at least one symbol, such as $, #, @. This change affects all profiles where PASSWORD_MIN_SYMBOLS is set to
ALTER PROFILE DEFAULT LIMIT PASSWORD_MIN_SYMBOLS 1;
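The two-profile setup described at the top of this page, followed by forced compliance and an audit, as an added example that is not part of the Vertica documentation. The profile names, user names, and limit values are assumptions chosen for illustration.

```sql
-- Added example: profile names, user names and limits are hypothetical sample values.

-- Interactive users: regular rotation, reuse limits, lockout, complexity.
CREATE PROFILE interactive_users LIMIT
    PASSWORD_LIFE_TIME 90              -- days before the password must be changed
    PASSWORD_GRACE_TIME 7              -- days of warned logins after the password expires
    PASSWORD_REUSE_MAX 5               -- password changes required before an old one is reusable
    FAILED_LOGIN_ATTEMPTS 5            -- failed logins before the account is locked
    PASSWORD_LOCK_TIME 1               -- days the account stays locked
    PASSWORD_MIN_LENGTH 12
    PASSWORD_MIN_UPPERCASE_LETTERS 1
    PASSWORD_MIN_LOWERCASE_LETTERS 1
    PASSWORD_MIN_DIGITS 1
    PASSWORD_MIN_SYMBOLS 1;

-- Service accounts: no forced rotation, but a long password and a lockout limit.
-- Parameters not listed here take their values from the DEFAULT profile,
-- so a later ALTER PROFILE DEFAULT also changes what this profile enforces.
CREATE PROFILE service_accounts LIMIT
    PASSWORD_LIFE_TIME UNLIMITED
    FAILED_LOGIN_ATTEMPTS 10
    PASSWORD_MIN_LENGTH 24;

-- Assign the profiles to existing users (alice and app_etl are assumed to exist).
ALTER USER alice PROFILE interactive_users;
ALTER USER app_etl PROFILE service_accounts;

-- Content rules apply only at the next password change, so expire the
-- current password to make the new policy take effect at the next login.
ALTER USER alice PASSWORD EXPIRE;

-- Audit 1: the limits each profile actually carries.
SELECT profile_name, parameter_name, parameter_limit
FROM v_catalog.profile_parameters
WHERE profile_name IN ('interactive_users', 'service_accounts')
ORDER BY profile_name, parameter_name;

-- Audit 2: users still on the DEFAULT profile, whose limits start out unlimited.
SELECT user_name, profile_name, is_locked
FROM v_catalog.users
WHERE LOWER(profile_name) = 'default';
```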
Profile Settings and Client Authentication
The following profile settings affect client authentication methods, such as LDAP or GSS:
All other profile settings are used only by Vertica to manage its passwords.