Account Locking
In a profile, you can set a password policy for how many consecutive failed login attempts a user account is allowed before locking. This locking mechanism helps prevent dictionary-style brute-force attempts to guess users' passwords.
Set Account Locking
Set this value using the FAILED_LOGIN_ATTEMPTS
parameter using the CREATE PROFILE or ALTER PROFILE statement.
Vertica locks any user account that has more consecutive failed login attempts than the value to which you set FAILED_LOGIN_ATTEMPTS
. The user cannot log in to a locked account, even by supplying the correct password.
Unlock a Locked Account
You can unlock accounts in one of two ways, depending on your privileges.
- Manually—If you are a superuser, you can manually unlock the account using the ALTER USER command.
Note: A superuser account cannot be locked, because it is the only user that can unlock accounts. For this reason, choose a very secure password for a superuser account. See Password Guidelines for suggestions.
- Password Lock Time Setting—Specify the number of days until an account unlocks in the
PASSWORD_LOCK_TIME
parameter of the user's profile. Vertica automatically unlocks the account after the specified number of days has passed. If you set this parameter toUNLIMITED
, the user's account is never automatically unlocked, and a superuser must manually unlock it.