Password Policy Configuration
You can apply password policy rules that govern a password's length, the characters it uses, and the patterns it contains. The rules are configured by setting:
ii.<host>.config.pw_policy rule1=val1[,rule2=val2…]
Note: By default, no policy rule is set during installation, so if this configuration parameter is not set, any password is accepted.
The password policy rules that can be configured:
min
The minimum length of the password.
max
The maximum length of the password.
class
The class parameter enforces required character classes: uppercase letters (8), lowercase letters (4), digits (2), and punctuation characters (1). The values of the required classes are summed to give the setting. For example:
class=15
means 8+4+2+1=15, so all four character classes must be present in the password.
eq
The maximum number of consecutive identical characters; for example, 3 allows up to three identical characters in a row, such as xxx.
seq
The maximum number of consecutive characters in alphabetical or numerical sequence (*); for example, with a value of 5, 34567 or abcde is a run of five. A repetitive pattern such as abccbc also counts as a sequence.
Note: (*) "In sequence" means near: each character is one higher (or one key to the right), one lower (or one key to the left), or equal to the previous one. For example, eewwqq counts as a keyboard sequence.
keyb
The maximum number of consecutive characters that form a horizontal keyboard sequence, such as qwert, based on a US keyboard layout.
date
Rejects a combination of digits and punctuation that looks like a standard date format: three groups of two digits separated by punctuation, for example 12/24/23 or 24.12.23, with a day (<32) and a month (<13) in the first or last two groups.
More precisely, if the second group could be a month, either of the other two must be a day. If the second group is a day, the first must be a month, so MM-DD-YY is treated as a date but YY-DD-MM is not.
dict
Rejects passwords that contain a word from the blocklist, which is installed with the iipwblock tool.
Further considerations in password policy configuration:
• Dates and blocked words are found at any position in the password.
• Each rule takes a number; omitting a rule (equivalent to 0) leaves it inactive. Setting date=1 or dict=1 activates the rule; specifying date or dict without a number also activates it.
An example with all rules active:
min=8,max=16,class=15,eq=2,seq=3,keyb=3,date,dict
• All lengths count characters, not bytes. Some characters use three bytes in UTF8.
Note: There is a hard limit of maximum 24 bytes for a password.
• You can set the password policy after a 7.0 upgrade, and it remains valid for future upgrades as well.
• Rules apply when a new password is set using the CREATE USER or ALTER USER SQL statements; existing passwords are not affected.
• The password policy does not apply when creating encrypted databases or encrypted tables.
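As an added illustration (not Ingres code, and not an official implementation of these checks), the following Python parses a pw_policy string such as the example above and pre-checks a candidate password against each rule, so an administrator can test a policy before applying it with CREATE USER or ALTER USER. The US keyboard rows, the ASCII punctuation set, and the reading of "near" for seq and keyb are assumptions.

```python
import re
# Added example, not Ingres code: a pre-check for the pw_policy rules documented above. The
# keyboard rows and the "near" step used for seq/keyb are my reading of the text (assumptions).
PUNCT = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")
KEYB_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")  # assumed US layout rows
DATE_RE = re.compile(r"(\d\d)[^\w\s](\d\d)[^\w\s](\d\d)")

def parse_policy(spec):  # 'rule1=val1[,rule2=val2...]'; a bare 'date' or 'dict' means 1
    pairs = (s.strip().partition("=") for s in spec.split(",") if s.strip())
    return {k: int(v) if v else 1 for k, _, v in pairs}

def longest_run(pw, near):  # longest run in which every adjacent pair satisfies near()
    best = run = 1 if pw else 0
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if near(a, b) else 1
        best = max(best, run)
    return best

def alpha_near(a, b): return abs(ord(a) - ord(b)) <= 1  # one higher, one lower, or equal

def keyb_near(a, b):  # same keyboard row and at most one key apart: eewwqq is a run of six
    for row in KEYB_ROWS:
        if a.lower() in row and b.lower() in row:
            return abs(row.index(a.lower()) - row.index(b.lower())) <= 1
    return False

def looks_like_date(pw):  # three two-digit groups split by punctuation, at any position
    day, mon = (lambda n: n < 32), (lambda n: n < 13)  # bounds as documented
    for m in DATE_RE.finditer(pw):
        g1, g2, g3 = (int(x) for x in m.groups())
        if (mon(g2) and (day(g1) or day(g3))) or (day(g2) and mon(g1)):
            return True  # 12/24/23 and 24.12.23 match; YY-DD-MM such as 23-24-12 does not
    return False

def class_mask(pw):  # classes present: uppercase=8, lowercase=4, digits=2, punctuation=1
    tests = ((8, str.isupper), (4, str.islower), (2, str.isdigit), (1, PUNCT.__contains__))
    return sum(bit for bit, t in tests if any(t(c) for c in pw))

def check_password(pw, rules, blocklist=()):  # names of violated rules; [] means accepted
    r, n = rules.get, len(pw)  # lengths count characters, not bytes
    failed = {"bytes": len(pw.encode("utf-8")) > 24,  # hard limit noted in the docs
              "min": n < r("min", 0),
              "max": r("max") and n > r("max"),
              "class": r("class", 0) & ~class_mask(pw),  # required bits that are missing
              "eq": r("eq") and longest_run(pw, str.__eq__) > r("eq"),
              "seq": r("seq") and longest_run(pw, alpha_near) > r("seq"),
              "keyb": r("keyb") and longest_run(pw, keyb_near) > r("keyb"),
              "date": r("date") and looks_like_date(pw),
              "dict": r("dict") and any(w in pw.lower() for w in blocklist)}
    return [name for name, broken in failed.items() if broken]
```

The blocklist argument stands in for the words installed with iipwblock; pass them lowercased, as the tool stores them.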
Password Policy Blocklist
The command iipwblock <blocklist.txt> installs the blocked words, lowercased and sorted, in:
II_SYSTEM/ingres/files/pwblock.utf32.
The blocklist file must contain one blocked word per line, in the database's II_CHARSET character set, with at most 1000 words of at most 24 bytes each.
You can install an empty blocklist file:
iipwblock -clear
Note: Run without the blocklist parameter, iipwblock dumps the installed list in UTF8, not in the database character set.
Note: There is no default blocklist, and without an installed file, the dict configuration parameter does nothing. The iipwblock tool must be installed.