Manage passwords
Redis Enterprise Software provides several ways to manage the passwords of local accounts, including:
You can also manage a user’s ability to sign in and control session timeout.
To enforce more advanced password policies, we recommend using LDAP integration with an external identity provider, such as Active Directory.
Password complexity rules
Redis Enterprise Software provides optional password complexity rules that meet common requirements. When enabled, these rules require the password to have:
- At least 8 characters
- At least one uppercase character
- At least one lowercase character
- At least one number
- At least one special character
These requirements reflect v6.2.12 and later. Earlier versions did not support numbers or special characters as the first or the last character of a password. This restriction was removed in v6.2.12.
In addition, the password:
- Cannot contain the user’s email address or the reverse of the email address.
- Cannot have more than three repeating characters.
Password complexity rules are applied when a new user account is created and when the password is changed. They are not applied to accounts authenticated by an external identity provider.
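As an added example (not code from the Redis Enterprise Software product or its documentation), the check below applies the rules listed above locally, so a new password can be validated before it is sent to the REST API. Treating any non-alphanumeric character as "special" and reading "more than three repeating characters" as a run of four or more identical consecutive characters are assumptions.

```python
import re


def check_password_complexity(password: str, email: str) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes.

    Mirrors the complexity rules listed on this page. Assumptions: any
    non-alphanumeric character counts as special, and "more than three
    repeating characters" means four or more identical characters in a row.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase character")
    if not any(c.islower() for c in password):
        problems.append("no lowercase character")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    # Email checks are case-insensitive so that a re-cased copy of the
    # address (or its reverse) is still rejected.
    lowered, mail = password.lower(), email.lower()
    if mail and (mail in lowered or mail[::-1] in lowered):
        problems.append("contains the email address or its reverse")
    if re.search(r"(.)\1{3,}", password):
        problems.append("more than three repeating characters")
    return problems
```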
You can use the admin console or the REST API to enable password complexity rules.
Enable using the admin console
To enable password complexity rules using the admin console:
- Sign in to the Redis Enterprise Software admin console using an administrator account
- From the main menu, select Settings | Preferences
- Place a checkmark next to Enable password complexity rules
- Save your changes
Enable using the REST API
To use the REST API to enable password complexity rules:
PUT https://[host][:port]/v1/cluster
{"password_complexity":true}
Deactivate password complexity rules
To deactivate password complexity rules:
- Remove the checkmark from the Enable password complexity rules setting in the admin console
- Use the cluster REST API endpoint to set password_complexity to false
Password expiration
To enforce an expiration of a user’s password after a specified number of days:
- Use the admin console to place a checkmark next to the Enable password expiration preference setting
- Use the cluster endpoint of the REST API:
  PUT https://[host][:port]/v1/cluster
  {"password_expiration_duration":<number_of_days>}
To deactivate password expiration:
- Remove the checkmark next to the Enable password expiration preference setting. For help locating the setting, see Password complexity rules.
- Use the cluster REST API endpoint to set password_expiration_duration to 0 (zero).
Password rotation policies
Redis Enterprise Software lets you implement password rotation policies using its REST API.
You can add a new password for a database user without immediately invalidating the old one (which might cause authentication errors in production).
For user access to the Redis Enterprise Software admin console, you can set a password expiration policy to prompt the user to change their password.
However, for database connections that rely on password authentication, you need to allow for authentication with the existing password while you roll out the new password to your systems.
With the Redis Enterprise Software REST API, you can add additional passwords to a user account for authentication to the database or the admin console and API.
Once the old password is replaced in the database connections, you can delete the old password to finish the password rotation process.
The new password cannot already exist as a password for the user and must meet the password complexity requirements, if enabled.
Rotate password
To rotate the password of a user account:
- Add an additional password to a user account with POST /v1/users/password:
  POST https://[host][:port]/v1/users/password '{"username":"<username>", "old_password":"<an_existing_password>", "new_password":"<a_new_password>"}'
  After you send this request, you can authenticate with both the old and the new password.
- Update the password in all database connections that connect with the user account.
- Delete the original password with DELETE /v1/users/password:
  DELETE https://[host][:port]/v1/users/password '{"username":"<username>", "old_password":"<an_existing_password>"}'
  If there is only one valid password for a user account, you cannot delete that password.
Replace all passwords
You can also replace all existing passwords for a user account with a single password that does not match any existing passwords. This can be helpful if you suspect that your passwords are compromised and you want to quickly resecure the account.
To replace all existing passwords for a user account with a single new password, use PUT /v1/users/password:
PUT https://[host][:port]/v1/users/password '{"username":"<username>", "old_password":"<an_existing_password>", "new_password":"<a_new_password>"}'
All of the existing passwords are deleted and only the new password is valid.
PUT request, the new password is added to the list of existing passwords.
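The following is an added example, not code from Redis or its documentation, covering both the three-step rotation under Rotate password and the single-step replacement under Replace all passwords. It calls the /v1/users/password path and JSON fields described on this page; the cluster address, the basic-auth admin credentials, and the HTTP status codes returned by the constructed in-memory FakeCluster are assumptions, and the fake exists only so the flow can be exercised offline.

```python
import base64
import json
import urllib.request

# Hypothetical cluster address (assumption); the path and JSON fields are the ones this page describes.
BASE_URL = "https://cluster.example.internal:9443"
PASSWORD_PATH = "/v1/users/password"


def https_sender(admin_user, admin_pw):
    """Return send(method, body) -> HTTP status, calling the cluster over HTTPS with basic auth."""
    token = base64.b64encode(f"{admin_user}:{admin_pw}".encode()).decode()

    def send(method, body):
        req = urllib.request.Request(BASE_URL + PASSWORD_PATH, method=method,
                                     data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json",
                                              "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on a 4xx/5xx reply
            return resp.status
    return send


def rotate_password(username, old_pw, new_pw, send, update_clients):
    """Three-step rotation from this page: add new password, re-point clients, delete the old one."""
    log = [("POST", send("POST", {"username": username, "old_password": old_pw, "new_password": new_pw}))]
    if log[-1][1] != 200:
        return log  # new password rejected (already in use or fails complexity); old password still works
    update_clients(username, new_pw)  # both passwords stay valid while clients are switched over
    log.append(("DELETE", send("DELETE", {"username": username, "old_password": old_pw})))
    return log


class FakeCluster:
    """Constructed stand-in for the per-user password list this page describes (status codes assumed)."""
    def __init__(self, passwords):
        self.passwords = {user: list(pws) for user, pws in passwords.items()}

    def send(self, method, body):
        pws = self.passwords[body["username"]]
        if method in ("POST", "PUT"):  # old_password must exist; new password must not already exist
            if body["old_password"] not in pws or body["new_password"] in pws:
                return 400
            pws[:] = pws + [body["new_password"]] if method == "POST" else [body["new_password"]]
            return 200
        if method == "DELETE":  # the only remaining password cannot be deleted
            if body["old_password"] not in pws or len(pws) == 1:
                return 400
            pws.remove(body["old_password"])
            return 200
        return 405
```

Against a real cluster, pass `https_sender("<admin_user>", "<admin_password>")` as `send` and a function that updates your application's stored credentials as `update_clients`.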