Password complexity parameters
When you install the Puppet Enterprise (PE) console, password complexity parameters are preconfigured to implement a robust policy. The default password policy includes the following requirements:
- Passwords must be at least 12 characters in length and must include upper and lowercase letters, special characters, and numbers.
- The last five previous passwords cannot be reused when passwords are changed.
If you're an Administrator and want to customize password complexity requirements for users in your organization, you can modify the following parameters:
puppet_enterprise::profile::console::login_minimum_length
An integer specifying the minimum number of characters required in a login (username). For example, usernames must be at least six characters.
Default: 6
puppet_enterprise::profile::console::password_minimum_length
An integer specifying the minimum number of characters required in a password. For example, passwords must be at least twelve characters.
Default: 12
puppet_enterprise::profile::console::letters_required
An integer specifying the minimum number of alphabetic characters required in a password. For example, passwords must contain at least one letter.
Default: 0
puppet_enterprise::profile::console::lowercase_letters_required
An integer specifying the minimum number of lowercase alphabetic characters required in a password. For example, passwords must contain at least one lowercase letter.
Default: 1
puppet_enterprise::profile::console::uppercase_letters_required
An integer specifying the minimum number of capital alphabetic characters required in a password. For example, passwords must contain at least one capital letter.
Default: 1
puppet_enterprise::profile::console::numbers_required
An integer specifying the minimum number of numeric characters required in a password. For example, passwords must contain at least one number, 0 through 9.
Default: 1
puppet_enterprise::profile::console::special_characters_required
An integer specifying the minimum number of special characters required in a password, such as @, #, $, or !. For example, a password must contain at least one special character.
Default: 1
puppet_enterprise::profile::console::number_of_previous_passwords
An integer specifying the number of previous passwords the system remembers so they can't be reused when a user changes their password. For example, a user's new password can't be the same as any of the user's previous five passwords.
Default: 5
puppet_enterprise::profile::console::username_substring_match
A Boolean specifying whether to compare logins (usernames) and passwords for uniqueness. Set to true to apply the substring_character_limit and prevent users from creating login-password combinations where the password is completely or partially the same as the login.
Default: false
puppet_enterprise::profile::console::substring_character_limit
An integer specifying how many consecutive characters from the login (user name) can appear in the password. For example, passwords cannot include more than three consecutive characters from the login.
Default: 0
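To see which candidate passwords a given combination of these settings would accept before rolling it out, the following added example (not Puppet's code and not part of the original documentation) models the parameters above in Python, with defaults taken from this page. It assumes that "special" means any non-alphanumeric, non-space character, that the login comparison is case-insensitive, and that substring_character_limit is the longest run of login characters still allowed; login_minimum_length and password history are not modelled.

```python
# Added example: a model of the documented parameters, not PE's implementation.
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    # Field names mirror puppet_enterprise::profile::console::*; defaults are from the page.
    password_minimum_length: int = 12
    letters_required: int = 0
    lowercase_letters_required: int = 1
    uppercase_letters_required: int = 1
    numbers_required: int = 1
    special_characters_required: int = 1
    username_substring_match: bool = False
    substring_character_limit: int = 0

def shares_run(login, password, limit):
    """True if more than `limit` consecutive login characters appear in the password."""
    n = limit + 1
    login, password = login.lower(), password.lower()  # assumption: case-insensitive
    return any(login[i:i + n] in password for i in range(len(login) - n + 1))

def violations(policy, login, password):
    """Return the names of the parameters that the candidate password fails."""
    counts = {
        "letters_required": sum(c.isalpha() for c in password),
        "lowercase_letters_required": sum(c.islower() for c in password),
        "uppercase_letters_required": sum(c.isupper() for c in password),
        "numbers_required": sum(c.isdigit() for c in password),
        # Assumption: "special" is any non-alphanumeric, non-space character.
        "special_characters_required": sum(
            not c.isalnum() and not c.isspace() for c in password),
    }
    failed = [name for name, have in counts.items() if have < getattr(policy, name)]
    if len(password) < policy.password_minimum_length:
        failed.insert(0, "password_minimum_length")
    if policy.username_substring_match and shares_run(
            login, password, policy.substring_character_limit):
        failed.append("substring_character_limit")
    return failed

if __name__ == "__main__":
    # Constructed sample login and passwords, for illustration only.
    strict = PasswordPolicy(username_substring_match=True, substring_character_limit=3)
    for pw in ("Jsmith01!2024x", "Blue-Kettle-9-jsm"):
        print(pw, "default:", violations(PasswordPolicy(), "jsmith01", pw),
              "strict:", violations(strict, "jsmith01", pw))
```

The first sample password passes the default policy even though it embeds the whole login, because username_substring_match defaults to false; the same password fails once the match is enabled with a limit of 3.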
For RBAC-related parameters, such as rbac_failed_attempts_lockout, refer to Console and console-services parameters and Configure RBAC and token-based authentication settings.