
Hi Team,

As part of our organization's security policy review, I would like to inquire about specific features offered by Commvault regarding password management:


  • One-Time Password Policy: Does Commvault provide a functionality that prompts users to change their password upon their first login or during a password reset process?

  • Forbidden Password Combinations: Is there a feature that prevents users from using their usernames as part of their passwords, or any other configurable restrictions on password combinations?


Hello @RlpCVVnt,
I hope you are doing well.

Regarding OTP, Commvault does not have a built-in option, but you can integrate it with external tools. For mobile apps, you can use the Commvault Token App, Google Authenticator, or Microsoft Authenticator. For desktop, the Commvault Token Desktop Authenticator is available, though I'm not aware of any other desktop apps.

https://documentation.commvault.com/2024e/essential/pin_generating_tools.html

For the forbidden password combinations, Commvault lacks a specific feature to enforce these. However, you can implement security policies in your Active Directory or LDAP server to restrict weak passwords, prevent password reuse, etc.


Best Regards,
Mohamed Ramadan
Data Protection Specialist


OTP is available when enabling 2FA using the built-in email workflow. A unique PIN is generated and sent via email as verification, which the user has to enter in order to log in. As @Mohamed Ramadan mentioned, you can also use authentication apps for 2FA.

When provisioning a user, there is an option to define a system-set password.

When that is done, the user will be asked to change the password.

There are password policy restrictions, like enforcing a password history (can’t use the previous x passwords) and different complexity levels: https://documentation.commvault.com/2023e/expert/setting_strength_requirements_for_user_passwords.html

The complexity levels will all but ensure a username can’t be in the password, but there are no specific settings. But overall I agree with @Mohamed Ramadan - if you integrate AD then you can leverage the AD enforcement of password complexity etc.

(I would recommend always having a local admin account to leverage in case of AD compromise).
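As an added illustration that is not Commvault's code and not from any poster in this thread: the two controls asked about (a username-in-password restriction and a password history) are simple enough to enforce in your own provisioning or self-service tooling in front of the directory when the product itself lacks a setting for them. The policy values, the username variants checked, and the PBKDF2 parameters below are assumptions for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Policy knobs; the values are assumed for this example, not product defaults."""
    min_length: int = 12
    required_classes: int = 3   # how many of lower/upper/digit/symbol must appear
    history_size: int = 5       # how many previous passwords may not be reused
    forbid_username: bool = True


def _derive(password, salt):
    """Salted PBKDF2 so the history never stores reusable cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Remembers the last N passwords as (salt, digest) pairs."""

    def __init__(self, size):
        self.size = size
        self._entries = []

    def contains(self, password):
        # Constant-time comparison against every remembered digest.
        return any(
            hmac.compare_digest(_derive(password, salt), digest)
            for salt, digest in self._entries
        )

    def remember(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, _derive(password, salt)))
        # Drop the oldest entries once the window is full.
        self._entries = self._entries[-self.size:]


def _username_variants(username):
    """Forms of the username a password must not contain (case-insensitive):
    the login as typed, the local part of a UPN-style login, each reversed,
    and each with separators removed (so 'j.smith' also catches 'jsmith')."""
    base = username.lower()
    seeds = {base}
    if "@" in base:
        seeds.add(base.split("@", 1)[0])
    variants = set()
    for seed in seeds:
        variants.add(seed)
        variants.add(seed[::-1])
        variants.add(re.sub(r"[^a-z0-9]", "", seed))
    # Very short fragments would reject almost everything, so ignore them.
    return {v for v in variants if len(v) >= 3}


def check_password(policy, username, password, history):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum(
        bool(re.search(pat, password))
        for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < policy.required_classes:
        problems.append(f"uses {classes} character classes, policy needs {policy.required_classes}")
    if policy.forbid_username:
        lowered = password.lower()
        normalized = re.sub(r"[^a-z0-9]", "", lowered)
        if any(v in lowered or v in normalized for v in _username_variants(username)):
            problems.append("contains the username")
    if history.contains(password):
        problems.append("matches one of the recently used passwords")
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = PasswordHistory(policy.history_size)
    # Constructed sample inputs: one acceptable password, one containing the login.
    for pw in ("Correct-Horse-Battery-9", "JSmith!2024xyz"):
        print(pw, "->", check_password(policy, "jsmith", pw, history) or "ok")
```

The history stores only salted digests, so a leaked history file does not hand an attacker the user's previous passwords; the username check normalizes both sides so punctuation in a login such as j.smith does not let "JSmith" through.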


Hi Damian and Mohammed,

Thanks for answering my inquiries. Actually, we’re already considering integrating AD or LDAP. I just really need your expertise as our reference and as a proof that there are some specific features that are not yet available in Commvault. Thanks, Team! :)

