Skip to main content
commvault.com commvault.com
Solved

Inquiry About Commvault Security Features Commvault users: Password Policy

  • October 30, 2024
  • 3 replies
  • 62 views
R
Byte
Forum|alt.badge.img+1

Hi Team,

As part of our organization's security policy review, I would like to inquire about specific features offered by Commvault regarding password management:

 

  • One-Time Password Policy: Does Commvault provide a functionality that prompts users to change their password upon their first login or during a password reset process?

  • Forbidden Password Combinations: Is there a feature that prevents users from using their usernames as part of their passwords, or any other configurable restrictions on password combinations?

 

Best answer by Damian Andre

OTP is available when enabling 2FA using the builtin email workflow. A unique pin is generated and sent via email as verification that the user has to enter in order to login. As @Mohamed Ramadan mentioned you can also use authentication apps for 2FA.

​When provisioning a user, there is an option to define a system set password

When that is done, the user will be asked to change the password

 

There are password policy restrictions, like enforcing a password history (can’t use previous x password) and different complexity levels: https://documentation.commvault.com/2023e/expert/setting_strength_requirements_for_user_passwords.html

The complexity levels will all but ensure a username can’t be in the password, but there are no specific settings. But overall I agree with @Mohamed Ramadan - if you integrate AD then you can leverage the AD enforcement of password complexity etc.

(I would recommend always having a local admin account to leverage in case of AD compromise).

View original
S
1 person likes this
  • S
    samyr
Did this answer your question?

3 replies

Mohamed Ramadan
Forum|alt.badge.img+11

hello @RlpCVVnt 
i I hope you are doing well.
 

Regarding OTP, Commvault does not have a built-in option, but you can integrate it with external tools. For mobile apps, you can use the Commvault Token App, Google Authenticator, or Microsoft Authenticator. For desktop, the Commvault Token Desktop Authenticator is available, though I'm not aware of any other desktop apps.

https://documentation.commvault.com/2024e/essential/pin_generating_tools.html
 

For the forbidden password combinations, Commvault lacks a specific feature to enforce these. However, you can implement security policies in your Active Directory or LDAP server to restrict weak passwords , prevent password reuse ..etc


Best Regards,
Mohamed Ramadan
Data Protection Specialist

https://www.linkedin.com/in/eng-mohammed-ramadan/
R
1 person likes this
  • R
    RlpCVVnt
Damian Andre
Vaulter
Forum|alt.badge.img+23
  • Damian AndreVaulter
  • Vaulter
  • 1287 replies
  • Answer
  • October 30, 2024

OTP is available when enabling 2FA using the builtin email workflow. A unique pin is generated and sent via email as verification that the user has to enter in order to login. As @Mohamed Ramadan mentioned you can also use authentication apps for 2FA.

​When provisioning a user, there is an option to define a system set password

When that is done, the user will be asked to change the password

 

There are password policy restrictions, like enforcing a password history (can’t use previous x password) and different complexity levels: https://documentation.commvault.com/2023e/expert/setting_strength_requirements_for_user_passwords.html

The complexity levels will all but ensure a username can’t be in the password, but there are no specific settings. But overall I agree with @Mohamed Ramadan - if you integrate AD then you can leverage the AD enforcement of password complexity etc.

(I would recommend always having a local admin account to leverage in case of AD compromise).

Mohamed Ramadan
R
2 people like this
  • Mohamed Ramadan
    Mohamed Ramadan
  • R
    RlpCVVnt
R
Byte
Forum|alt.badge.img+1
  • RlpCVVnt
  • Author
  • Byte
  • 3 replies
  • October 31, 2024

Hi Damian and Mohammed,

Thanks for answering my inquiries. Actually, we’re already considering integrating AD or LDAP. I just really need your expertise as our reference and as a proof that there are some specific features that are not yet available in Commvault. Thanks, Team! :)

Reply


Most helpful members this week

Terms & ConditionsCookie settings

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings