# Password Policy

## Overview
MazeVault provides comprehensive password policy management at both the organization and project template levels. Password policies ensure that all generated passwords meet security requirements and are compatible with target systems.
## Policy Levels

### Organization Policy
The default password policy is configured in Organization Settings → Security → Password Complexity Policy. This policy is automatically applied to all secret rotations unless overridden at the project template level.
| Parameter | Default Value | Description |
|---|---|---|
| Minimum Length | 17 characters | Minimum number of characters |
| Maximum Length | 128 characters | Maximum number of characters |
| Uppercase | Required | At least one uppercase letter (A-Z) |
| Lowercase | Required | At least one lowercase letter (a-z) |
| Digits | Required | At least one digit (0-9) |
| Special Characters | Required | At least one special character |
| Allowed Special Characters | `^_~` | Safe for all databases |
| Max Consecutive Characters | 3 | Prevents repeating patterns |
### Project Template
Project templates in the secrets category can override the organization policy. Configuration is done in Project Settings → Templates → Secrets Settings.
## Database-Specific Rules
MazeVault automatically applies rules compatible with the target database system:
| Database | Min Length | Max Length | Special Characters | Notes |
|---|---|---|---|---|
| Oracle | 17 | 30 | `^_~` | Oracle identifier restrictions |
| PostgreSQL | 17 | 128 | `^_~!@#$%` | Wide character support |
| MSSQL | 17 | 128 | `^_~!@#$%` | SQL Server compatibility |
| MongoDB | 17 | 128 | `^_~` | SCRAM-SHA restrictions |
| MySQL/MariaDB | 17 | 128 | `^_~!@#$%` | Standard support |
| Redis | 17 | 128 | `^_~` | ACL compatibility |
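The organization policy and the database-specific rules above can be checked and enforced with a small validator. The following is an added example written for this page, not MazeVault's own code: it encodes the table values as data, reports which rules a candidate password breaks for a given target, and generates a compliant password with a CSPRNG. It assumes "Max Consecutive Characters = 3" means no more than three identical characters in a row.

```python
import re
import secrets
import string

# Per-target rules, taken from the Database-Specific Rules table on this page.
DB_RULES = {
    "oracle":     {"min": 17, "max": 30,  "special": "^_~"},
    "postgresql": {"min": 17, "max": 128, "special": "^_~!@#$%"},
    "mssql":      {"min": 17, "max": 128, "special": "^_~!@#$%"},
    "mongodb":    {"min": 17, "max": 128, "special": "^_~"},
    "mysql":      {"min": 17, "max": 128, "special": "^_~!@#$%"},
    "redis":      {"min": 17, "max": 128, "special": "^_~"},
}
MAX_CONSECUTIVE = 3  # assumption: at most 3 identical characters in a row


def policy_violations(password: str, db: str) -> list[str]:
    """Return the rules a candidate breaks for the target system (empty list = compliant)."""
    rule = DB_RULES[db]
    allowed = set(string.ascii_letters + string.digits + rule["special"])
    problems = []
    if len(password) < rule["min"]:
        problems.append("too_short")
    if len(password) > rule["max"]:
        problems.append("too_long")
    if not any(c.isupper() for c in password):
        problems.append("no_uppercase")
    if not any(c.islower() for c in password):
        problems.append("no_lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c in rule["special"] for c in password):
        problems.append("no_special")          # a special char from the wrong set does not count
    if any(c not in allowed for c in password):
        problems.append("disallowed_character")  # e.g. '!' is fine for PostgreSQL but not Oracle
    if re.search(r"(.)\1{%d}" % MAX_CONSECUTIVE, password):
        problems.append("consecutive_repeat")  # a run longer than MAX_CONSECUTIVE
    return problems


def generate_password(db: str, length: int = 24) -> str:
    """Generate a password that satisfies every rule for the target, by rejection sampling."""
    rule = DB_RULES[db]
    if not rule["min"] <= length <= rule["max"]:
        raise ValueError(f"length {length} outside {rule['min']}..{rule['max']} for {db}")
    alphabet = string.ascii_letters + string.digits + rule["special"]
    while True:  # secrets.choice is a CSPRNG; redraw until all rules hold
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate, db):
            return candidate
```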
## Password Rotation

### Automatic Rotation
Passwords can be automatically rotated according to a configured interval:
- Rotation Interval: Configurable in days (default: 90 days)
- Schedule: Cron expression for precise scheduling
- Notifications: Configurable email notifications before rotation
- Retry: Automatic retry on failure (default: 3 attempts)
### Rotation Workflow
- Validate connection to target system
- Pre-rotation synchronization
- Generate new password according to policy
- Store in MazeVault
- Post-rotation synchronization
- Update database/service
- Verify new password
## Compliance Mapping
| Regulation | Control | Status |
|---|---|---|
| PCI DSS 8.3 | Minimum password length ≥ 12 characters | ✅ Met (min. 17) |
| PCI DSS 8.3.6 | Password rotation ≤ 90 days | ✅ Configurable |
| SOC 2 CC6.1 | Password complexity policy | ✅ Fully implemented |
| NIST 800-63B | Minimum entropy | ✅ Enforced by generator |