Change Passwords

Overview

Authorized users can change passwords that are stored in the Safe through the Password Vault Web Access. These passwords can be changed manually or replaced by a new password that is randomly generated by the Central Policy Manager.

The CPM generates unique and highly secure passwords using the password policy and the random password generation mechanism. Therefore, passwords that are managed by the CPM do not need to be specified manually.

Passwords are changed automatically by the CPM in the following scenarios:

Expiration period – Passwords that have an expiration period assigned to them are changed at the end of the specified period. This is configured in the Master Policy with the Require password change every X days rule.
One-time and exclusive passwords – Passwords that are defined as one-time passwords or that are configured for Exclusive Account mode are changed after every use. These are configured in the Master Policy with the Enforce one-time password access and Enforce check-in/check-out exclusive access rules. When a one-time or exclusive account that is a member of a group has been used and the exclusive account has been checked in to the Safe again, the password values for the entire group are changed. These passwords are changed after accounts are checked in manually, or automatically after a minimum validity period defined in the Master Policy or based on the request timeframe described below.
Request timeframe – A user requests to connect to an account or display a password (dual-control) for a certain timeframe, and that request is approved. Once the timeframe expires, the password is changed (if the user already released the account, it is changed upon release).
Manual initiation – A user clicks ‘change’ or ‘reconcile’ and initiates an immediate change or reconcile CPM operation.
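
The first three triggers above (manual initiation is a user action and is left out), modelled as an audit check that flags accounts whose password should already have been changed. This is an added example, not CyberArk code: the Policy and Account fields, the function names and the sample records are hypothetical and constructed, and it assumes that an approved request timeframe replaces the minimum validity period when both apply.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:  # hypothetical stand-in for the Master Policy values named above
    change_every_days: int   # "Require password change every X days"
    min_validity: timedelta  # minimum validity period before automatic release

@dataclass
class Account:  # hypothetical audit record, not a product schema
    name: str
    last_change: datetime
    one_time_or_exclusive: bool = False
    group: Optional[str] = None
    last_use: Optional[datetime] = None      # password retrieved or account checked out
    checked_in: Optional[datetime] = None    # released by the user
    request_ends: Optional[datetime] = None  # end of an approved request timeframe

def _released(a):  # checked in again after a use that followed the last change
    return bool(a.last_use and a.checked_in and a.last_change < a.last_use <= a.checked_in)

def change_reason(a: Account, p: Policy, now: datetime) -> Optional[str]:
    """Name the trigger under which the password should have changed by `now`."""
    used = a.last_use is not None and a.last_use > a.last_change
    if used and (a.request_ends or a.one_time_or_exclusive):
        # Assumption: an approved timeframe replaces the minimum validity period.
        deadline = a.request_ends or a.last_use + p.min_validity
        if _released(a) or now >= deadline:
            return "request timeframe" if a.request_ends else "one-time/exclusive"
    expired = now >= a.last_change + timedelta(days=p.change_every_days)
    return "expiration period" if expired else None

def overdue(accounts, p: Policy, now: datetime) -> dict:
    # Account name -> trigger; a released exclusive use covers its whole group.
    out = {a.name: r for a in accounts if (r := change_reason(a, p, now))}
    groups = {a.group for a in accounts if a.group and a.one_time_or_exclusive and _released(a)}
    out.update({a.name: "group member changed" for a in accounts
                if a.group in groups and a.name not in out})
    return out

at = lambda h, m=0: datetime(2024, 6, 1, h, m)  # time of day on the constructed sample date
NOW, POLICY = at(12), Policy(change_every_days=90, min_validity=timedelta(hours=1))
SAMPLE = [  # constructed records
    Account("svc-db", datetime(2024, 2, 1)),
    Account("root-a", datetime(2024, 5, 20), True, "unix-grp", last_use=at(9), checked_in=at(10)),
    Account("root-b", datetime(2024, 5, 20), group="unix-grp"),
    Account("admin-otp", datetime(2024, 5, 30), True, last_use=at(11, 30)),
    Account("dual-ctl", datetime(2024, 5, 25), last_use=at(10), request_ends=at(11)),
]
```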

If you decide to specify a password manually, ensure that it is secure by using a combination of letters and numbers. If a predefined platform is enforced, the password complexity requirements are displayed in the Change Password window so that you know which types of characters to include or exclude. In addition, if the CPM prevents you from reusing a certain number of predefined passwords, that is displayed too.

Change passwords that are managed automatically by the CPM

Users who have the following Safe member authorizations can initiate a password change process by the CPM on multiple passwords:

Initiate CPM password management operations

In addition, users with the following authorization can specify the new password that will be used:

Specify next password value

Change the password immediately with the CPM

Authorized users can initiate an immediate password change in which the CPM will change the password to a new random password. To perform this task, users require the following Safe member authorizations:

Initiate CPM password management operations

Specify the password for the CPM to use

Authorized users can initiate a password change process in an account that is managed by the CPM and specify the new password that will be used. The password can be changed in the Vault and reconciled on the remote machine by the CPM during the next CPM process. To perform this task, users require the following Safe member authorizations:

Initiate CPM password management operations
Specify next password value

Change the password in the Vault

Users who have the following Safe member authorization can change passwords that are managed manually:

Update password value