Force Password Change

Hi All,

Recently got Icinga set-up and have started to provide my team with their login details.

As part of this I’ve been instructing them to change their passwords on login, however I was wondering if there was a way to enforce this? Ideally I’d like to be able to do the below:

  • Force password change on first login
  • Make all passwords expire every 90 days and thus be forced to change them
  • Enforce password rules such as character limits and special characters

Thanks
Ash

1 Like

I’m not sure that there is a way off-hand to do this, but you could add an LDAP/AD backend for authentication.

Assuming that’s your corporate password policy, you should get the same effect.

Thanks Ben. Unfortunately our org isn’t allowing any new LDAP/AD integrations and is requiring application authentication go via our SSO SAML authentication, which Icinga currently doesn’t support (as far as I’m aware).

Even if Icinga Web 2 does not support it, you can use it via Apache authentication and External authentication in Icinga Web 2. But there would still be a need for AD/LDAP integration for group membership for role mapping in most cases.

And for the original question no there is no password policy management in Icinga Web 2.

1 Like
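To make the "Apache authentication plus External authentication" route concrete, here is an added example (not from this thread, and not an official Icinga or mod_auth_mellon snippet) of the web-server side. It assumes Apache with mod_auth_mellon as the SAML service provider, that the SP/IdP metadata and key files under /etc/apache2/mellon/ already exist, and that Icinga Web 2 is served under /icingaweb2. The SAML module authenticates the user against the IdP and sets REMOTE_USER; Icinga Web 2's external backend then trusts that variable, so the protection must cover the whole Icinga Web 2 location, not just the login page.

```apache
# /etc/apache2/conf-available/icingaweb2-sso.conf  (added example; paths are assumptions)
<Location /icingaweb2>
    # mod_auth_mellon handles the SAML exchange with the IdP. After a successful
    # login it exports the chosen attribute as REMOTE_USER for the PHP application.
    AuthType Mellon
    MellonEnable "auth"

    # Service-provider identity (assumed file locations).
    MellonSPMetadataFile   /etc/apache2/mellon/sp-metadata.xml
    MellonSPPrivateKeyFile /etc/apache2/mellon/sp-private-key.pem
    MellonSPCertFile       /etc/apache2/mellon/sp-cert.pem

    # Identity-provider metadata exported from your SSO platform.
    MellonIdPMetadataFile  /etc/apache2/mellon/idp-metadata.xml

    # Endpoints (ACS, metadata, logout) served by the module under this prefix.
    MellonEndpointPath /icingaweb2/mellon

    # Which SAML attribute becomes REMOTE_USER; NAME_ID is the subject NameID.
    MellonUser "NAME_ID"

    # Deny everything that did not pass the SAML login. Without this line the
    # external backend would see an empty REMOTE_USER and reject the session,
    # but keeping the explicit requirement also stops accidental anonymous access
    # if the module is ever disabled.
    Require valid-user
</Location>
```

On the Icinga Web 2 side the matching backend is a section in authentication.ini such as `[auth_sso]` with `backend = external`. Because the thread's constraint rules out LDAP/AD group lookups, role membership has to be assigned per user in roles.ini (the `users` key of a role, e.g. `users = "alice@example.com"`), with the user name spelled exactly as the SAML attribute delivers it. Check the result by loading any Icinga Web 2 page in a fresh browser session: it should redirect to the IdP first, and the user shown in the top-right menu should equal the REMOTE_USER value your IdP sends.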

Forcing a password change on first login is sensible. But I would strongly discourage you from forcing further changes every 90 days. Periodic forced changes are known to be harmful to security, because they encourage people to choose bad passwords. They also don’t protect against most security risks. (In particular, a change every 90 days means that somebody who acquires a password has up to 90 days to do harm, and somebody who gets the encrypted password file has 90 days to crack it. That’s almost the same as giving them infinite time. So you’re annoying your users at no benefit to security.)