Custom Password Policy

nevisAdmin 4 enforces a password policy for local users. By default, passwords must be at least 6 characters long with no further restrictions. You can tighten these requirements using the properties described on this page.

Info: The built-in admin user always requires a minimum password length of 16 characters, regardless of the minLength setting.

Character and length requirements are enforced when a password is set or changed. Existing passwords are not retroactively invalidated when you tighten the policy.

Password expiration is evaluated on every login. Once a password has expired, the user cannot log in until the password is changed. When enabling expiration on an existing system, users without a password-change date are treated as already expired.

The weak-password list lets administrators reject commonly used or breached passwords at change time. nevisAdmin 4 compares each new password against the entries in the file and rejects exact matches.

Caution: The weak-password list is fully loaded into memory at startup. Large lists increase the memory footprint of nevisAdmin 4 — size the file accordingly.

Configure Password Policy via Helm Chart

For Kubernetes deployments, set the following values in values.yaml or via --set when running helm upgrade:

Helm values (name, default, description):

nevisAdmin4.passwordPolicy.minLength (default: 6)
    Minimum number of characters required.

nevisAdmin4.passwordPolicy.minLower (default: 0)
    Minimum number of lowercase characters required.

nevisAdmin4.passwordPolicy.minUpper (default: 0)
    Minimum number of uppercase characters required.

nevisAdmin4.passwordPolicy.minNumeric (default: 0)
    Minimum number of numeric (digit) characters required.

nevisAdmin4.passwordPolicy.minNonAlnum (default: 0)
    Minimum number of non-alphanumeric (special) characters required. Any character that is not a letter or digit counts as a special character.

nevisAdmin4.passwordPolicy.passwordExpiration (default: 0, disabled)
    Password expiration period for local users. Accepted suffixes: d (days), h (hours), m (minutes), s (seconds) — for example, 90d. Setting to 0 or leaving unset disables expiration.

nevisAdmin4.passwordPolicy.weakPasswordPvc (default: none)
    Name of an existing PVC containing the weak-password list. When set, the chart mounts the PVC into the nevisAdmin 4 container. The file is read once at startup; redeploy to apply changes to the list.

nevisAdmin4.passwordPolicy.weakPasswordFile (default: pwlist.txt)
    Name of the file inside the PVC that contains the weak-password list.

Set Up Weak Password File in Kubernetes

In Kubernetes deployments, the weak password file cannot be placed directly on the filesystem. Instead, store the file in a PersistentVolumeClaim (PVC) and reference it via the Helm chart. The chart mounts the PVC into the nevisAdmin 4 container and configures weakPasswordFile accordingly.

Step 1: Create PVC

Create a PVC to hold the password file (saved here as pvc.yaml):

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pwlist-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Mi

Apply it:

kubectl apply -n <namespace> -f pvc.yaml

Note: ReadWriteOnce is sufficient for a single-replica nevisAdmin 4 deployment. If you plan to run multiple replicas, use ReadWriteMany instead — this requires a storage class that supports it.

Step 2: Copy Weak Password File into PVC

Prepare the weak-password file locally, with one password per line:

123456
password
admin
password123
qwerty
letmein

Start a short-lived helper Pod that mounts the PVC, copy the file in with kubectl cp, then delete the Pod. The destination filename must match the nevisAdmin4.passwordPolicy.weakPasswordFile Helm value (default: pwlist.txt):

apiVersion: v1
kind: Pod
metadata:
  name: pwlist-helper
spec:
  containers:
    - name: helper
      image: busybox
      command: ["sleep", "3600"]
      volumeMounts:
        - name: pw-storage
          mountPath: /data
  volumes:
    - name: pw-storage
      persistentVolumeClaim:
        claimName: pwlist-pvc

kubectl apply -n <namespace> -f pwlist-helper.yaml
kubectl cp ./pwlist.txt <namespace>/pwlist-helper:/data/pwlist.txt
kubectl delete pod pwlist-helper -n <namespace>

The PVC retains the data after the helper Pod is deleted. To update the list later, repeat the same steps — recreate the helper Pod, run kubectl cp, then delete the Pod again. Restart nevisAdmin 4 to pick up the changes.

Step 3: Configure nevisAdmin 4

Add the PVC reference to values.yaml and run helm upgrade as described in Kubernetes Upgrade:

helm upgrade nevisadmin4 nevisadmin4 \
  --repo https://dl.cloudsmith.io/$CLOUDSMITH_PASSWORD/nevissecurity/rolling/helm/charts/ \
  --namespace <namespace> \
  --reuse-values \
  -f values.yaml

Relevant values.yaml entries:

nevisAdmin4:
  passwordPolicy:
    weakPasswordPvc: pwlist-pvc

If you used a filename other than the default pwlist.txt, also set weakPasswordFile:

nevisAdmin4:
  passwordPolicy:
    weakPasswordPvc: pwlist-pvc
    weakPasswordFile: my-weak-passwords.txt

Configure Password Policy in Classic VM Deployment

Set the following properties in /var/opt/nevisadmin4/conf/nevisadmin4.yml.

Example configuration:

authentication:
  password:
    policy:
      minLength: 8
      minLower: 1
      minUpper: 1
      minNumeric: 1
      minNonAlnum: 1
      passwordExpiration: 90d
      weakPasswordFile: /var/opt/nevisadmin4/conf/weak-passwords.txt

The following properties are available:

Properties (name, default, description):

authentication.password.policy.minLength (default: 6)
    Minimum number of characters required.

authentication.password.policy.minLower (default: 0)
    Minimum number of lowercase characters required.

authentication.password.policy.minUpper (default: 0)
    Minimum number of uppercase characters required.

authentication.password.policy.minNumeric (default: 0)
    Minimum number of numeric (digit) characters required.

authentication.password.policy.minNonAlnum (default: 0)
    Minimum number of non-alphanumeric (special) characters required. Any character that is not a letter or digit counts as a special character.

authentication.password.policy.passwordExpiration (default: 0, disabled)
    Password expiration period for local users. Accepted suffixes: d (days), h (hours), m (minutes), s (seconds) — for example, 90d. A plain integer without a suffix is interpreted as days. Setting to 0 or leaving unset disables expiration.

authentication.password.policy.weakPasswordFile (default: none)
    Absolute path to a plain-text file containing forbidden passwords, one per line. Any password matching an entry in the file is rejected. The file is read once at startup; restart nevisAdmin 4 to apply changes to the file.
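The rules from the property tables above, modelled in Python as an added example (this is not nevisAdmin 4 code): it counts character classes the way the page defines them, rejects exact matches against a weak-password list, parses passwordExpiration values and applies the login-time expiration check. How the product treats blank lines or CR line endings in the weak-password file is not stated on the page; the loader here simply drops them, which is an assumption of this example.

```python
# Added example (not nevisAdmin 4 code): model of the local-user password policy.
from dataclasses import dataclass

SUFFIX_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_expiration(value):
    """passwordExpiration in seconds, or None when disabled (0, empty, unset).
    Accepts 90d / 12h / 30m / 45s; a bare integer means days (VM table)."""
    text = "" if value is None else str(value).strip()
    if text in ("", "0"):
        return None
    if text[-1] in SUFFIX_SECONDS:
        return int(text[:-1]) * SUFFIX_SECONDS[text[-1]]
    return int(text) * SUFFIX_SECONDS["d"]

def load_weak_list(text):
    """One password per line, matched exactly (no lower-casing). Dropping blank
    lines and CR endings is this example's choice; the page does not say."""
    return frozenset(line.rstrip("\r") for line in text.split("\n") if line.strip())

@dataclass
class PasswordPolicy:
    min_length: int = 6  # defaults from the property tables
    min_lower: int = 0
    min_upper: int = 0
    min_numeric: int = 0
    min_non_alnum: int = 0
    weak_passwords: frozenset = frozenset()

    def violations(self, password):
        """Every rule the candidate breaks; an empty list means it is accepted."""
        lower = sum(c.islower() for c in password)
        upper = sum(c.isupper() for c in password)
        digits = sum(c.isdigit() for c in password)
        special = sum(not c.isalnum() for c in password)  # anything not letter/digit
        checks = [
            (len(password) < self.min_length, f"minLength {self.min_length}"),
            (lower < self.min_lower, f"minLower {self.min_lower}"),
            (upper < self.min_upper, f"minUpper {self.min_upper}"),
            (digits < self.min_numeric, f"minNumeric {self.min_numeric}"),
            (special < self.min_non_alnum, f"minNonAlnum {self.min_non_alnum}"),
            (password in self.weak_passwords, "listed in weak-password file"),
        ]
        return [rule for failed, rule in checks if failed]

def is_expired(last_change_epoch, expiration_seconds, now_epoch):
    """Login-time check: with expiration enabled, a missing change date is expired."""
    if expiration_seconds is None:
        return False
    return last_change_epoch is None or now_epoch - last_change_epoch >= expiration_seconds
```

Run violations() over the candidate password with the values you intend to deploy; a non-empty list shows exactly which rule would reject it, which is useful before tightening a policy on a live system.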

Restart nevisAdmin 4 after making changes:

nevisadmin4 stopService
nevisadmin4 startService