
Password Policies

DataRobot can be configured to enforce restrictions on users' passwords. To configure these options, refer to the Tuning Datarobot Environment Variables section of this guide.

Default Password Policies

By default, DataRobot is configured so that all users' passwords must meet the following requirements:

  • Contains only printable ASCII characters
  • Must be between 8 and 512 characters in length
  • Must contain at least one capital letter
  • Must contain at least one number
  • Cannot be the same as the user's username

The default password policies can be overridden via the PASSWORD_POLICIES config. The config is a JSON array whose objects have the following format:

{
    "policyType": "The policy type", // OneOf[PolicyType]
    "description": "Description of the policy", // str 
    "value": "The value to enforce. The context depends on the policy type", // OneOf[string, int, array], optional
    "options": "The options to apply. The context depends on the policy type" // OneOf[string, int, array], optional
} 

The supported PolicyTypes:

  • previousPasswordsForbidden - requires the password to be different from the user's last value passwords. If a user tries to reuse a password before it has been changed value times, it will be rejected. e.g.

    {
        "policyType": "previousPasswordsForbidden",
        "description": "previous passwords policy",
        "value": 3
    } 
    

  • validCharacterSet - describes which characters are valid to include in a password. If a user tries to set a password using characters other than these, it will be rejected. e.g.

    {
        "policyType": "validCharacterSet",
        "description": "supported characters policy",
        "value": "abcdef0123456789"
    }

  • requiredCharacterSet - the characters which the password must contain. The password has to include at least value characters from the options set. For example, this can be used to ensure the password has at least one capital letter. e.g.

    {
        "policyType": "requiredCharacterSet",
        "description": "required characters policy",
        "value": 1,
        "options": ["A", "B", "C", "D", ...]
    } 
    

  • minimumLength - requires the password to have at least value number of characters. e.g.

    {
        "policyType": "minimumLength",
        "description": "minimum password length policy",
        "value": 8
    } 
    

  • maximumLength - requires the password to have no more than value number of characters. e.g.

    {
        "policyType": "maximumLength",
        "description": "maximum password length policy",
        "value": 256
    } 
    

  • usernameForbidden - requires the password to not be identical to the username. e.g.

    {
        "policyType": "usernameForbidden",
        "description": "username is not password policy"
    } 
    

An override example:

# helm chart values snippet
core:
  config_env_vars:
    PASSWORD_POLICIES: '[{"policyType":"previousPasswordsForbidden","description":"previous passwords policy","value":3}]' 

Password Expiration

Passwords can be configured to expire a certain number of days after they are set. If a user attempts to log in to DataRobot using an expired password, they will be prompted to change their password before they can access the application.

(Screenshot: Login with expired password)

To enable password expiration, set the PASSWORD_EXPIRATION_TIME setting in core.config_env_vars to a non-zero number. This value is the number of days after which a password will expire.

# helm chart values snippet
core:
  config_env_vars:
    PASSWORD_EXPIRATION_TIME: 180 

When a user's password is about to expire, they will be warned when they login and every time they load DataRobot in a new browser tab.

(Screenshot: Password expiration warning)

How much notice users are given before their password expires can be configured using the PASSWORD_EXPIRATION_WARNING_TIME setting in core.config_env_vars. This value is the number of days before a user's password expires at which DataRobot will begin warning them. For example, to show warnings to a user up to two weeks before their password expires:

# helm chart values snippet
core:
  config_env_vars:
    PASSWORD_EXPIRATION_WARNING_TIME: 14 

Password Reuse

If password expiration is enabled, DataRobot will block users from reusing passwords. How many recently used passwords are blocked is controlled by the PASSWORD_HISTORY_LENGTH setting in core.config_env_vars. This number does not include the user's current password. For example, to prevent users from reusing their 3 most recent passwords:

# helm chart values snippet
core:
  config_env_vars:
    PASSWORD_HISTORY_LENGTH: 3 

When a user attempts to change their password to a previously used password, they will see:

(Screenshot: Password reuse prevented)