> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ocient.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Database Password Security Settings

export const OcientDataIntelligencePlatform = "OcientAIQ™ Unified Data Platform";

export const Ocient = "Ocient®";

You can manage password security in the {OcientDataIntelligencePlatform} by using a variety of settings and managing user states.

## Password Security Settings

{Ocient} includes password security settings to meet specific security requirements or preferences. Five settings are available to configure your password security.

| **Security Setting**             | **Description**                                                                                                                                                                                                                                                                                                                                              |
| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `password_minimum_length`        | The minimum length of passwords. The maximum password length supported by the Ocient System is 32.                                                                                                                                                                                                                                                           |
| `password_complexity_level`      | An integer value representing the password complexity algorithm. <br />Supported values are:<br />`1` — Level 1. The password must contain at least one upper case character, lower case character, and number.<br />`2` — Level 2. In addition to the requirements specified in level 1, the password must contain at least one non-alphanumeric character. |
| `password_no_repeat_count`       | The number of unique passwords that a user must use before they can reuse a password. Even if this setting is set to `0`, when the system determines that the password lifetime has been reached, you must change the password to a unique value.                                                                                                            |
| `password_lifetime_days`         | The password must be changed after this number of days. After the password is older than this period, the user changes to the `PASSWORD_EXPIRED` state on their next login.                                                                                                                                                                                  |
| `password_invalid_attempt_limit` | The number of login attempts with an invalid password before a user changes to the `DISABLED` state.                                                                                                                                                                                                                                                         |

<Info>
  Except for the `password_no_repeat_count` setting, a value of 0 for any of these settings means that the system ignores that setting.
</Info>

### Password Security Setting Hierarchy and Precedence

You can set all these settings at the system, database, or group levels. The Ocient System uses the most restrictive value. For example, if `password_minimum_length` is `8` at the system level, `10` at the database level, and `12` at the group level, the system applies the value `12` to the user.

<Info>
  You can only add a user to a group after you create the user in the system. Upon user creation, `password_minimum_length`, `password_complexity_level`, and `password_no_repeat_count` settings are based only on system- and database-level settings.
</Info>

## System Catalog Table for Security Settings

The `sys.security_settings` system catalog table shows current security settings. The table contains settings for only databases and groups if any settings are non-zero.

After setting the `password_invalid_attempt_limit` value, you can inspect the value using the `sys.security_settings` system catalog table.

```sql SQL theme={null}
SELECT password_invalid_attempt_limit FROM sys.security_settings;
```

<Info>
  The `sys.users` system catalog table contains information about users, their current state, and details about their security status, such as the last time the password was updated or the number of failed login attempts.
</Info>

## Password Recovery

The Ocient System does not enable you to recover a password. If you forget your password, contact the user who has the Security Administrator or Database Administrator role. Users with those roles can set a new password.

## User States

Ocient local users, not SSO-based users, are in one of these states:

* `ENABLED`
* `DISABLED`
* `PASSWORD_EXPIRED`

### `ENABLED` State

Enabled users have normal access privileges to the system. They can connect and execute SQL statements. This state is the default state for all users.

### `DISABLED` State

A disabled user cannot connect to the system, and if they are currently connected, they cannot execute any SQL statements. Users become disabled automatically if they exceed the `password_invalid` number of failed password attempts.

An administrator must set the state of the user to `ENABLED` for the user to resume access.

### `PASSWORD_EXPIRED` State

This state enables a user to log on. However, the only SQL statement they can execute is `ALTER USER <example_user> SET PASSWORD='yyyy'`. The user receives a warning that their password is expired when they authenticate.

Whenever the `password_lifetime_days` number of days has elapsed after the last time the password changed, the system automatically transitions a user to the `PASSWORD_EXPIRED` state on their next login.

You can inspect the last password change timestamp in the `password_updated_at` column in the `sys.users` system catalog table.

### Change User State

To change the state of the user to these different states, use the [ALTER USER](/users-groups-and-service-classes#alter-user) SQL statement.

## Related Links

[Authentication Methods](/authentication-methods)

[Data Control Language (DCL) Statement Reference](/data-control-language-dcl-statement-reference)

[ALTER USER](/users-groups-and-service-classes)

[Cluster and Node Management](/cluster-and-node-management)

[Users, Groups, and Service Classes](/users-groups-and-service-classes)
