Secure your Zabbix logins from brute-force and dictionary attacks by defining password complexity requirements.
An organization-wide password policy is hard to enforce reliably without tooling that checks it at the point where passwords are set. By using Zabbix’s native password complexity settings, we add a layer of protection and ensure that our users actually follow our organization’s password complexity policy.
Define custom Zabbix login password complexity rules:
- Set the minimum password length in a range of 2 – 70 characters
- Define password character set rules
- A built-in deny list of common passwords protects users from dictionary attacks
- Prevent usage of passwords containing the user’s first or last name and other easy-to-guess words
Check out the video to learn how to configure Zabbix password complexity requirements.
- As a super admin navigate to Administration → Authentication
- Define the minimum password length
- Select the optional Password must contain requirements
- Mark Avoid easy-to-guess passwords option
- Navigate to Administration → Users
- Select the user whose password we want to change
- Press the Change password button
- Try using easy-to-guess passwords such as zabbix or password
- Observe the error messages
- Define a password that fits the password requirements
- Press the Update button
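The following is an added, stand-alone Python example (not Zabbix’s own code) that mirrors the rules described above so you can see what each setting rejects before rolling the policy out. It assumes the rule semantics the post lists (minimum length, upper/lower case, digit, special character, no user names, common-password deny list); the `PasswordPolicy` class, `validate_password` function, `stored_prefix` helper, the special-character set and the tiny `TOP_PASSWORDS` stand-in for `ui/data/top_passwords.txt` are all constructed for this illustration.

```python
"""Added example: a checker that mirrors the Zabbix password complexity rules
described in this post. This is illustrative code, not Zabbix's implementation."""
import re
from dataclasses import dataclass, field

# Constructed stand-in for ui/data/top_passwords.txt; the real deny list is far longer.
TOP_PASSWORDS = {"zabbix", "password", "123456", "qwerty", "admin", "letmein"}

# Assumed "special character" set for the example (printable ASCII punctuation plus space).
SPECIAL_CHARS = set(" !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


@dataclass
class PasswordPolicy:
    """One row per option on the Administration -> Authentication form."""
    min_length: int = 8                  # the post gives a 2 - 70 range for this setting
    require_upper_lower: bool = True     # "Password must contain": uppercase and lowercase letters
    require_digit: bool = True           # "Password must contain": a digit
    require_special: bool = True         # "Password must contain": a special character
    avoid_easy_to_guess: bool = True     # "Avoid easy-to-guess passwords"
    deny_list: set = field(default_factory=lambda: set(TOP_PASSWORDS))


def validate_password(password, policy, username="", first_name="", last_name=""):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    errors = []
    if len(password) < policy.min_length:
        errors.append(f"must be at least {policy.min_length} characters long")
    if policy.require_upper_lower and not (re.search(r"[a-z]", password)
                                           and re.search(r"[A-Z]", password)):
        errors.append("must contain uppercase and lowercase Latin letters")
    if policy.require_digit and not re.search(r"[0-9]", password):
        errors.append("must contain a digit")
    if policy.require_special and not any(ch in SPECIAL_CHARS for ch in password):
        errors.append("must contain a special character")
    if policy.avoid_easy_to_guess:
        lowered = password.lower()
        # Assumption for this example: a name anywhere in the password (case-insensitive) is rejected.
        for label, value in (("username", username),
                             ("first name", first_name),
                             ("last name", last_name)):
            if value and value.lower() in lowered:
                errors.append(f"must not contain the user's {label}")
        if lowered in policy.deny_list:
            errors.append("is too easy to guess (found in the deny list)")
    return errors


def stored_prefix(password, limit=72):
    """Model the truncation the post warns about: only the first 72 characters count,
    so two passwords that differ only beyond that point are effectively the same."""
    return password[:limit]


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8)
    # Reproduce the walk-through: the weak passwords from the video are rejected...
    for candidate in ("zabbix", "password"):
        print(candidate, "->", validate_password(candidate, policy) or "OK")
    # ...and a password containing the user's first name is rejected even if otherwise strong.
    print("John1234!x ->", validate_password("John1234!x", policy, first_name="John"))
    print("Str0ng!Pass ->", validate_password("Str0ng!Pass", policy) or "OK")
```

Run it as a script to see the same kind of error list the UI shows in the walk-through; switch individual `PasswordPolicy` fields off to see which rejections each setting is responsible for.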
Tips and best practices:
- It is possible to restrict access to the ui/data/top_passwords.txt file, which contains the Zabbix password deny list
- Passwords longer than 72 characters will be truncated
- Password complexity requirements are only applied to the internal Zabbix authentication
- Users can change their passwords in the user profile settings