Operations Basics / Version 2207
Change all standard passwords of built-in users immediately after installation. Use good passwords.
When providing a password to command line tools in automated procedures,
prefer the environment variable REPOSITORY_PASSWORD to the -p command line argument.
If possible, retrieve the password immediately before calling the command line
tool from a secure password vault. Make sure that the environment variable
does not remain set for too long.
The users' passwords are stored by the Content Servers as salted hashes.
The hash algorithm can be configured using the server property
cap.server.login.passwordHashAlgorithm, which should be set to bcrypt:N,
where N is the load factor of the bcrypt password hashing algorithm.
Higher values of N slow down the hashing performance and improve security.
Set N to at least 10 and choose higher values if the CPU performance allows it.
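As an added illustration (not part of the CoreMedia documentation or its tooling), the following POSIX shell script checks a properties file for the bcrypt:N setting described above and shows one way to hand REPOSITORY_PASSWORD to a single command line tool invocation without leaving it set in the calling shell; the properties file path and the vault command are assumptions.

```shell
#!/bin/sh
# Added example, not CoreMedia's own tooling.
# Part 1: verify cap.server.login.passwordHashAlgorithm is bcrypt:N with N >= 10.
# Part 2: pass REPOSITORY_PASSWORD to exactly one tool invocation.

# check_password_hash_algorithm FILE
# Prints "ok" and returns 0 when the property is bcrypt:N with N >= 10,
# otherwise prints the reason and returns 1.
check_password_hash_algorithm() {
  value=$(sed -n 's/^cap\.server\.login\.passwordHashAlgorithm[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
  case "$value" in
    '')
      echo "property not set"; return 1 ;;
    bcrypt:*)
      n=${value#bcrypt:}
      case "$n" in
        ''|*[!0-9]*) echo "invalid bcrypt load factor '$n'"; return 1 ;;
      esac
      if [ "$n" -lt 10 ]; then
        echo "bcrypt load factor $n is below the minimum of 10"; return 1
      fi
      echo "ok"; return 0 ;;
    *)
      echo "algorithm '$value' is not bcrypt"; return 1 ;;
  esac
}

# run_with_repository_password VAULT_CMD TOOL [ARGS...]
# VAULT_CMD (assumed) prints the secret on stdout. TOOL runs with
# REPOSITORY_PASSWORD set only in its own process; the variable is never
# exported in this shell, so it cannot linger for later commands.
run_with_repository_password() {
  vault_cmd=$1; shift
  secret=$($vault_cmd) || return 1
  status=0
  REPOSITORY_PASSWORD="$secret" "$@" || status=$?
  secret=''; unset secret
  return "$status"
}

# Usage (placeholder path and hypothetical vault command):
#   check_password_hash_algorithm /path/to/server.properties
#   run_with_repository_password 'vault-cli read cm/admin' cm encryptpasswords
```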
The passwords can be encrypted additionally by using the tool cm encryptpasswords
as described in Section 3.13.2.7, “Encryptpasswords” in Content Server Manual.
Some passwords stored in configuration files can be encrypted using the tool
encryptpasswordproperty as described in Section 3.13.1, “Information” in Content Server Manual.
This applies to:
database passwords used by Content Server, Workflow Server and Studio Server,
passwords for connecting to Content Server and Workflow Server,
passphrases for the CORBA-over-SSL keystore.
Passwords for connecting to an LDAP server, to MongoDB, or to Solr cannot be protected in the same manner.