Mass Password Reset
About mass password reset
Mass Password Reset (MPR) is a Bravura Pass capability that automates bulk password rotation across selected accounts. It is designed to support rapid credential resecuring during breach response, compliance events, or policy-enforced password updates.
When triggered, MPR performs automated password resets based on defined rotation policies. Newly generated credentials are written directly into the credential vault (Bravura Safe), where they are stored in encrypted form and tracked through vault audit logging. This process forms part of Bravura Security’s integrated credential rotation strategy and centralized password management architecture.
Terminology
The following terms are used in relation to mass password reset:
Audit log/trail – A chronological record of system events, including password resets, used for monitoring, investigation, and compliance evidence.
Compromised credentials – A trigger for password resets. A credential is considered compromised when an unauthorized party gains access to a user's account login credentials.
Credential rotation – Routine or event-driven password or key changes intended to mitigate unauthorized access risks.
Credential vault – Secure repository for centrally storing, encrypting, and auditing credentials such as passwords and keys.
Deprovision – Removal of user access and credentials from systems or applications as part of offboarding workflows.
Enrollment – Registration of users or accounts into an IAM system. In MPR, enrollment occurs when account credentials are saved in the vault.
Mass password reset – Simultaneous password reset across multiple user accounts in response to a breach, policy update, or compliance requirement. After passwords are reset, they are securely stored in a credential vault.
Onboarding – The process of setting up new users with the necessary accounts, permissions, and credentials when they join an organization.
Offboarding – In the context of Mass Password Reset, offboarding is the process of transferring Bravura Safe secrets from a departing employee to a different user. The offboarded user will no longer have access to those secrets after leaving the organization.
Provision – Creation and configuration of new accounts during onboarding.
When to use mass password reset
Mass Password Reset is appropriate in scenarios including:
Security breaches or suspected compromises
Reset passwords for all accounts that may have been exposed to prevent further intrusion.
Periodic security policy compliance
Apply organization-wide or regulatory password rotation requirements.
Employee offboarding involving shared or service accounts
Reset shared credentials and reassign Bravura Safe secrets when a user with access leaves the organization.
Password policy changes
Enforce immediate updates when new password complexity rules or rotation intervals are introduced.
Regulatory compliance requirement
Satisfy audit or legal requirements that mandate documented password changes within defined intervals.
Architecture
A Mass Password Reset environment consists of:
Bravura Security Fabric 12.9.0+ with Bravura Pass and Bravura Identity licenses
A directory system that is a source of profiles; for example, Active Directory, Entra ID (Azure), LDAP
Target systems managed by Bravura Pass, where passwords will be rotated
The Bravura Safe credentials vault
You set up a dedicated team in Bravura Safe for users affected by MPR operations. Team members also have accounts in the directory system.
For the integration of Bravura Safe with Bravura Security Fabric, you install the following on the Bravura Security Fabric server:
Bravura Safe CLI
Connectors for Bravura Safe User Management (2025) and Bravura Safe Vault Management (2025)
Python packages
(Optional) Bravura Safe Desktop App
The setup steps are detailed in Implementing mass password reset.
Key files
The Mass Password Reset feature requires the installation of a Scenario.mass_password_reset component that installs the following files on the Bravura Security Fabric server:
component/Default/Functional/mass_password_reset/
├── mass_password_reset.py     # Mass Password Reset CLI entry point
├── mass_onboard.py            # Mass Password Reset Onboard CLI entry point
├── single_user_offboard.py    # Single user offboard CLI entry point
├── lib/
│   ├── mass_password_reset.py
│   ├── mass_onboard.py
│   ├── single_user_offboard.py
│   ├── db.py
│   ├── rest.py
│   ├── rest_functions.py
│   ├── report.py
│   └── util.py
component/Default/Scenario/mass_password_reset/
├── common.py
├── data/config.csv
└── wfreq.py
Workflow overview
Once set up and configured, the mass password reset workflow consists of two stages:
Onboarding privileged accounts into Bravura Security Fabric, defining the scope of managed accounts.
Bulk resecuring passwords, including rotating credentials and storing them in the Bravura Safe vault.