Security > Passwords > User Passwords
User Passwords
User passwords must be 10 characters long, which is enforced in the following scenarios:
When users are created, including the initial Administrator user
When a password is changed
Users can be created without passwords in the following situations:
Active Directory/SSO provisioned users
Users that are solely created to support application keys
Configuring Your Initial Password
The Administrator user is created when ThingWorx starts for the first time. A password must be set in the platform-settings.json file that will be used when the Administrator user is created. Add the following AdministratorUserSettings to your platform-settings.json file (in PlatformSettingsConfig) along with a password that is at least 14 characters long. Reference platform-settings.json Configuration Options for more information on placement:
The password, which should not be easily guessed or a known, common password, is recommended to be at least 14 characters in length and should include a mix of uppercase and lowercase letters, numbers, and special characters.
Do not copy and paste the sample below, as it may cause bad formatting in your platform-settings.json. Instead, click here and copy from the file.

"PlatformSettingsConfig": {
"AdministratorUserSettings": {
"InitialPassword": "changeme"
The default location for platform-settings.json is located at: /ThingworxPlatform/platform-settings.json. If the THINGWORX_PLATFORM_SETTINGS environment variable is set, it will use that location instead: ${THINGWORX_PLATFORM_SETTINGS}/platform-settings.json.
It is HIGHLY recommended to:
Use a strong password for your initial Administrator password per NIST guidelines.
Change this password after logging in for the first time to another strong password.
Delete the password from the platform-settings.json file after the Administrator user has been created as it is no longer needed.
If Tomcat fails to start and reports the error message: Check the InitialPassword setting in the AdministratorUserPassword section in platform-settings.json. Password must be a minimum of 10 characters, check the following:
The password setting exists in platform-settings.json
The password is valid (14 or more characters by default, but can be changed in the User Management Subsystem)
The platform-settings.json file is formatted correctly - bad formatting could lead to errors
This process is only applicable for the initial creation of the Administrator user. After changing the password, it will not revert back during a restart. It is recommend to remove this setting from the platform-settings.json file after the Administrator user has been successfully created and its password is changed.