User Passwords
Managing User Passwords
User passwords must be 14 to 128 characters long. The minimum length can be configured in the User Management Subsystem. Password length is enforced in the following scenarios:
When users are created, including the initial Administrator user
When a password is changed
To enhance security, make sure your passwords are not easy to guess and do not contain common words. Create passwords that include a mix of uppercase and lowercase letters, numbers, and special characters.
Users can be created without passwords in the following situations:
Active Directory/SSO provisioned users
Users that are solely created to support application keys
Configuring Your Initial Password
The Administrator user is created when ThingWorx starts for the first time. The password that is used when the Administrator user is created must be set in the platform-settings.json file. Add the following AdministratorUserSettings to your platform-settings.json file (in PlatformSettingsConfig) along with a password that is at least 14 characters long. See platform-settings.json Configuration Options for more information on placement:
Do not copy and paste the sample below, as it may cause bad formatting in your platform-settings.json. Instead, click here and copy from the file.

"PlatformSettingsConfig": {
    "AdministratorUserSettings": {
        "InitialPassword": "<changeme>"
    }
}
The default location for platform-settings.json is: /ThingworxPlatform/platform-settings.json. If the THINGWORX_PLATFORM_SETTINGS environment variable is set, ThingWorx uses that location instead: ${THINGWORX_PLATFORM_SETTINGS}/platform-settings.json.
PTC strongly recommends:
Using a strong password, complying with NIST Authenticator and Verifier Requirements.
Changing this password after logging in for the first time to another strong password.
Deleting the password from the platform-settings.json file after the Administrator user has been created, as it is no longer needed.
If Tomcat fails to start and reports the error message "Check the InitialPassword setting in the AdministratorUserPassword section in platform-settings.json. Password must be a minimum of 14 characters", check the following:
The password setting exists in platform-settings.json.
The password is valid (14 or more characters by default, but can be changed in the User Management Subsystem).
The platform-settings.json file is formatted correctly - bad formatting could lead to errors.
This process is only applicable for the initial creation of the Administrator user. After changing the password, it will not revert back during a restart. It is recommended to remove this setting from the platform-settings.json file after the Administrator user has been successfully created and its password is changed.
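The three checks listed above can be run before starting Tomcat. The following Python script is an added example, not part of the ThingWorx documentation or product; it assumes PlatformSettingsConfig is a top-level key of the file, and the function names and the TRUNCATED sample are constructed for illustration.

```python
import json
import os
from pathlib import Path

DEFAULT_DIR = "/ThingworxPlatform"  # default location given on the page
MIN_LEN, MAX_LEN = 14, 128          # page defaults; the minimum is configurable

# Constructed sample: closing braces lost, as after a bad copy and paste.
TRUNCATED = '{"PlatformSettingsConfig": {"AdministratorUserSettings": {"InitialPassword": "x"'


def settings_path(env=os.environ):
    """Resolve platform-settings.json as described on the page."""
    base = env.get("THINGWORX_PLATFORM_SETTINGS") or DEFAULT_DIR
    return Path(base) / "platform-settings.json"


def check_initial_password(text, min_len=MIN_LEN):
    """Return findings for the three checks; an empty list means all passed.

    The password value itself is never included in a finding.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    try:
        # Assumption: PlatformSettingsConfig is a top-level key of the file.
        pw = doc["PlatformSettingsConfig"]["AdministratorUserSettings"]["InitialPassword"]
    except (KeyError, TypeError):
        return ["InitialPassword not found under AdministratorUserSettings"]
    if not isinstance(pw, str):
        return ["InitialPassword must be a JSON string"]
    if not min_len <= len(pw) <= MAX_LEN:
        return [f"InitialPassword has {len(pw)} characters, expected {min_len} to {MAX_LEN}"]
    return []


if __name__ == "__main__":
    path = settings_path()
    if path.is_file():
        source, text = str(path), path.read_text(encoding="utf-8")
    else:
        source, text = "constructed sample", TRUNCATED
    findings = check_initial_password(text)
    for finding in findings:
        print(f"{source}: {finding}")
    print(f"{source}: {'OK' if not findings else 'fix before starting Tomcat'}")
```

Pass a different min_len if the minimum length has been changed in the User Management Subsystem.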