Managing Passwords
Fuzzball provides two password management workflows: users can change their own password through a self-service flow, and organization owners can reset a member’s password on their behalf. Both flows delegate to Keycloak, which enforces any configured password policy and handles reauthentication.
Password management applies only to users who authenticate directly with Fuzzball. If your organization uses an upstream identity provider (SSO or LDAP), manage passwords through that provider instead.
Users can change their own password at any time when they know their current password.
- Log into your Fuzzball UI
- Click your user avatar or name in the top right corner and select Change Password
- A dialog will open. Click Change Password to be redirected to the Keycloak authentication console in a new tab
- Follow the prompts to enter your current password and choose a new one
- After completing the change, you will be redirected back to Fuzzball
If your organization uses SSO or LDAP, you will see an informational message directing you to manage your password through your identity provider instead.
- Fuzzball CLI installed with an active context
Run the following command to get a link to the Keycloak password change page:
$ fuzzball profile set-password
Open the following URL in your browser to change your password:
https://auth.example.fuzzball.ciq.dev/realms/.../protocol/openid-connect/auth?...&kc_action=UPDATE_PASSWORD&...Open the URL in your browser. Keycloak will prompt you to reauthenticate and then set a new password. After completing the change, you will be redirected back to Fuzzball.
Organization owners can reset a member’s password without knowing the current one. By default
the reset password is permanent — the user is not required to change it. To force a password
change on next login, use the --require-update-password flag (CLI) or enable the equivalent
option in the web UI.
Before resetting a user’s password via the web UI, ensure you have:
- Organization owner permissions
Log into your Fuzzball UI as an organization owner
Click on the Gear icon in the top right of the dashboard header and select Manage organization
Navigate to the Users section in the left toolbar
Find the member whose password you want to reset and open their kebab menu (⋮)
Select Reset Password
In the dialog:
- Leave Auto-generate secure password checked to have Fuzzball create a unique temporary password, or uncheck it to enter one manually
- Click Reset Password
If the password was auto-generated, it will be shown once with a copy button. Save it before closing the dialog — it will not be shown again
Share the new password with the user. If you enabled the option to require a password change, they will be prompted to set a new password on their next login.
- Fuzzball CLI installed with an active context
- Organization owner permissions
Use the organization update-member subcommand with the member’s email address or UUID.
Auto-generate a new password:
$ fuzzball organization update-member user2@ciq.com --generate-password
⚠️ GENERATED PASSWORD (save this - it won't be shown again):
riJ@Kb#2#KpV8g*1S7_Q_4^MLp8I^N52
Password reset successfully.Auto-generate and require the user to change it on next login:
$ fuzzball organization update-member user2@ciq.com --generate-password --require-update-password
⚠️ GENERATED PASSWORD (save this - it won't be shown again):
riJ@Kb#2#KpV8g*1S7_Q_4^MLp8I^N52
The user will be required to change this password on next login.Set a specific password (interactive prompt):
$ fuzzball organization update-member user2@ciq.com --password
Password: ········
Confirm: ········Set a specific password (inline):
$ fuzzball organization update-member user2@ciq.com --password='TempPass1!'The same subcommands apply to organization owners using update-owner:
$ fuzzball organization update-owner user3@ciq.com --generate-passwordShare the new password with the user.