Important Security Announcement for P4 Users
Security expectations for version control infrastructure have evolved dramatically over the years. While Perforce P4 has always empowered administrators with deep configurability, the default configurations shipped with previous versions of P4 are no longer sufficient. With the upcoming P4 2026.1 (scheduled for availability in May), we are implementing a Secure by Default posture designed to enforce best practices when protecting the source code and binary assets stored in P4.
Whether or not you choose to upgrade to the P4 2026.1 release, we strongly recommend that all P4 users update the affected security configurations, both to keep their assets secure and to be able to upgrade to the latest P4 releases without issue. For administrators of publicly accessible or multi-server P4 instances, this should be a priority.
Share this blog with your P4 admins to provide guidance on the affected security configurations, the steps required to avoid lockout before security updates are applied, and how to upgrade to P4 2026.1 or later releases successfully.
What is changing in P4 2026.1
P4 2026.1 automatically applies the recommended security configurations below. For upgrades, admins should follow the What to Do Before You Upgrade section below to avoid user lockout or other potential issues. For new installs, this means any P4 Server on release 2026.1 or later will no longer require manual configuration of security settings to become compliant with our recommendations.
Important: For admins that are not upgrading to 2026.1 but revising security configurations to adhere to our best practices, you must ensure at least one super user has a strong password set before setting the security level to 4. Necessary steps to follow are detailed in our P4 Server Administration Documentation.
The defaults being applied in 2026.1 include:
- Security level 4. security=4 enforces ticket-based authentication, strong passwords, and disables the legacy built-in “remote” user.
- No automatic user creation. The dm.user.noautocreate configurable is set so new users cannot be created simply by attempting to connect. Admins provision accounts explicitly.
- No self-service initial passwords. The dm.user.setinitialpasswd configurable is disabled. Only a super user can set the first password on a new account, closing the account-takeover path on dormant or never-logged-in users.
- Forced password reset on first login. The dm.user.resetpassword configurable ensures new users log in once with an admin-issued credential, then immediately set their own.
- Authenticated user listing. The run.users.authorize configurable prevents unauthenticated enumeration of the user directory.
- Hidden server fingerprinting data. The dm.info.hide and dm.user.hideinvalid configurables remove the version, license, internal IP, and username-validity signals that attackers use during reconnaissance.
- Protected key/value storage. The dm.keys.hide configurable restricts read access to stored keys so non-admin users cannot enumerate them.
- Role checks for multi-server deployments. The server.rolechecks configurable prevents a server from acting in a P4AUTH capacity without explicit configuration.
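One way to check an existing server against the list above before upgrading, as an added example that is not Perforce's own code: the function reads p4 configure show output on stdin and reports each configurable from this post. The "name=value (source)" line format, the non-zero and zero tests, and treating an absent configurable as not hardened are assumptions; the post gives an exact value only for security.

```shell
#!/bin/sh
# Added example, not Perforce code. Rules mirror only what the post states:
#   eq4 = must be exactly 4, on = non-zero integer, off = must be 0.
# Assumption: input lines have the form "name=value (source)".
# Assumption: a configurable absent from the input counts as not hardened.
# Live use: p4 configure show | audit_p4_config
audit_p4_config() {
    awk '
    BEGIN {
        spec = "security=eq4 dm.user.noautocreate=on dm.user.setinitialpasswd=off"
        spec = spec " dm.user.resetpassword=on run.users.authorize=on dm.info.hide=on"
        spec = spec " dm.user.hideinvalid=on dm.keys.hide=on server.rolechecks=on"
        n = split(spec, item, " ")
        for (i = 1; i <= n; i++) {
            split(item[i], kv, "=")
            order[i] = kv[1]; rule[kv[1]] = kv[2]
        }
        want["eq4"] = "4"; want["on"] = "non-zero"; want["off"] = "0"
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        name = substr($0, 1, eq - 1)
        value = substr($0, eq + 1)
        sub(/[ \t].*$/, "", value)          # drop the trailing " (source)"
        if (name in rule) seen[name] = value
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            k = order[i]; r = rule[k]
            if (!(k in seen)) { print "FAIL " k " unset (want " want[r] ")"; bad++; continue }
            v = seen[k]; num = v + 0        # force a numeric comparison
            ok = (v ~ /^[0-9]+$/) && ((r == "eq4" && num == 4) || (r == "on" && num > 0) || (r == "off" && num == 0))
            if (ok) print "ok   " k "=" v
            else { print "FAIL " k "=" v " (want " want[r] ")"; bad++ }
        }
        exit (bad > 0)                      # status 1 if anything failed
    }'
}

# Constructed sample standing in for real server output (server.rolechecks absent).
sample_config() {
    printf '%s (configure)\n' security=3 dm.user.noautocreate=2 \
        dm.user.setinitialpasswd=1 dm.user.resetpassword=1 run.users.authorize=1 \
        dm.info.hide=1 dm.user.hideinvalid=0 dm.keys.hide=2
}

sample_config | audit_p4_config || echo "server is not at the hardened defaults"
```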
What to Do Before You Upgrade
Because 2026.1 enforces stronger authentication by default, it is critical to ensure all of your users adhere to strong password requirements before you update.
All necessary steps to follow before you update are detailed in our P4 Server Administration Documentation.
How to Upgrade to P4 2026.1 and later
Upgrade steps for all supported releases of P4 are detailed in our P4 Server Administration Documentation.
Security is a Community Responsibility
Secure defaults aren’t just an update we ship. Security is a commitment we will keep and maintain, release after release.
We put extreme value on the community of users that make our products better, safer, and continually aligned to the needs of today’s modern workflows.
We remain committed to actively engaging with independent security researchers and will continue to promote transparency and education to foster industry-wide advances that help secure our environments.