Protections and passwords

Until you define a Helix Core Server superuser, every user is a superuser and can run any Helix Core Server command on any file. After you start a new Perforce service, use:

$ p4 protect

as soon as possible to define a Helix Server superuser. To learn more about how p4 protect works, see Access authorization.

Without passwords, any user is able to impersonate any other Helix Server user, either with the -u flag or by setting P4USER to an existing Helix Server user name. Use of Helix Server passwords prevents such impersonation. See Passwords in the Helix Core Command-Line (P4) Guide.

To set (or reset) a user’s password, either

  • use p4 passwd username (as a Helix Core Server superuser), and enter the new password for the user, or
  • invoke p4 user -f username (also a superuser) and enter the new password into the user specification form.

The security-conscious Helix Server superuser also uses p4 protect to ensure that no access higher than list is granted to unprivileged users, p4 configure to set the security level to a level that requires that all users have strong passwords, and p4 group to assign all users to groups (and, optionally, to require regular changes of passwords for users on a per-group basis, to set a minimum required password length for all users on the site, and to lock out users for predefined amounts of time after repeated failed login attempts).


An alternate way to reduce security risk during initial setup or during a maintenance interval is to start the Helix Core Server using localhost:port syntax. For example:

$ p4d localhost:2019

This forces the server to ignore non-local connection requests.

For complete information about security, see Secure the server, including Recommended settings to configurables for security .