Set Up Access to Sensitive Items

Vault lets you control access to sensitive credentials by assigning security roles to your Vault users. Start with roles that have as few permissions as necessary, then grant access to specific items as needed.

Login Password Requirements

Vault does not store password information for authenticating to the system; instead, it can be configured to use Active Directory (AD), a RADIUS server, or a local account. Ensure the password policies on those authentication systems require sufficiently complex passwords.

Maximum Login Failures

Vault can be configured to require the user to complete a CAPTCHA after a number of failed login attempts. We recommend you set this number to 1, so that any time a bad password is entered, the CAPTCHA is needed in order to proceed. In addition, configure your SIEM system to monitor for multiple failed authentication attempts.
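The SIEM monitoring recommended above can be prototyped as a sliding-window rule before it is written in your SIEM's own query language. The following is an added example, not part of the original documentation or vendor code. The log layout, field names, function name, and the threshold of 3 failures in 5 minutes are assumptions, and input is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value layout; map the
# field names to whatever your authentication log feed actually emits.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z event=login result=failure user=jsmith src=10.0.0.15
2024-05-01T09:00:40Z event=login result=failure user=jsmith src=10.0.0.15
2024-05-01T09:01:10Z event=login result=failure user=jsmith src=10.0.0.15
2024-05-01T09:01:30Z event=login result=success user=adavis src=10.0.0.22
2024-05-01T09:02:00Z event=login result=failure user=adavis src=10.0.0.22
2024-05-01T09:30:00Z event=login result=failure user=adavis src=10.0.0.22
2024-05-01T09:40:00Z event=login result=failure user=mlee src=10.0.0.99
2024-05-01T09:40:20Z event=login result=failure user=kwong src=10.0.0.99
2024-05-01T09:40:45Z event=login result=failure user=bpatel src=10.0.0.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=login result=(?P<result>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def detect_failed_logins(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return sorted alerts (kind, key, time) when `threshold` failures for one
    user, or from one source address, fall inside a sliding `window`."""
    recent = defaultdict(deque)   # (kind, key) -> failure timestamps in window
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "failure":
            continue              # skip malformed lines and successful logins
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for kind in ("user", "src"):
            q = recent[(kind, m[kind])]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append((kind, m[kind], m["ts"]))
                q.clear()         # re-arm so one burst yields one alert
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_failed_logins(SAMPLE_LOG):
        print(alert)
```

Tracking failures per source address as well as per user catches the case where each account sees only one bad password but many accounts are tried from the same host.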

Two-Factor Authentication

Vault supports multifactor authentication to allow you to maintain the highest level of security within your Vault instance.