Overview
Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail.
Minimum password length
By setting a minimum password length, you can require users to choose passwords long enough for system security. If a user specifies a shorter password, the system rejects the setting and prompts the user to specify a new password.
Minimum password update interval
This function allows you to set the minimum interval at which users can change their passwords. If a non-manage level user logs in to change the password but less time than this interval has elapsed since the last change, the system denies the request. For example, if you set this interval to 48 hours, a non-manage level user cannot change the password twice within 48 hours. This prevents users from changing their passwords too frequently.
NOTE: This function is not effective on users of the manage level. For information about user levels, see Fundamentals Configuration Guide. This function is not effective on a user who is prompted to change the password at the first login or a user whose password has just been aged out.
Password aging
Password aging imposes a lifecycle on a user password. After the password aging time expires, the user needs to change the password.
If a user enters an expired password when logging in, the system displays an error message and prompts the user to provide a new password and to confirm it by entering it again. The new password must be a valid one and the user must enter exactly the same password when confirming it.
Early notice on pending password expiration
When a user logs in, the system checks whether the password will expire in a time equal to or less than the specified period. If so, the system notifies the user of the expiration time and provides a choice for the user to change the password. If the user provides a new password that is complexity-compliant, the system records the new password and the time. If the user chooses to leave the password or the user fails to change it, the system allows the user to log in using the current password.
NOTE: Telnet, SSH, and terminal users can change their passwords by themselves, while FTP users can only have their passwords changed by the administrator.
Login with an expired password
You can allow a user to log in a certain number of times within a specific period of time after the password expires, so that the user does not need to change the password immediately. For example, if you set the maximum number of logins with an expired password to three and the time period to 15 days, a user can log in three times within 15 days after the password expires.
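The following Python model is an added example written for this overview; it is not the device's own code. It puts the minimum password update interval, password aging, early notice on pending expiration, and login with an expired password together in one place, using the figures from the text (a 48-hour update interval is shown here as 24 hours, three expired logins within 15 days). The Policy and Account fields, the status strings, and the 90-day/7-day defaults are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example, not the device's own code. Field names, defaults and the
# returned status strings are assumptions made for this illustration.

@dataclass
class Policy:
    aging_days: int = 90              # password lifetime (password aging)
    alert_before_days: int = 7        # early notice window before expiry
    update_interval_hours: int = 24   # minimum interval between user-initiated changes
    expired_logins: int = 3           # logins allowed after expiry ...
    expired_period_days: int = 15     # ... within this many days after expiry

@dataclass
class Account:
    level: str                        # "manage" or a lower user level
    last_change: datetime             # time of the last password change
    expired_logins_used: int = 0      # grace logins consumed since expiry
    must_change: bool = False         # prompted to change the password at first login

def login_status(acct: Account, policy: Policy, now: datetime) -> str:
    """Classify a login attempt: 'ok', 'expiring:<days left>', 'expired-grace' or 'expired'."""
    expiry = acct.last_change + timedelta(days=policy.aging_days)
    if now < expiry:
        remaining = expiry - now
        if remaining <= timedelta(days=policy.alert_before_days):
            # early notice: the user is told the expiration time and may change now
            return f"expiring:{remaining.days}"
        return "ok"
    # expired: a limited number of logins within a limited period is still allowed
    if (acct.expired_logins_used < policy.expired_logins
            and now - expiry <= timedelta(days=policy.expired_period_days)):
        acct.expired_logins_used += 1
        return "expired-grace"
    return "expired"    # the user must provide and confirm a new password

def can_change_password(acct: Account, policy: Policy, now: datetime) -> bool:
    """Minimum update interval; manage-level, first-login and aged-out users are exempt."""
    expired = now >= acct.last_change + timedelta(days=policy.aging_days)
    if acct.level == "manage" or acct.must_change or expired:
        return True
    return now - acct.last_change >= timedelta(hours=policy.update_interval_hours)

def change_password(acct: Account, now: datetime) -> None:
    """Record a successful change: new timestamp, grace counter and first-login flag reset."""
    acct.last_change = now
    acct.expired_logins_used = 0
    acct.must_change = False
```

Running login_status once per login is what consumes a grace login; the fourth attempt after expiry, or any attempt more than 15 days past the expiry time, returns "expired" even when the count is still available.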
Password history
With this feature enabled, the system keeps a record of the passwords that a user has used. When a user changes the password, the system checks the new password against the history passwords and the current password. The new password must differ from each used password by at least four characters, and those four characters must be different from one another. Otherwise, the password change fails and the system displays an error message.
You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds your setting, the latest record overwrites the earliest one.
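The following Python class is an added example written for this overview, not the device's own code. It models the history check and the overwrite of the earliest record. The guide does not define how "differs by at least four characters" is measured, so this example assumes a position-by-position comparison: a character of the new password counts as differing when the old password has a different character, or no character, at that position.

```python
from collections import deque
from typing import Deque, List, Optional, Tuple

# Added example, not the device's own code. The position-by-position
# measure of "differing characters" below is an assumption.

MIN_DIFFERING_CHARS = 4

def differing_chars(new: str, old: str) -> List[str]:
    """Characters of `new` at positions where it differs from `old`."""
    return [ch for i, ch in enumerate(new) if i >= len(old) or old[i] != ch]

def differs_enough(new: str, old: str) -> bool:
    """At least four differing characters, and those four not all the same character."""
    diff = differing_chars(new, old)
    return len(diff) >= MIN_DIFFERING_CHARS and len(set(diff)) >= MIN_DIFFERING_CHARS

class PasswordHistory:
    """Per-user record of the current password and up to max_records old ones."""

    def __init__(self, max_records: int = 4) -> None:
        self.current: Optional[str] = None
        # deque(maxlen=...) drops the earliest record when a new one is appended,
        # which is the overwrite behaviour described above
        self.history: Deque[str] = deque(maxlen=max_records)

    def change_password(self, new: str) -> Tuple[bool, str]:
        """Accept the new password only if it differs enough from every used one."""
        used = list(self.history)
        if self.current is not None:
            used.append(self.current)
        for old in used:
            if not differs_enough(new, old):
                return False, "new password differs too little from a password already used"
        if self.current is not None:
            self.history.append(self.current)
        self.current = new
        return True, "password changed"
```

With max_records set to 2, a password that was used four changes ago has already been overwritten and may be chosen again; with max_records set to 3 it is still on record and is refused.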
Login attempt limit
Limiting the number of consecutive failed login attempts can effectively prevent password guessing.
If an FTP or virtual terminal line (VTY) user fails authentication due to a password error, the system adds the user to a password control blacklist. If a user fails to provide the correct password after the specified number of consecutive attempts, the system takes action as configured:
Prohibiting the user from logging in until the user is removed from the password control blacklist manually.
Allowing the user to keep trying, and removing the user from the password control blacklist when the user logs in to the system successfully or the blacklist entry times out (the blacklist entry aging time is one minute).
Prohibiting the user from logging in within a configurable period of time, and allowing the user to log in again after the period of time elapses or the user is removed from the password control blacklist.
A password control blacklist can contain up to 1024 entries.
A login attempt using a wrong username always fails, but the username is not added to the password control blacklist.
Users accessing the system through the console interface are not blacklisted, because the system cannot obtain the IP addresses of these users, and because these users are privileged and therefore pose relatively little risk to the system.
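The following Python simulation is an added example for the login attempt limit described above; it is not the device's own code. It records failed FTP/VTY attempts in a blacklist, applies one of the three configured actions once the limit is reached, uses the one-minute aging time and 1024-entry capacity stated above, and leaves wrong-username and console logins out of the blacklist. Keying entries by (username, source IP), applying the one-minute aging to any entry that is not under a lock, and recording nothing when the blacklist is full are assumptions of this example; the action names are this example's own.

```python
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple

# Added example, not the device's own code. Action names, the (user, ip) key and
# the handling of a full blacklist are assumptions made for this illustration.

class Action(Enum):
    LOCK = "lock"            # prohibit login until the entry is removed manually
    UNLOCK = "unlock"        # keep accepting attempts; entry ages out after 60 s
    LOCK_TIME = "lock-time"  # prohibit login for a configurable period

BLACKLIST_AGING_SECONDS = 60    # blacklist entry aging time stated above
MAX_BLACKLIST_ENTRIES = 1024    # blacklist capacity stated above

@dataclass
class Entry:
    failures: int
    last_failure: float
    locked_until: Optional[float] = None   # set under LOCK_TIME when the limit is reached
    locked: bool = False                   # set under LOCK when the limit is reached

class LoginGuard:
    def __init__(self, users: Dict[str, str], max_attempts: int = 3,
                 action: Action = Action.LOCK_TIME, lock_seconds: int = 120,
                 clock: Callable[[], float] = time.time) -> None:
        self.users = users            # constructed username -> password map
        self.max_attempts = max_attempts
        self.action = action
        self.lock_seconds = lock_seconds
        self.clock = clock            # injectable so tests can move time forward
        self.blacklist: Dict[Tuple[str, str], Entry] = {}

    def unlock(self, user: str, ip: str) -> None:
        """Administrator removes a user from the blacklist manually."""
        self.blacklist.pop((user, ip), None)

    def login(self, user: str, password: str, ip: Optional[str] = None) -> bool:
        now = self.clock()
        correct = self.users.get(user) == password
        if ip is None:                # console user: never blacklisted
            return correct
        if user not in self.users:    # wrong username: fails, but no blacklist entry
            return False
        key = (user, ip)
        entry = self.blacklist.get(key)
        if entry is not None:
            if entry.locked:
                return False          # LOCK: refused until unlock()
            if entry.locked_until is not None and now < entry.locked_until:
                return False          # LOCK_TIME: lock period still running
            if entry.locked_until is not None or now - entry.last_failure >= BLACKLIST_AGING_SECONDS:
                del self.blacklist[key]   # lock period elapsed, or entry aged out
                entry = None              # (assumption: aging applies to any entry not under a lock)
        if correct:
            self.blacklist.pop(key, None)   # successful login removes the entry
            return True
        if entry is None:
            if len(self.blacklist) >= MAX_BLACKLIST_ENTRIES:
                return False          # assumption: a full blacklist records no new entry
            entry = self.blacklist[key] = Entry(failures=0, last_failure=now)
        entry.failures += 1
        entry.last_failure = now
        if entry.failures >= self.max_attempts:
            if self.action is Action.LOCK:
                entry.locked = True
            elif self.action is Action.LOCK_TIME:
                entry.locked_until = now + self.lock_seconds
        return False
```

The clock is injected so that the lock period and the one-minute aging can be exercised without waiting; in the time-locked state even the correct password is refused from the blacklisted address, while the same account still logs in from the console.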
Password composition checking
A password can be a combination of characters from the following four types:
Uppercase letters A to Z
Lowercase letters a to z
Digits 0 to 9
32 special characters: blank space, tilde (~), back quote (`), exclamation point (!), at sign (@), pound sign (#), dollar sign ($), percent sign (%), caret (^), ampersand (&), asterisk (*), left parenthesis ("("), right parenthesis (")"), underscore (_), plus sign (+), minus sign (-), equal sign (=), left brace ({), right brace (}), vertical bar (|), left bracket ([), right bracket (]), back slash (\), colon (:), quotation mark ("), semicolon (;), apostrophe ('), left angle bracket (<), right angle bracket (>), comma (,), dot (.), and slash (/)
Depending on the system security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters that are from each type in the password.
There are four password combination levels in non-FIPS mode: 1, 2, 3, and 4, each representing the number of character types that a password must at least contain. Level 1 means that a password must contain characters of one type, level 2 at least two types, and so on.
In FIPS mode, a password must contain all four types of characters, with at least one character from each type.
When a user sets or changes the password, the system checks if the password meets the composition requirement. If not, the system displays an error message.
Password complexity checking
A less complicated password, such as one containing the username or repeated characters, is more likely to be cracked. For higher security, you can configure a password complexity checking policy to make sure that all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password. If the password does not meet the complexity requirements, the system refuses the password and displays a password configuration failure message.
You can impose the following password complexity requirements:
A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is weak.
No character of the password is repeated three or more times consecutively. For example, password a111 is weak.
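The following Python functions are an added example written for this overview, not the device's own code. They implement the composition and complexity rules described in the two sections above: the four character types with the 32 special characters listed, the composition level (minimum number of types) together with a minimum count per type, the FIPS-mode rule, and the username and consecutive-repeat checks. Parameter names are this example's own, and the username match is assumed to be case-sensitive because the guide does not say.

```python
import re
from typing import Dict, List, Tuple

# Added example, not the device's own code. Parameter names and the
# case-sensitive username comparison are assumptions of this illustration.

SPECIAL_CHARS = set(" ~`!@#$%^&*()_+-={}|[]\\:\";'<>,./")   # the 32 special characters listed above

def char_type_counts(password: str) -> Dict[str, int]:
    """Count how many characters of each of the four types the password holds."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if "A" <= ch <= "Z":
            counts["upper"] += 1
        elif "a" <= ch <= "z":
            counts["lower"] += 1
        elif "0" <= ch <= "9":
            counts["digit"] += 1
        elif ch in SPECIAL_CHARS:
            counts["special"] += 1
        else:
            raise ValueError(f"character not allowed in a password: {ch!r}")
    return counts

def check_composition(password: str, level: int = 2, min_per_type: int = 1,
                      fips: bool = False) -> Tuple[bool, str]:
    """At least `level` character types, each with at least `min_per_type` characters.
    FIPS mode forces all four types with at least one character of each."""
    if fips:
        level, min_per_type = 4, max(min_per_type, 1)
    counts = char_type_counts(password)
    satisfied = [t for t, n in counts.items() if n >= min_per_type]
    if len(satisfied) < level:
        return False, (f"password needs at least {level} character types "
                       f"with at least {min_per_type} character(s) each")
    return True, "composition ok"

def check_complexity(password: str, username: str) -> Tuple[bool, str]:
    """Username rule and consecutive-repeat rule from the complexity policy."""
    if username and (username in password or username[::-1] in password):
        return False, "password contains the username or its reverse"
    if re.search(r"(.)\1{2,}", password):      # same character three or more times in a row
        return False, "a character repeats three or more times consecutively"
    return True, "complexity ok"

def validate_password(password: str, username: str, level: int = 2,
                      min_per_type: int = 1, fips: bool = False) -> List[str]:
    """Return the failure messages; an empty list means the password is accepted."""
    failures = []
    for ok, msg in (check_composition(password, level, min_per_type, fips),
                    check_complexity(password, username)):
        if not ok:
            failures.append(msg)
    return failures
```

validate_password reports every rule the candidate breaks rather than stopping at the first, so the messages can be shown together as the configuration failure message mentioned above.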
Password display in the form of a string of asterisks (*)
For the sake of security, the password a user enters is displayed in the form of a string of asterisks (*).
Authentication timeout management
The authentication period is from when the server obtains the username to when the server finishes authenticating the user's password. If a Telnet user fails to log in within the configured period of time, the system tears down the connection.
Maximum account idle time
You can set the maximum account idle time so that an account that stays idle for this period of time becomes invalid and can no longer log in. For example, if you set the maximum account idle time to 60 days and the user of the account test has not logged in successfully within 60 days after the last successful login, the account becomes invalid.
Logging
The system logs all successful password changing events and the events of adding users to the password control blacklist.