Enabling password control
To enable password control functions, you need to:
1. Enable the password control feature in system view. Password control configurations take effect only after the password control feature is enabled globally.
2. Enable a specific password control function. The following password control functions need to be enabled individually after the password control feature is enabled globally:
   - Password aging
   - Minimum password length
   - Password history
   - Password composition checking

You must enable a function for its relevant configurations to take effect.
To enable password control:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable the password control feature. | password-control enable | Disabled by default. |
3. Enable a password control function individually. | password-control { aging \| composition \| history \| length } enable | Optional. All of the four password control functions are enabled by default. |
After global password control is enabled, local user passwords configured on the device are not displayed when you use the corresponding display command.
For security purposes, the system prompts the Telnet, SSH, and terminal users to change their passwords the first time they log in to the device after the global password control is enabled. Because FTP users can only have their passwords changed by the administrator, if the administrator does not change passwords for the FTP users after the global password control is enabled, the FTP users cannot log in to the device.
About the minimum password length:
- When global password control is disabled, the minimum password length is one character.
- When global password control is enabled but the minimum password length restriction function and FIPS mode are disabled, the minimum password length is four characters, and the password must have at least four different characters.
- When global password control and FIPS mode are enabled but the minimum password length restriction function is disabled, the minimum password length is eight characters, and the password must have at least four different characters.
- When global password control and the minimum password length restriction function are both enabled, the minimum password length is the value configured with the password-control length length command. However, the password must meet the FIPS requirements.
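The four cases above can be checked against a saved configuration when auditing a device. The following Python sketch is an added example, not vendor code. It assumes that a disabled function appears in the configuration as an `undo password-control length enable` line and FIPS mode as `fips mode enable`; the names `Policy`, `effective_policy` and `violations` are hypothetical, and the sample configurations are constructed.

```python
import re
from typing import List, NamedTuple, Optional

class Policy(NamedTuple):
    min_length: Optional[int]    # None: no "password-control length N" line was found
    min_distinct: Optional[int]  # None: the page states no distinct-character rule here
    reason: str

def effective_policy(config_text: str) -> Policy:
    """Map a saved configuration to one of the four minimum-length cases."""
    lines = {ln.strip() for ln in config_text.splitlines()}
    global_on = "password-control enable" in lines
    # Assumption: the four functions are on by default, so only an "undo" line disables one.
    length_on = "undo password-control length enable" not in lines
    fips_on = "fips mode enable" in lines  # assumed config line for FIPS mode
    configured = None
    for ln in lines:
        m = re.fullmatch(r"password-control length (\d+)", ln)
        if m:
            configured = int(m.group(1))
    if not global_on:
        return Policy(1, None, "global password control disabled")
    if length_on:
        return Policy(configured, None, "configured length; FIPS requirements also apply")
    if fips_on:
        return Policy(8, 4, "FIPS mode on, length function off")
    return Policy(4, 4, "length function and FIPS mode off")

def violations(password: str, policy: Policy) -> List[str]:
    """List the rules from the effective policy that a candidate password breaks."""
    found = []
    if policy.min_length is not None and len(password) < policy.min_length:
        found.append(f"shorter than {policy.min_length} characters")
    if policy.min_distinct is not None and len(set(password)) < policy.min_distinct:
        found.append(f"fewer than {policy.min_distinct} different characters")
    return found

# Constructed configuration fragments, not taken from a real device.
SAMPLES = {
    "global off": "sysname lab-sw1",
    "length off": "password-control enable\nundo password-control length enable",
    "length off, FIPS": "fips mode enable\npassword-control enable\nundo password-control length enable",
    "length 12": "password-control enable\npassword-control length 12",
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        p = effective_policy(cfg)
        print(f"{name}: min_length={p.min_length} min_distinct={p.min_distinct} ({p.reason})")
```

The FIPS requirements that apply in the fourth case are not modeled, because this section does not list them.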
About password history control:
- When global password control is disabled, or when global password control is enabled but the password history control is disabled, the device does not record history passwords and allows a user to set a new password the same as a previously used one.
- When global password control and password history control are both enabled, the system records history passwords for users. When a user changes the password, the system compares the new password against the history passwords and the current password. The new password must differ from each of them by at least four characters, and the four characters must not be the same. Otherwise, the password change fails.