Setting global password control parameters

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the password aging time.
   Command: password-control aging aging-time
   Remarks: Optional. 90 days by default.

3. Set the minimum password update interval.
   Command: password-control password update interval interval
   Remarks: Optional. 24 hours by default.

4. Set the minimum password length.
   Command: password-control length length
   Remarks: Optional. 10 characters by default.

5. Configure the password composition policy.
   Command: password-control composition type-number type-number [ type-length type-length ]
   Remarks: Optional.
     • In non-FIPS mode, by default, a password must contain at least one type of characters and each type must contain at least one character.
     • In FIPS mode, by default, a password must contain four types of characters and each type must contain at least one character.

6. Configure the password complexity checking policy.
   Command: password-control complexity { same-character | user-name } check
   Remarks: Optional. By default, the system does not perform password complexity checking.

7. Set the maximum number of history password records for each user.
   Command: password-control history max-record-num
   Remarks: Optional. 4 by default.

8. Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts.
   Command: password-control login-attempt login-times [ exceed { lock | unlock | lock-time time } ]
   Remarks: Optional. By default, the maximum number of login attempts is 3 and a user failing to log in after the specified number of attempts must wait for one minute before trying again.

9. Set the number of days during which the user is warned of the pending password expiration.
   Command: password-control alert-before-expire alert-time
   Remarks: Optional. 7 days by default.

10. Set the maximum number of days and maximum number of times that a user can log in after the password expires.
   Command: password-control expired-user-login delay delay times times
   Remarks: Optional. By default, a user can log in three times within 30 days after the password expires.

11. Set the authentication timeout time.
   Command: password-control authentication-timeout authentication-timeout
   Remarks: Optional. 60 seconds by default.

12. Set the maximum account idle time.
   Command: password-control login idle-time idle-time
   Remarks: Optional. 90 days by default.


NOTE:

The password-control login-attempt command takes effect immediately and can affect the users already in the password control blacklist. Other password control configurations do not take effect for users who are already logged in or for passwords that are already configured.
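A saved configuration can be checked against the defaults listed above. The script below is an added example, not code from the original page or from the vendor. It assumes the configuration lists each command in the syntax shown in the steps, and it treats any value weaker than the documented non-FIPS default as a finding; the names `audit`, `SAMPLE`, `DEFAULTS` and `HIGHER_IS_WEAKER` are hypothetical.

```python
import re

# Defaults from the table above (non-FIPS mode); an absent command means the default applies.
DEFAULTS = {"aging": 90, "length": 10, "history": 4, "login-attempt": 3}
# For these keys a value above the default is weaker; for the others, a value below it.
HIGHER_IS_WEAKER = {"aging", "login-attempt"}

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
sysname lab-sw1
password-control aging 180
password-control length 8
password-control login-attempt 5 exceed unlock
password-control complexity user-name check
"""

def audit(config_text):
    """Return findings for the password-control lines in config_text."""
    findings, seen_checks, values = [], set(), dict(DEFAULTS)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("password-control "):
            continue
        rest = line[len("password-control "):]
        m = re.fullmatch(r"complexity (same-character|user-name) check", rest)
        if m:
            seen_checks.add(m.group(1))
            continue
        for key in DEFAULTS:
            m = re.fullmatch(re.escape(key) + r" (\d+)(?: exceed (.+))?", rest)
            if m:
                values[key] = int(m.group(1))
                if key == "login-attempt" and m.group(2) == "unlock":
                    findings.append("login-attempt: 'exceed unlock' applies no lockout")
    for key, default in DEFAULTS.items():
        weaker = values[key] > default if key in HIGHER_IS_WEAKER else values[key] < default
        if weaker:
            findings.append(f"{key}: {values[key]} is weaker than the default {default}")
    for check in ("same-character", "user-name"):
        if check not in seen_checks:
            findings.append(f"complexity {check} check is not enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Because both complexity checks are off by default, an empty configuration still yields two findings.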