Setting global password control parameters
The password expiration time, minimum password length, and password composition policy can be configured in system view, user group view, or local user view. Settings with a smaller application scope have higher priority. Global settings in system view apply to the passwords of the local users in all user groups if no password policy is configured for these users in either local user view or user group view.
The password-control login-attempt command takes effect immediately and can affect users already in the password control blacklist. Other password control configurations do not take effect on users who are already logged in or on passwords that have already been configured.
To set global password control parameters:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the password expiration time. | password-control aging aging-time | The default setting is 90 days. |
3. Set the minimum password update interval. | password-control update-interval interval | The default setting is 24 hours. |
4. Set the minimum password length. | password-control length length | |
5. Configure the password composition policy. | password-control composition type-number type-number [ type-length type-length ] | |
6. Configure the password complexity checking policy. | password-control complexity { same-character \| user-name } check | By default, the system does not perform password complexity checking. |
7. Set the maximum number of history password records for each user. | password-control history max-record-num | The default setting is 4. |
8. Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts. | password-control login-attempt login-times [ exceed { lock \| lock-time time \| unlock } ] | By default, the maximum number of login attempts is 3 and a user failing to log in after the specified number of attempts must wait for 1 minute before trying again. |
9. Set the number of days during which a user is notified of the pending password expiration. | password-control alert-before-expire alert-time | The default setting is 7 days. |
10. Set the maximum number of days and maximum number of times that a user can log in after the password expires. | password-control expired-user-login delay delay times times | By default, a user can log in three times within 30 days after the password expires. |
11. Set the maximum account idle time. | password-control login idle-time idle-time | The default setting is 90 days. |
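The following Python example is added here and is not from the original documentation or the vendor. It reads a saved device configuration and reports the effective global password-control values, filling in the defaults from the Remarks column and skipping lines inside a user group or local user view, which override the global setting rather than change it. The configuration layout (sections separated by #, view headers in column 0), the names DEFAULTS, RULES, global_settings and SAMPLE, and the sample values are assumptions.

```python
import re

# Defaults from the Remarks column above; the page lists none for length and
# composition, so those stay None until a configured line is found.
DEFAULTS = {"aging": 90, "update-interval": 24, "length": None,
            "composition": None, "complexity same-character": False,
            "complexity user-name": False, "history": 4,
            "login-attempt": (3, "lock-time 1"), "alert-before-expire": 7,
            "expired-user-login": (30, 3), "login idle-time": 90}
RULES = {  # key -> argument pattern, following the Command column syntax
    "aging": r"(\d+)", "update-interval": r"(\d+)", "length": r"(\d+)",
    "composition": r"type-number (\d+)(?: type-length (\d+))?",
    "complexity same-character": "check", "complexity user-name": "check",
    "history": r"(\d+)", "alert-before-expire": r"(\d+)",
    "login-attempt": r"(\d+)(?: exceed (lock|lock-time \d+|unlock))?",
    "expired-user-login": r"delay (\d+) times (\d+)",
    "login idle-time": r"(\d+)"}

def global_settings(config):
    """Assumed layout: '#' separates sections, view headers start in column 0."""
    eff, in_view = dict(DEFAULTS), False
    for line in config.splitlines():
        text = line.strip()
        if line.startswith("#"):            # section ends: back to system view
            in_view = False
        elif line[:1].strip() and not text.startswith("password-control "):
            in_view = True                  # view header, e.g. "user-group ops"
        elif not in_view and text.startswith("password-control "):
            rest = text[len("password-control "):]
            for key, args in RULES.items():
                m = re.fullmatch(re.escape(key) + " " + args, rest)
                if m:
                    vals = tuple(int(g) if g and g.isdigit() else g
                                 for g in m.groups())
                    # no captured argument means an on/off check: store True
                    eff[key] = vals[0] if len(vals) == 1 else vals or True
    return eff

# Constructed sample; the user-group line must not change the global value.
SAMPLE = """#
 password-control aging 60
 password-control length 12
 password-control composition type-number 3 type-length 2
 password-control complexity user-name check
 password-control login-attempt 5 exceed unlock
#
user-group ops
 password-control aging 30
"""
```

A value of None in the second position of login-attempt or composition means the optional keyword was not present on the configured line.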