Enabling password control
Enable the global password control feature in system view.
Password control configurations take effect only after the password control feature is enabled globally.
Enable password control functions individually.
The following password control functions need to be enabled individually after the password control feature is enabled globally:
Password aging
Minimum password length
Password history
Password composition checking
To enable password control:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable the global password control feature. | password-control enable | By default, the global password control feature is disabled. |
3. Enable a specific password control function. | password-control { aging \| composition \| history \| length } enable | Optional. All of the four password control functions are enabled by default. |
After global password control is enabled, local user passwords configured on the device are not displayed when you use the corresponding display command.
For security purposes, the system prompts Telnet, SSH, and terminal users to change their passwords at their first login if global password control is enabled. FTP users can only have their passwords changed by the administrator. If the administrator does not change the passwords of FTP users after global password control is enabled, the FTP users cannot log in to the device.
About the minimum password length:
When global password control is disabled, the minimum password length is one character.
When global password control is enabled but the minimum password length restriction function is disabled, the minimum password length is four characters in non-FIPS mode and eight characters in FIPS mode. The password must have at least four different characters.
When global password control and the minimum password length restriction function are both enabled, the minimum password length is that configured by the password-control length length command.
About password history control:
When global password control is disabled, or when global password control is enabled but the password history control is disabled, the device does not record history passwords. It allows a user to set a new password the same as a previously used one.
When global password control and password history control are both enabled, the system records history passwords for users. When a user changes the password, the system compares the new password against the history passwords and the current password. The new password must be different from the used ones by at least four characters and the four characters must not be the same. Otherwise, the user will fail to change the password.
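The rules above for minimum password length and password history interact with the global switch, so the policy a device actually enforces is easy to misread from a configuration listing. The following audit helper is an added example, not vendor code: it derives the effective policy from configuration text. It assumes a function is disabled with the `undo` form of the command in the table, and the function name `effective_policy`, the `fips_mode` parameter and the sample configurations are constructed for illustration.

```python
import re

FUNCTIONS = ("aging", "composition", "history", "length")

def effective_policy(config_text, fips_mode=False):
    """Return the effective minimum length and history behaviour for a config."""
    global_on = False
    enabled = dict.fromkeys(FUNCTIONS, True)  # table: all four enabled by default
    configured_len = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("password-control enable", "undo password-control enable"):
            global_on = not line.startswith("undo ")
        elif m := re.fullmatch(r"(undo )?password-control (\w+) enable", line):
            # Assumption: 'undo password-control <function> enable' disables it.
            if m.group(2) in enabled:
                enabled[m.group(2)] = m.group(1) is None
        elif m := re.fullmatch(r"password-control length (\d+)", line):
            configured_len = int(m.group(1))

    policy = {
        "global": global_on,
        # History is recorded only when both switches are on.
        "history_recorded": global_on and enabled["history"],
        "min_distinct_chars": None,
    }
    if not global_on:
        policy["min_length"] = 1          # global control off: one character
    elif not enabled["length"]:
        policy["min_length"] = 8 if fips_mode else 4
        policy["min_distinct_chars"] = 4  # stated for this case only
    else:
        # None means the device default applies; this page does not state it.
        policy["min_length"] = configured_len
    return policy

# Constructed sample configurations (not taken from a real device).
SAMPLES = {
    "no password control": "sysname lab-sw1",
    "length check off": "password-control enable\n"
                        "undo password-control length enable\n"
                        "password-control length 12",
    "history off": "password-control enable\n"
                   "password-control length 12\n"
                   "undo password-control history enable",
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(f"{name}: {effective_policy(cfg)}")
```

In the "length check off" sample the configured length of 12 is ignored and the four-character floor applies, which is the case an audit should flag.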