Password control configuration example

All commands in the following example are executed in non-FIPS mode.

Implement the following global password control policy:

• An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in.

• A user can log in five times within 60 days after the password expires.

• The password aging time is 30 days.

• The minimum password update interval is 36 hours.

• The maximum account idle time is 30 days.

• A password cannot contain the username or the reverse of the username.

• No character occurs consecutively three or more times in a password.

Implement the following super password control policy:

A super password must contain at least three types of valid characters, five or more of each type.

Implement the following password control policy for local Telnet user test:

• The password must contain at least 12 characters.

• The password must consist of at least two types of valid characters, five or more of each type.

• The password aging time is 20 days.

# Enable the password control feature globally.

<Sysname> system-view
[Sysname] password-control enable

# Prohibit the user from logging in forever after two successive login failures.

[Sysname] password-control login-attempt 2 exceed lock

# Set the password aging time to 30 days for all passwords.

[Sysname] password-control aging 30

# Set the minimum password update interval to 36 hours.

[Sysname] password-control password update interval 36

# Specify that a user can log in five times within 60 days after the password expires.

[Sysname] password-control expired-user-login delay 60 times 5

# Set the maximum account idle time to 30 days.

[Sysname] password-control login idle-time 30

# Refuse any password that contains the username or the reverse of the username.

[Sysname] password-control complexity user-name check

# Specify that no character of the password can be repeated three or more times consecutively.

[Sysname] password-control complexity same-character check

# Set the super password to contain at least three types of valid characters and each type contains at least five characters.

[Sysname] password-control super composition type-number 3 type-length 5

# Configure a super password.

[Sysname] super password level 3 simple 12345ABGFTweuix

# Create a local user named test.

[Sysname] local-user test

# Set the service type of the user to Telnet.

[Sysname-luser-test] service-type telnet

# Set the minimum password length to 12 for the local user.

[Sysname-luser-test] password-control length 12

# Set the password of the local user to contain at least two types of valid characters and each type contains at least five characters.

[Sysname-luser-test] password-control composition type-number 2 type-length 5

# Set the password aging time to 20 days for the local user.

[Sysname-luser-test] password-control aging 20

# Configure the password of the local user in interactive mode.

[Sysname-luser-test] password
Password:***********
Confirm :***********
Updating user(s) information, please wait........
[Sysname-luser-test] quit

# Display the global password control configuration.

<Sysname> display password-control
Global password control configurations:
 Password control:                    Enabled
 Password aging:                      Enabled (30 days)
 Password length:                     Enabled (10 characters)
 Password composition:                Enabled (1 types,  1 characters per type)
 Password history:                    Enabled (max history record:4)
 Early notice on password expiration: 7 days
 User authentication timeout:         60 seconds
 Maximum failed login attempts:       2 times
 Login attempt-failed action:         Lock
 Minimum password update time:        36 hours
 User account idle-time:              30 days
 Login with aged password:            5 times in 60 day(s)
 Password complexity:                 Enabled (username checking)
                                      Enabled (repeated characters checking)

# Display the password control configuration for super passwords.

<Sysname> display password-control super
 Super password control configurations:
 Password aging:                      Enabled (30 days)
 Password length:                     Enabled (10 characters)
 Password composition:                Enabled (3 types,  5 characters per type)

# Display the password control configuration for local user test.

<Sysname> display local-user user-name test
The contents of local user test:
 State:                    Active
 ServiceType:              telnet
 Access-limit:             Disable           Current AccessNum: 0
 User-group:               system
 Bind attributes:
 Authorization attributes:
 Password aging:                       Enabled (20 days)
 Password length:                      Enabled (12 characters)
 Password composition:                 Enabled (2 types,  5 characters per type)
Total 1 local user(s) matched.