Password setting
Minimum password length
You can define the minimum length of user passwords. The system rejects any password that is shorter than the configured minimum length.
Password composition policy
A password can be a combination of characters from the following types:
Uppercase letters A to Z.
Lowercase letters a to z.
Digits 0 to 9.
Special characters in Table 24.
Table 24: Special Characters
Character name | Symbol | Character name | Symbol |
---|---|---|---|
Ampersand sign | & | Apostrophe | ' |
Asterisk | * | At sign | @ |
Back quote | ` | Back slash | \ |
Blank space | N/A | Caret | ^ |
Colon | : | Comma | , |
Dollar sign | $ | Dot | . |
Equal sign | = | Exclamation point | ! |
Left angle bracket | < | Left brace | { |
Left bracket | [ | Left parenthesis | ( |
Minus sign | - | Percent sign | % |
Plus sign | + | Pound sign | # |
Quotation marks | " | Right angle bracket | > |
Right brace | } | Right bracket | ] |
Right parenthesis | ) | Semi-colon | ; |
Slash | / | Tilde | ~ |
Underscore | _ | Vertical bar | \| |
Depending on the system's security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters for each type, as shown in Table 25.
Table 25: Password composition policy
Password combination level | Minimum number of character types | Minimum number of characters for each type |
---|---|---|
Level 1 | One | One |
Level 2 | Two | One |
Level 3 | Three | One |
Level 4 | Four | One |
In non-FIPS mode, all the combination levels are available for a password. In FIPS mode, only the level 4 combination is available for a password.
When a user sets or changes a password, the system checks if the password meets the combination requirement. If it does not, the operation fails.
Password complexity checking policy
A less complicated password, such as one that contains the username or repeated characters, is more likely to be cracked. For higher security, you can configure a password complexity checking policy to ensure that all user passwords are relatively complicated. When a user configures a password, the system checks the complexity of the password. If the password does not meet the complexity requirements, the configuration fails.
You can apply the following password complexity requirements:
A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
A password cannot contain three or more identical consecutive characters. For example, password a111 is not complex enough.
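The length, composition, and complexity checks described above can be combined into one validator. The following is an added example, not code from the device or its vendor; the function name, parameter names, and violation strings are hypothetical. It assumes that characters outside the four types are rejected, that a type counts once it has the per-type minimum, and that the username comparison is case-sensitive.

```python
import string

# The 32 special characters of Table 24, blank space included.
SPECIALS = set("&'*@`\\ ^:,$.=!<{[(-%+#\">}]);/~_|")
TYPES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": SPECIALS,
}


def check_password(password, username, min_length, level, fips=False, min_per_type=1):
    """Return a list of policy violations; an empty list means the password is accepted."""
    if level not in (1, 2, 3, 4):
        raise ValueError("combination level must be 1 to 4")
    if fips and level != 4:
        raise ValueError("FIPS mode allows only combination level 4")

    problems = []
    if len(password) < min_length:
        problems.append("too short")

    # Assumption: a character outside the four types is rejected.
    allowed = set().union(*TYPES.values())
    if any(ch not in allowed for ch in password):
        problems.append("unsupported character")

    # Composition: a type counts once it has min_per_type characters (assumption).
    present = [name for name, chars in TYPES.items()
               if sum(ch in chars for ch in password) >= min_per_type]
    if len(present) < level:
        problems.append("too few character types")

    # Complexity: username or its reverse (case-sensitive here, an assumption).
    if username and (username in password or username[::-1] in password):
        problems.append("contains username")

    # Complexity: three or more identical consecutive characters.
    if any(a == b == c for a, b, c in zip(password, password[1:], password[2:])):
        problems.append("repeated characters")
    return problems
```

The question mark is not in Table 24, so under the stated assumption a password containing it is reported as having an unsupported character.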