User login control
First login
When the global password control feature is enabled, users must change the password at first login before they can access the system. In this situation, password changes are not subject to the minimum password update interval.
Login attempt limit
Limiting the number of consecutive login failures can effectively prevent password guessing.
The login attempt limit takes effect on FTP and VTY users. It does not take effect on the following types of users:
Nonexistent users (users not configured on the device).
Users logging in to the device through console ports.
If a user fails to log in, the system adds the user account and the user's IP address to the password control blacklist. When the user reaches the maximum number of consecutive failed login attempts, the login attempt limit feature restricts the user and the user account in any of the following ways:
Disables the user account until the account is manually removed from the password control blacklist.
Allows the user to continue using the user account. The user's IP address and user account are removed from the password control blacklist when the user uses this account to successfully log in to the device.
Disables the user account for a period of time.
The user can use the account to log in again when either of the following conditions is met:
The locking timer expires.
The account is manually removed from the password control blacklist before the locking timer expires.
NOTE: This account is locked only for this user. Other users can still use this account, and the blacklisted user can use other user accounts.
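The following Python model is an added example, not device or vendor code. It reproduces the blacklist behaviour described above, keyed on user account plus source IP address, for the three possible actions. All names (LoginLimiter, the action strings, the line-type strings) are hypothetical, and clearing the blacklist entry when the locking timer expires is a modelling assumption.

```python
from dataclasses import dataclass, field

# Hypothetical model of the documented behaviour; not device code.
LOCK, UNLOCK, LOCK_TIME = "lock", "unlock", "lock-time"  # assumed action names

@dataclass
class LoginLimiter:
    max_attempts: int = 3
    action: str = LOCK_TIME
    lock_seconds: int = 60
    accounts: set = field(default_factory=set)     # accounts configured on the device
    blacklist: dict = field(default_factory=dict)  # (account, ip) -> [failures, locked_until]

    def is_locked(self, account, ip, now):
        entry = self.blacklist.get((account, ip))
        if entry is None or entry[0] < self.max_attempts or self.action == UNLOCK:
            return False
        if self.action == LOCK_TIME and now >= entry[1]:
            del self.blacklist[(account, ip)]      # assumption: expiry clears the entry
            return False
        return True                                # LOCK, or timer still running

    def attempt(self, account, ip, line, password_ok, now):
        """Process one login attempt; return 'ok', 'denied' or 'locked'."""
        # The limit covers FTP and VTY logins to configured accounts only.
        limited = line in ("ftp", "vty") and account in self.accounts
        if limited and self.is_locked(account, ip, now):
            return "locked"
        if password_ok and account in self.accounts:
            self.blacklist.pop((account, ip), None)  # success clears the entry
            return "ok"
        if limited:
            entry = self.blacklist.setdefault((account, ip), [0, 0.0])
            entry[0] += 1                            # blacklisted from the first failure
            if entry[0] == self.max_attempts:
                entry[1] = now + self.lock_seconds   # used only by LOCK_TIME
        return "denied"

    def unblacklist(self, account, ip):
        """Manual removal from the blacklist by an administrator."""
        self.blacklist.pop((account, ip), None)

if __name__ == "__main__":
    lim = LoginLimiter(accounts={"admin"})           # constructed sample data
    for t in range(3):
        lim.attempt("admin", "192.0.2.10", "vty", False, now=t)
    print(lim.attempt("admin", "192.0.2.10", "vty", True, now=5))   # locked for this IP
    print(lim.attempt("admin", "192.0.2.77", "vty", True, now=5))   # other user, same account
```

Because the entry is keyed on the account and IP address pair, a lockout triggered from one address does not deny the account to users at other addresses, which matches the NOTE above.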
Maximum account idle time
You can set the maximum account idle time for user accounts. When an account is idle for this period of time since the last successful login, the account becomes invalid.