Setting global password control parameters
Restrictions and guidelines
The global password control parameters in system view apply to all device management local users.
The password aging time, minimum password length, and password composition policy can be configured in system view, user group view, and local user view. The password settings with a smaller application scope have higher priority. For local users, password settings configured in local user view have the highest priority, and global settings in system view have the lowest priority.
The password-control login-attempt command takes effect immediately and can affect users already in the password control blacklist. Other password control settings do not affect users who are already logged in or passwords that are already configured.
Procedure
Enter system view.
system-view
Configure password settings.
Set the minimum password length.
In non-FIPS mode:
password-control length length
The default setting is 10 characters.
In FIPS mode:
password-control length length
The default length is 15 characters.
Configure the password composition policy.
In non-FIPS mode:
password-control composition type-number type-number [ type-length type-length ]
By default, a password must contain a minimum of one character type and a minimum of one character for each type.
In FIPS mode:
password-control composition type-number type-number [ type-length type-length ]
By default, a password must contain a minimum of four character types and a minimum of one character for each type.
Configure the password complexity checking policy.
password-control complexity { same-character | user-name } check
By default, the system does not perform password complexity checking.
Set the maximum number of history password records for each user.
password-control history max-record-number
The default setting is 4.
Configure password updating and expiration.
Set the minimum password update interval.
password-control update interval interval
The default setting is 24 hours.
Set the password aging time.
password-control aging aging-time
The default setting is 90 days.
Set the number of days during which a user is notified of the pending password expiration.
password-control alert-before-expire alert-time
The default setting is 7 days.
Set the maximum number of days and maximum number of times that a user can log in after the password expires.
password-control expired-user-login delay delay times times
By default, a user can log in three times within 30 days after the password expires.
Configure user login control.
Configure the login attempt limit.
password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
By default, the maximum number of login attempts is 3 and a user failing to log in after the specified number of attempts must wait for 1 minute before trying again.
Set the maximum account idle time.
password-control login idle-time idle-time
The default setting is 90 days.
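The scope priority described under "Restrictions and guidelines" can be checked offline with a short script. The following is an added example, not vendor code: it resolves the effective minimum length, aging time, and type-number for one local user and reports where a narrower view weakens the system-view value. The function names, the per-view lists of command lines, and the sample values are constructed, and it assumes that the user group and local user views use the same command form shown above for system view.

```python
import re

# Non-FIPS defaults stated in the procedure above (characters, days, character types).
DEFAULTS = {"length": 10, "aging": 90, "type_number": 1}

# Only the settings configurable in all three views; type-length is not tracked here.
PATTERNS = {
    "length": re.compile(r"password-control length (\d+)"),
    "aging": re.compile(r"password-control aging (\d+)"),
    "type_number": re.compile(r"password-control composition type-number (\d+)(?: type-length \d+)?"),
}

def parse_scope(lines):
    """Return the settings explicitly configured by one view's command lines."""
    found = {}
    for line in lines:
        text = " ".join(line.split())  # normalize indentation and spacing
        for key, pattern in PATTERNS.items():
            m = pattern.fullmatch(text)
            if m:
                found[key] = int(m.group(1))
    return found

def effective_policy(system, group, user):
    """Resolve each setting: local user view > user group view > system view > default."""
    scopes = [("local-user", parse_scope(user)), ("user-group", parse_scope(group)),
              ("system", parse_scope(system))]
    return {key: next(((s[key], name) for name, s in scopes if key in s), (default, "default"))
            for key, default in DEFAULTS.items()}

def weakened(system, group, user):
    """List (setting, global value, effective value, source) where a narrower view is weaker."""
    glob = {**DEFAULTS, **parse_scope(system)}
    out = []
    for key, (value, source) in effective_policy(system, group, user).items():
        # A longer aging time is weaker; for the other settings a smaller value is weaker.
        weaker = value > glob[key] if key == "aging" else value < glob[key]
        if source in ("local-user", "user-group") and weaker:
            out.append((key, glob[key], value, source))
    return out

# Constructed sample input, not taken from a real device.
SYSTEM = ["password-control length 12", "password-control aging 60",
          "password-control composition type-number 3 type-length 2"]
GROUP = ["password-control aging 180"]
USER = ["password-control length 8"]

if __name__ == "__main__":
    print(effective_policy(SYSTEM, GROUP, USER))
    print(weakened(SYSTEM, GROUP, USER))
```
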