Example: Configuring password control
Network configuration
Configure a global password control policy to meet the following requirements:
A password must contain a minimum of 16 characters.
A password must contain a minimum of four character types and a minimum of four characters for each type.
An FTP or VTY user who fails to provide the correct password in two successive login attempts is permanently prohibited from logging in.
A user can log in five times within 60 days after the password expires.
A password expires after 30 days.
The minimum password update interval is 36 hours.
The maximum account idle time is 30 days.
A password cannot contain the username or the reverse of the username.
A password cannot contain three or more identical consecutive characters.
Configure a super password control policy for user role network-operator to meet the following requirements:
A super password must contain a minimum of 24 characters.
A super password must contain a minimum of four character types and a minimum of five characters for each type.
Configure a password control policy for local Telnet user test to meet the following requirements:
The password must contain a minimum of 24 characters.
The password must contain a minimum of four character types and a minimum of five characters for each type.
The password for the local user expires after 20 days.
Procedure
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
# Disable a user account permanently if a user fails two consecutive login attempts on the user account. A locked account stays on the password control blacklist until an administrator clears it, so with a threshold this low two mistyped passwords are enough to lock an administrator out.
[Sysname] password-control login-attempt 2 exceed lock
# Set all passwords to expire after 30 days.
[Sysname] password-control aging 30
# Globally set the minimum password length to 16 characters.
[Sysname] password-control length 16
# Set the minimum password update interval to 36 hours.
[Sysname] password-control update-interval 36
# Specify that a user can log in five times within 60 days after the password expires.
[Sysname] password-control expired-user-login delay 60 times 5
# Set the maximum account idle time to 30 days.
[Sysname] password-control login idle-time 30
# Refuse any password that contains the username or the reverse of the username.
[Sysname] password-control complexity user-name check
# Refuse any password that contains three or more identical consecutive characters.
[Sysname] password-control complexity same-character check
# Globally specify that all passwords must each contain a minimum of four character types and a minimum of four characters for each type.
[Sysname] password-control composition type-number 4 type-length 4
# Set the minimum super password length to 24 characters.
[Sysname] password-control super length 24
# Specify that a super password must contain a minimum of four character types and a minimum of five characters for each type.
[Sysname] password-control super composition type-number 4 type-length 5
# Configure a super password used for switching to user role network-operator as 123456789ABGFTweuix@#$%! in plain text. The value satisfies the super password policy configured above: 24 characters drawn from four character types, with at least five characters of each type.
[Sysname] super password role network-operator simple 123456789ABGFTweuix@#$%!
# Create a device management user named test.
[Sysname] local-user test class manage
# Set the service type of the user to Telnet.
[Sysname-luser-manage-test] service-type telnet
# Set the minimum password length to 24 for the local user.
[Sysname-luser-manage-test] password-control length 24
# Specify that the password of the local user must contain a minimum of four character types and a minimum of five characters for each type.
[Sysname-luser-manage-test] password-control composition type-number 4 type-length 5
# Set the password for the local user to expire after 20 days.
[Sysname-luser-manage-test] password-control aging 20
# Configure the password of the local user in interactive mode.
[Sysname-luser-manage-test] password
Password:
Confirm :
Updating user information. Please wait ... ...
[Sysname-luser-manage-test] quit
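Before a password is typed into the CLI it helps to know whether the policy above will accept it. The following checker is an added example, not code from the configuration guide or from the device vendor: it models the rules this page configures (minimum length, composition type-number and type-length, the username and reverse-username check, and the repeated-character check) and reports which rules a candidate violates. The character classes used (digit, upper case, lower case, everything else), the reading that at least type-number types must each contribute at least type-length characters, and the case-insensitive username match are this example's assumptions about how the device evaluates a password; the failing candidates at the bottom are constructed for illustration.

```python
# Offline checker for the password control policy configured in this example.
# Added example: not code from the configuration guide or the device vendor.
# The character classes, the composition rule and the case-insensitive
# username match are assumptions about the device's behaviour.
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int          # password-control length / password-control super length
    type_number: int         # password-control composition type-number
    type_length: int         # password-control composition type-length
    username_check: bool = True        # password-control complexity user-name check
    same_character_check: bool = True  # password-control complexity same-character check
    max_run: int = 3         # this many identical consecutive characters is refused


# The three policies this page configures.
GLOBAL_POLICY = PasswordPolicy(min_length=16, type_number=4, type_length=4)
SUPER_POLICY = PasswordPolicy(min_length=24, type_number=4, type_length=5)
USER_TEST_POLICY = PasswordPolicy(min_length=24, type_number=4, type_length=5)


def _char_type(ch: str) -> str:
    """Assumed classification: digits, upper case, lower case, everything else."""
    if ch.isdigit():
        return "digit"
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    return "special"


def check_password(password: str, username: str, policy: PasswordPolicy) -> list[str]:
    """Return the names of the violated rules; an empty list means the password passes."""
    violations = []

    if len(password) < policy.min_length:
        violations.append("length")

    # Composition: count characters per type, then count the types that reach type_length.
    counts: dict[str, int] = {}
    for ch in password:
        kind = _char_type(ch)
        counts[kind] = counts.get(kind, 0) + 1
    types_meeting_minimum = sum(1 for n in counts.values() if n >= policy.type_length)
    if types_meeting_minimum < policy.type_number:
        violations.append("composition")

    # Username check: neither the username nor its reverse may appear (case-insensitive here).
    if policy.username_check and username:
        pw, user = password.lower(), username.lower()
        if user in pw or user[::-1] in pw:
            violations.append("user-name")

    # Repeated-character check: refuse max_run identical consecutive characters.
    if policy.same_character_check:
        run = 1
        for prev, cur in zip(password, password[1:]):
            run = run + 1 if cur == prev else 1
            if run >= policy.max_run:
                violations.append("same-character")
                break

    return violations


if __name__ == "__main__":
    # The super password from the procedure above, checked against the super policy.
    print(check_password("123456789ABGFTweuix@#$%!", "", SUPER_POLICY))
    # Constructed candidates for local user test: the first hides the reversed
    # username and has too few digits and specials, the second repeats characters.
    print(check_password("tset5678ABCD!@#$QWERtyui", "test", USER_TEST_POLICY))
    print(check_password("aaaaBBBB1111!!!!", "test", GLOBAL_POLICY))
```

Run it as a script to see the three verdicts; the device remains the authority, so treat a pass here as a pre-check, not a guarantee.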
Verifying the configuration
# Display the global password control configuration.
<Sysname> display password-control
Global password control configurations:
 Password control:                       Enabled
 Password aging:                         Enabled (30 days)
 Password length:                        Enabled (16 characters)
 Password composition:                   Enabled (4 types, 4 characters per type)
 Password history:                       Enabled (max history record:4)
 Early notice on password expiration:    7 days
 Maximum login attempts:                 2
 Action for exceeding login attempts:    Lock
 Minimum interval between two updates:   36 hours
 User account idle time:                 30 days
 Logins with aged password:              5 times in 60 days
 Password complexity:                    Enabled (username checking)
                                         Enabled (repeated characters checking)
# Display the password control configuration for super passwords.
<Sysname> display password-control super
Super password control configurations:
 Password aging:                         Enabled (90 days)
 Password length:                        Enabled (24 characters)
 Password composition:                   Enabled (4 types, 5 characters per type)
# Display the password control configuration for local user test.
<Sysname> display local-user user-name test class manage
Total 1 local users matched.

Device management user test:
  State:                       Active
  Service type:                Telnet
  User group:                  system
  Bind attributes:
  Authorization attributes:
    Work directory:            flash:
    User role list:            network-operator
  Password control configurations:
    Password aging:            Enable (20 days)
    Password length:           Enable (24 characters)
    Password composition:      Enable (4 types, 5 characters per type)