Configuring Password Complexity

Enable the Password Complexity feature

  1. The minimum password length must be configured to 8.

  2. The manager credentials must be configured. If they are not, use the password manager command to create the password.

  3. Enable the Password Complexity feature (Enable Password Complexity)

Configure the Password Complexity parameters

  1. Configure the password aging, history, and log-on details. (Configure the Password Complexity parameters)

  2. Configure the password minimum length (Configure password minimum length)

  3. Configure the password composition (Configure password composition)

  4. Configure complexity checks on a new user password (Configure password complexity checks)

Viewing the password configuration

To view the password configuration, enter the show password-configuration command. The Password control field displays the status of the feature, either Enabled or Disabled, and the remaining lines display its parameters.

Example

In this example, the Password Complexity feature (Password control) is disabled and the minimum password length is 8.

switch# show password-configuration
 Global password control configuration

  Password control                     : Disabled
  Password history                     : Disabled
  Number of history records            : 8
  Password aging                       : Disabled
  Aging time                           : 90 days
  Early notice on password expiration  : 7 days
  Minimum password update interval     : 24 hours
  Expired user login                   : 3 login attempts in 30 days
  Password minimum length              : 8
  User login details checking          : Enabled
  Password composition
           Lower case                  : 2 characters
           Upper case                  : 2 characters
           Special character           : 2 characters
           Number                      : 2 characters
  Repeat password checking             : Disabled
  Username checking                    : Disabled
  Repeat characters checking           : Disabled

More information

show password-configuration

Enable Password Complexity

To enable the Password Complexity feature, enter the password configuration-control command.

Example

In this example, the WebUI is enabled and the user enters y to disable the WebUI and REST protocol and enable the Password Complexity feature.

switch# password configuration-control 
The password configuration feature cannot be enabled when the WebUI is enabled. 
Would you like to disable WebUI and REST protocol? [y/n]: y

More information

password configuration-control

Configure the Password Complexity parameters

You can configure the Password Complexity parameters at any time, but they take effect only if the Password Complexity feature is enabled.

Example

In this example, we enable the aging and history parameters.

switch# password configuration aging
switch# password configuration history

Password history and Password aging are now enabled.

We then set the aging parameter, aging-period, to 60 days:

switch# password configuration aging-period 60

The show password-configuration command displays the configuration changes:

switch# show password-configuration
 Global password control configuration

  Password control                     : Enabled
  Password history                     : Enabled
  Number of history records            : 8
  Password aging                       : Enabled
  Aging time                           : 60 days
  Early notice on password expiration  : 7 days
  Minimum password update interval     : 24 hours
  Expired user login                   : 3 login attempts in 30 days
  Password minimum length              : 8
  User login details checking          : Enabled
  Password composition
           Lower case                  : 2 characters
           Upper case                  : 2 characters
           Special character           : 2 characters
           Number                      : 2 characters
  Repeat password checking             : Disabled
  Username checking                    : Disabled
  Repeat characters checking           : Disabled

More information

password configuration commands
password configuration

Configure password minimum length

To configure the password minimum length, enter the password minimum-length command. The minimum password length must be equal to or greater than the sum of the password composition. You can set the password minimum length for all users or per user.

Example

To configure the password minimum length to 10 for all users, enter:

switch# password minimum-length 10

To configure the password minimum length to 10 for the operator user operatorABC only, enter:

switch# password operator user-name operatorABC minimum-length 10

To configure the password minimum length to 10 for the local user localuserXYZ only, enter:

switch# aaa authentication local-user localuserXYZ min-pwd-length 10

More information

password minimum-length

Configure password composition

To configure the password composition policy for all users, enter the password composition command. The policy sets the minimum number of characters required from each of these sets: lowercase letters, uppercase letters, special characters, and numbers. The minimum password length must be equal to or greater than the sum of the password composition.

Example

In this example, we set the password special characters parameter to 3.

switch# password composition specialcharacter 3

The show password-configuration command displays the configuration changes:

switch# show password-configuration
 Global password control configuration

  Password control                     : Enabled
  Password history                     : Enabled
  Number of history records            : 8
  Password aging                       : Enabled
  Aging time                           : 60 days
  Early notice on password expiration  : 7 days
  Minimum password update interval     : 24 hours
  Expired user login                   : 3 login attempts in 30 days
  Password minimum length              : 10
  User login details checking          : Enabled
  Password composition
           Lower case                  : 2 characters
           Upper case                  : 2 characters
           Special character           : 3 characters
           Number                      : 2 characters
  Repeat password checking             : Disabled
  Username checking                    : Disabled
  Repeat characters checking           : Disabled
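
The following script is an added example, not part of the vendor documentation. It parses saved show password-configuration output, checks the rule that the minimum length is equal to or greater than the sum of the composition values, and lists which checks are not enabled. The sample text is constructed from the output above, and the function names are hypothetical.

```python
import re

# Constructed sample: fields copied from the show password-configuration output above.
SAMPLE = """\
  Password control                     : Enabled
  Password history                     : Enabled
  Password aging                       : Enabled
  Password minimum length              : 10
  Password composition
           Lower case                  : 2 characters
           Upper case                  : 2 characters
           Special character           : 3 characters
           Number                      : 2 characters
  Repeat password checking             : Disabled
  Username checking                    : Disabled
  Repeat characters checking           : Disabled
"""

COMPOSITION = ("Lower case", "Upper case", "Special character", "Number")
CHECKS = ("Password control", "Password history", "Password aging",
          "Repeat password checking", "Username checking",
          "Repeat characters checking")

def parse(text):
    """Return {field: value} for every 'name : value' line of the output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def audit(text):
    """Return findings: a length/composition mismatch, then checks not enabled."""
    cfg = parse(text)
    findings = []
    min_len = int(cfg["Password minimum length"])
    comp_sum = sum(int(cfg[k].split()[0]) for k in COMPOSITION)
    if min_len < comp_sum:
        findings.append(f"minimum length {min_len} < composition sum {comp_sum}")
    for name in CHECKS:
        state = cfg.get(name, "missing")
        if state != "Enabled":
            findings.append(f"{name}: {state}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the output above, the script reports only the three disabled checks, because the composition sum is 9 and the minimum length is 10.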

More information

password composition

Configure password complexity checks

To configure password complexity checks on a new user password, enter the password complexity command.

Example

In this example, we set the password complexity check to all, which includes repeat-password-check, repeat-char-check, and user-name-check.

switch# password complexity all

More information

password complexity