Our system enforces a strong password security policy. Password security is ensured by three mechanisms: password complexity requirements, forced password modification at initial login, and a limit on the maximum number of password attempts. The password security policy applies only to local administrator users.
Password Policy
Password complexity:
- Minimum password length: allows the administrator to set a minimum length for administrator passwords. When a user password is set, the system rejects any password shorter than the configured minimum and prompts: "Bad password: it is too short."
- Password combination check: the administrator can set the combination type of the elements that make up a user password. Password elements belong to the following four types:
- Capital letters: A-Z
- Lowercase letters: a-z
- Decimal digits: 0-9
- 31 special characters: (`~!@$%^&*()_+-={}[]|\:;"'<>,./')
There are four combination types of password elements, which have the following specific meanings:
- Combination type 1 means that the password must contain at least one element type.
- Combination type 2 means that the password must contain at least two element types.
- Combination type 3 means that the password must contain at least three element types.
- Combination type 4 means that the password must contain all four element types.
When a user sets a password, the system checks whether it meets the configured requirements; only a password that meets them can be set.
- The password cannot be the same as the user name. When an administrator user password is set, the system rejects it if it is identical to the user name.
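The three complexity checks above (minimum length, composition type, and the user-name check) as an added Python example; this is not the device's own code. The "too short" prompt is the one quoted on this page, the other two messages are assumed wording, and the special-character set is taken as listed above.

```python
import string

# Element classes from the policy. The special-character set is the list given
# on this page, used as written (a set drops the duplicate quote character).
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SPECIALS = set("`~!@$%^&*()_+-={}[]|\\:;\"'<>,./")


def element_kinds(password: str) -> int:
    """Return how many of the four element types the password contains."""
    chars = set(password)
    return sum(1 for cls in (UPPER, LOWER, DIGITS, SPECIALS) if chars & cls)


def check_password(password: str, username: str, min_length: int = 6,
                   composition: int = 2, user_name_check: bool = True):
    """Apply the complexity policy and return (accepted, message).

    Defaults mirror the documented ones: min-length 6, composition type 2,
    user-name check enabled. Checks run in the order the policy lists them.
    """
    if len(password) < min_length:
        return False, "Bad password: it is too short."      # prompt from the page
    if element_kinds(password) < composition:
        # assumed wording; the page does not quote this prompt
        return False, f"Bad password: needs at least {composition} element types."
    if user_name_check and password == username:
        # assumed wording; the page does not quote this prompt
        return False, "Bad password: it must not equal the user name."
    return True, "OK"
```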
Force to modify password for initial login:
When the "Force to modify the password when the user logs in for the first time" function is enabled and a user logs into the device for the first time, the system prompts the user to change the password; until the password is changed, the user is not allowed to log into the device. When the administrator user name is "admin", the user is forced to change the password at the first login regardless of whether this function is enabled.
Password lifetime:
The password lifetime limits how long a user password may be used. Once a password has been in use longer than its lifetime, the user must change it. When a user logs in with an expired password, the system reports that the password has expired and requires it to be reset before local login is allowed. If the new password does not meet the requirements, or the two entries of the new password do not match, the login is refused. For non-interactive logins, such as FTP users, once the password lifetime has expired the user can log in only after the administrator changes the FTP user's password; if the password expires during an active session, the current session is not affected, but the next FTP command triggers a disconnect. If a password change is also required at first login, the password is treated as already expired, and the login requires only a single password change.
Maximum try times of the password:
The maximum number of password attempts protects against malicious users trying to guess the password. When the number of failed password attempts exceeds the configured maximum, the login-security module blacklists the user and the account is locked for a period of time.
Configuration Conditions
None
Configure Password Policy
Table 13‑9 Configure the password policy

| Step | Command | Description |
| --- | --- | --- |
| Enter the global configuration mode. | configure terminal | - |
| Configure the complexity of the password | password-control complexity {min-length len \| with user-name-check \| composition type-number type-number } | Optional. By default, the minimum length of the user password is 6, the password must contain two kinds of elements, and the password may not be the same as the user name. |
| Configure forcing the user to modify the password at the first login | password-control firstmodify enable | Optional. By default, the user is not forced to modify the password at the first login. When the user name is "admin", the password must be modified at the first login even if this command is not enabled. |
| Configure the live time (lifetime) of the user password | password-control livetime user-live-time | Optional. By default, the live time of the user password is not limited. |
| Configure the maximum number of successive login authentication failures for an administrator user | password-control max-try-time max-try-time-number | Optional. The command can be configured in both the administrator user group and the administrator user. By default, no value is configured in the administrator user group, so the maximum number of successive login authentication failures configured in the administrator user view applies. |