when a user configures a password, the system checks the complexity of the password. If the
password is complexity-incompliant, the configuration will fail.
You can apply the following password complexity requirements:
• A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
• A character or number cannot be included three or more times consecutively. For example, password a111 is not complex enough.
Password updating and expiration
Password updating
This feature allows you to set the minimum interval at which users can change their passwords. If a
user logs in to change the password but the time passed since the last change is less than this
interval, the system denies the request. For example, if you set this interval to 48 hours, a user
cannot change the password twice within 48 hours.
The minimum interval does not apply when a user is prompted to change the password at the first
login or after the password aging time expires.
Password expiration
Password expiration imposes a lifecycle on a user password. After the password expires, the user
needs to change the password.
If a user enters an expired password when logging in, the system displays an error message. The
user is prompted to provide a new password and to confirm it by entering it again. The new password
must be valid, and the user must enter exactly the same password when confirming it.
Telnet users, SSH users, and console users can change their own passwords. The administrator
must change passwords for FTP users.
Early notice on pending password expiration
When a user logs in, the system checks whether the password will expire in a time equal to or less
than the specified notification period. If so, the system notifies the user when the password will expire
and provides a choice for the user to change the password. If the user sets a new password that is
complexity-compliant, the system records the new password and the setup time. If the user chooses
not to change the password or the user fails to change it, the system allows the user to log in using
the current password.
Telnet users, SSH users, and console users can change their own passwords. The administrator
must change passwords for FTP users.
Login with an expired password
You can allow a user to log in a certain number of times within a period of time after the password
expires. For example, if you set the maximum number of logins with an expired password to 3 and
the time period to 15 days, a user can log in three times within 15 days after the password expires.
Password history
With this feature enabled, the system stores passwords that a user has used. When a user changes
the password, the system checks the new password against the current password and those stored
in the password history records. The new password must be different from the current one and those
stored in the history records by a minimum of four characters. The four characters must be different
from one another. Otherwise, the system will display an error message, and the password will not be
changed.
You can set the maximum number of history password records for the system to maintain for each
user. When the number of history password records exceeds your setting, the most recent record
overwrites the earliest one.
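The checks described in this section (the two complexity rules, the minimum update interval, the grace logins after expiry, and the password history comparison) modelled in Python as an added example; this is not the device's own code. It assumes case-insensitive username matching and reads "differ by a minimum of four characters" as at least four distinct characters of the new password that do not occur in the old one.

```python
def complexity_ok(password: str, username: str) -> bool:
    """Apply the two complexity requirements described in this section."""
    pw, user = password.lower(), username.lower()  # case-insensitive match is an assumption
    # Rule 1: the password must not contain the username or the reverse of the username.
    if user and (user in pw or user[::-1] in pw):
        return False
    # Rule 2: no character may occur three or more times consecutively (e.g. a111).
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run >= 3:
            return False
    return True


def differs_enough(new: str, old: str, min_chars: int = 4) -> bool:
    """Assumed reading of the history rule: at least min_chars distinct characters
    of the new password must not occur anywhere in the old password."""
    return len(set(new) - set(old)) >= min_chars


def history_ok(new: str, current: str, history: list, min_chars: int = 4) -> bool:
    """The new password must differ from the current one and from every stored record."""
    return all(differs_enough(new, old, min_chars) for old in [current, *history])


def record_history(history: list, current: str, max_records: int) -> list:
    """Store the outgoing password; once the cap is exceeded the newest record
    overwrites the earliest one."""
    updated = list(history) + [current]
    return updated[-max_records:] if max_records > 0 else []


def update_allowed(hours_since_change: float, min_interval_hours: float,
                   forced: bool = False) -> bool:
    """Minimum update interval; it does not apply to a forced change
    (first login or password aging expiry)."""
    return forced or hours_since_change >= min_interval_hours


def expired_login_allowed(logins_used: int, max_logins: int,
                          days_since_expiry: float, period_days: float) -> bool:
    """Grace logins after expiry: at most max_logins within period_days of expiry."""
    return logins_used < max_logins and days_since_expiry <= period_days
```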