195
Password complexity checking policy
A less complicated password such as a password containing the username or repeated characters is
more likely to be cracked. For higher security, you can configure a password complexity checking policy
to make sure all user passwords are relatively complicated. With such a policy configured, when a user
configures a password, the system checks the complexity of the password. If the password is
complexity-incompliant, the configuration will fail.
You can apply the following password complexity requirements:
•
A password cannot contain the username or the reverse of the username. For example, if the
username is abc, a password such as abc982 or 2cba is not complex enough.
•
A character or number cannot be included three or more times consecutively. For example,
password a111 is not complex enough.
Password updating and expiration
Password updating
This feature allows you to set the minimum interval at which users can change their passwords. If a user
logs in to change the password but the time passed since the last change is less than this interval, the
system denies the request. For example, if you set this interval to 48 hours, a user cannot change the
password twice within 48 hours.
The set minimum interval is not effective when a user is prompted to change the password at the first login
or after its password aging time expires.
Password expiration
Password expiration imposes a lifecycle on a user password. After the password expires, the user needs
to change the password.
If a user enters an expired password when logging in, the system displays an error message. The user is
prompted to provide a new password and to confirm it by entering it again. The new password must be
valid, and the user must enter exactly the same password when confirming it.
Telnet users, SSH users, and console users can change their own passwords. The administrator must
change passwords for FTP users.
Early notice on pending password expiration
When a user logs in, the system checks whether the password will expire in a time equal to or less than
the specified notification period. If so, the system notifies the user when the password will expire and
provides a choice for the user to change the password. If the user sets a new password that is
complexity-compliant, the system records the new password and the setup time. If the user chooses not to
change the password or the user fails to change it, the system allows the user to log in using the current
password.
Telnet users, SSH users, and console users can change their own passwords. The administrator must
change passwords for FTP users.
Login with an expired password
You can allow a user to log in a certain number of times within a specific period of time after the
password expires. For example, if you set the maximum number of logins with an expired password to 3
and the time period to 15 days, a user can log in three times within 15 days after the password expires.