Password history
With this feature enabled, the system stores passwords that a user has used. When a user changes the
password, the system checks the new password against the current password and those stored in the
password history records. The new password must be different from the current one and those stored in
the history records by at least four characters. The four characters must be different from one another.
Otherwise, the system will display an error message, and the password will not be changed.
You can set the maximum number of history password records for the system to maintain for each user.
When the number of history password records exceeds your setting, the most recent record overwrites
the earliest one.
Current login passwords of device management users are not stored in the password history. This is
because a device management user password is saved in cipher text and cannot be recovered to a
plaintext password.
User login control
First login
With the global password control feature enabled, users must change the password at first login before
they can access the system. In this situation, password changes are not subject to the minimum change
interval.
Login attempt limit
Limiting the number of consecutive failed login attempts can effectively prevent password guessing.
Login attempt limit takes effect on FTP and VTY users. It does not take effect on the following types of
users:
• Nonexistent users (users not configured on the device).
• Users logging in to the device through console ports.
If a user fails to log in with a user account after making the maximum number of consecutive attempts,
login attempt limit performs the following actions:
• Adds the user account and the user's IP address to the password control blacklist. This account is
  locked only for this user. Other users can still use this account, and the blacklisted user can use other
  user accounts.
• Limits the user and user account in any of the following ways:
  ◦ Disables the user account until the account is manually removed from the password control
    blacklist.
  ◦ Allows the user to continue using the user account. The user's IP address and user account are
    removed from the password control blacklist when the user uses this account to successfully log
    in to the device.
  ◦ Disables the user account for a period of time.
    The user can use the account to log in when either of the following conditions exists:
    − The locking timer expires.
    − The account is manually removed from the password control blacklist before the locking
      timer expires.