Telnet users, SSH users, and console users can change their own passwords. The administrator 
must change passwords for FTP users. 
Early notice on pending password expiration 
When a user logs in, the system checks whether the password will expire in a time equal to or less 
than the specified notification period. If so, the system notifies the user when the password will expire 
and provides a choice for the user to change the password. If the user sets a new password that is 
complexity-compliant, the system records the new password and the setup time. If the user chooses 
not to change the password or the user fails to change it, the system allows the user to log in using 
the current password.  
Telnet users, SSH users, and console users can change their own passwords. The administrator 
must change passwords for FTP users. 
Login with an expired password 
You can allow a user to log in a certain number of times within a period of time after the password 
expires. For example, if you set the maximum number of logins with an expired password to 3 and 
the time period to 15 days, a user can log in three times within 15 days after the password expires. 
Password history 
With this feature enabled, the system stores passwords that a user has used. When a user changes 
the password, the system compares the new password with the current password and those stored 
in the password history records. The new password must be different from the current one and those 
stored in the history records by a minimum of four characters. The four characters must be different 
from one another. Otherwise, the system will display an error message, and the password will not be 
changed. 
You can set the maximum number of history password records for the system to maintain for each 
user. When the number of history password records exceeds your setting, the most recent record 
overwrites the earliest one. 
Current login passwords of device management users are not stored in the password history, 
because a device management user password is saved in cipher text and cannot be recovered to a 
plaintext password. 
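The following Python model of the history check is an added example, not code from the device or its documentation. It assumes that "different by a minimum of four characters" means the new password contains at least four distinct characters that do not occur in the old one; the class and function names are hypothetical, and the plaintext records are constructed for illustration only.

```python
from collections import deque

MIN_NEW_CHARS = 4  # from the text: differ "by a minimum of four characters"


def new_distinct_chars(new: str, old: str) -> int:
    """Count distinct characters of `new` that do not occur anywhere in `old`.

    Assumed reading of the rule: using a set means a repeated new
    character ("zzzz") counts once, so the four differing characters
    must also differ from one another.
    """
    return len(set(new) - set(old))


class PasswordHistory:
    """Model of one user's history records (hypothetical, not device code)."""

    def __init__(self, current: str, max_records: int):
        self.current = current
        # A full deque drops its earliest entry when a newer one is appended,
        # matching "the most recent record overwrites the earliest one".
        self.records = deque(maxlen=max_records)

    def too_similar_to(self, new: str) -> list:
        """Return every earlier password that `new` fails the rule against."""
        candidates = [self.current, *self.records]
        return [old for old in candidates
                if new_distinct_chars(new, old) < MIN_NEW_CHARS]

    def change(self, new: str) -> bool:
        """Apply a password change; False means error shown, nothing changed."""
        if self.too_similar_to(new):
            return False
        self.records.append(self.current)
        self.current = new
        return True


if __name__ == "__main__":
    h = PasswordHistory("alpha-1234", max_records=1)   # constructed samples
    print(h.change("alpha-1235"))   # one new character only
    print(h.change("alpha-zzzz"))   # four positions differ, one distinct char
    print(h.change("BRAVO_5678"))   # ten new distinct characters
    print(h.change("alpha-1234"))   # still held in the single history record
```

With max_records set to 1, a third password pushes the first one out of the history, after which the first can be set again; the record count therefore bounds how far back reuse is actually blocked.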
User login control 
First login 
If the global password control feature is enabled, users must change the password at first login 
before they can access the system. In this situation, password changes are not subject to the 
minimum password update interval. 
Login attempt limit 
Limiting the number of consecutive login failures can effectively prevent password guessing. 
Login attempt limit takes effect on FTP and VTY users. It does not take effect on the following types 
of users: 
•  Nonexistent users (users not configured on the device). 
•  Users logging in to the device through console ports. 
If a user fails to log in, the system adds the user account and the user's IP address to the password 
control blacklist. After the user makes the maximum number of consecutive attempts, the login attempt 
limit feature limits the user and user account in any of the following ways: 
•  Disables the user account until the account is manually removed from the password control 
blacklist. 
•  Allows the user to continue using the user account. The user's IP address and user account are 
removed from the password control blacklist when the user uses this account to successfully 
log in to the device.