Configuring password control
Overview
Password control refers to a set of functions provided by the local authentication server to control
user login passwords, super passwords, and user login status based on predefined policies. The rest
of this section describes password control functions in detail.
• Minimum password length
By setting a minimum password length, you require users to choose passwords long enough
for system security. If a user specifies a shorter password, the system rejects the setting and
prompts the user to specify a password again.
• Minimum password update interval
This function allows you to set the minimum interval at which users can change their passwords.
If a user logs in to change the password but the time elapsed since the last change is less than
this interval, the system denies the request. For example, if you set this interval to 48 hours, a
user cannot change the password twice within 48 hours. This prevents users from changing
their passwords frequently.
In non-FIPS mode, this function is not effective for manage-level users. In FIPS mode, this
function is effective for both non-manage-level and manage-level users. For information about
user levels, see HPE FlexNetwork MSR Router Series Comware 5 Fundamentals
Configuration Guide.
This function is not effective on a user who is prompted to change the password at the first login
or a user whose password has just been aged out.
• Password aging
Password aging imposes a lifecycle on a user password. After the password expires, the user
needs to change the password.
If a user enters an expired password when logging in, the system displays an error message
and prompts the user to provide a new password and to confirm it by entering it again. The new
password must be valid, and the user must enter exactly the same password when confirming
it.
• Early notice on pending password expiration
When a user logs in, the system checks whether the password will expire in a time equal to or
less than the specified period. If so, the system notifies the user when the password will expire
and provides a choice for the user to change the password. If the user sets a new password that
is complexity-compliant, the system records the new password and the setup time. If the user
chooses not to change the password or the user fails to change it, the system allows the user to
log in using the current password.
Telnet, SSH, and console (or AUX) users can change their passwords by themselves. FTP
users, by contrast, can only have their passwords changed by the administrator.
• Login with an expired password
You can allow a user to log in a certain number of times within a specific period of time after the
password expires, so that the user does not need to change the password immediately. For
example, if you set the maximum number of logins with an expired password to 3 and the time
period to 15 days, a user can log in three times within 15 days after the password expires.
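The five functions above (minimum length, minimum update interval, aging, early expiration notice, and limited logins after expiry) interact through timestamps recorded on the account, which is easier to see in running code than in prose. The following is an added example written for this page; it is not code from the guide and does not model the Comware CLI. It reuses the guide's example figures (a 48-hour update interval, 3 logins within 15 days after expiry) and treats the other numbers, the account names, the `fips_mode` switch, and the exact wording of the messages as assumptions.

```python
# Added example (not HPE/Comware code): a small model of the password-control
# checks described in the overview, exercised on a constructed scenario.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class Policy:
    min_length: int = 10                                  # assumed value
    min_update_interval: timedelta = timedelta(hours=48)  # guide's example
    aging: timedelta = timedelta(days=90)                 # assumed lifetime
    expiry_notice: timedelta = timedelta(days=7)          # assumed notice window
    expired_logins: int = 3                               # guide's example
    expired_window: timedelta = timedelta(days=15)        # guide's example
    fips_mode: bool = False                               # assumed switch


@dataclass
class Account:
    name: str
    password: str
    set_time: datetime            # when the current password was recorded
    manage_level: bool = False
    first_login: bool = False     # user is prompted to change at first login
    expired_logins_used: int = 0  # logins consumed since the password expired


@dataclass
class LoginResult:
    allowed: bool
    must_change_now: bool
    notice: Optional[str] = None


def validate_new_password(policy: Policy, acct: Account, candidate: str,
                          now: datetime) -> Tuple[bool, str]:
    """Minimum length, then minimum update interval with its exemptions."""
    if len(candidate) < policy.min_length:
        return False, "too short: re-specify a password"
    # The interval is skipped for a first-login change and for a password that
    # has already aged out; in non-FIPS mode it also skips manage-level users.
    aged_out = now - acct.set_time >= policy.aging
    exempt = acct.first_login or aged_out or (acct.manage_level and not policy.fips_mode)
    if not exempt and now - acct.set_time < policy.min_update_interval:
        return False, "minimum update interval not reached"
    return True, "ok"


def change_password(policy: Policy, acct: Account, new_pw: str, confirm: str,
                    now: datetime) -> Tuple[bool, str]:
    """The new password must be valid and confirmed with exactly the same text."""
    if new_pw != confirm:
        return False, "confirmation does not match"
    ok, why = validate_new_password(policy, acct, new_pw, now)
    if not ok:
        return False, why
    acct.password, acct.set_time = new_pw, now   # record password and setup time
    acct.first_login, acct.expired_logins_used = False, 0
    return True, "password changed"


def login(policy: Policy, acct: Account, password: str, now: datetime) -> LoginResult:
    """Aging, early notice, and the limited logins allowed after expiry."""
    if password != acct.password:
        return LoginResult(False, False, "authentication failed")
    age = now - acct.set_time
    remaining = policy.aging - age
    if remaining > policy.expiry_notice:
        return LoginResult(True, False)
    if remaining > timedelta(0):  # inside the notice window: warn, offer a change
        return LoginResult(True, False, f"password expires in {remaining.days} days")
    past_expiry = age - policy.aging
    if past_expiry <= policy.expired_window and acct.expired_logins_used < policy.expired_logins:
        acct.expired_logins_used += 1
        left = policy.expired_logins - acct.expired_logins_used
        return LoginResult(True, False, f"password expired; {left} more logins allowed")
    return LoginResult(False, True, "password expired: a new password is required")


def walkthrough() -> dict:
    """Constructed scenario (accounts and dates are made up); returns the outcomes."""
    policy, t0 = Policy(), datetime(2024, 1, 1)
    alice = Account("alice", "Winter-2024-long", t0)
    out = {}
    out["day30"] = login(policy, alice, alice.password, t0 + timedelta(days=30))
    out["day85"] = login(policy, alice, alice.password, t0 + timedelta(days=85))
    out["change_day1"] = change_password(policy, alice, "Another-long-one", "Another-long-one",
                                         t0 + timedelta(days=1))
    out["short"] = change_password(policy, alice, "short", "short", t0 + timedelta(days=3))
    grace = [login(policy, alice, alice.password, t0 + timedelta(days=91 + i)) for i in range(4)]
    out["grace_allowed"] = [r.allowed for r in grace]
    out["change_after_expiry"] = change_password(policy, alice, "Spring-2024-long",
                                                 "Spring-2024-long", t0 + timedelta(days=95))
    bob = Account("bob", "Summer-2024-long", t0)        # never logged in after expiry
    out["late"] = login(policy, bob, bob.password, t0 + timedelta(days=106))
    admin = Account("admin", "Manage-2024-long", t0, manage_level=True)
    out["manage_nonfips"] = change_password(policy, admin, "Manage-2024-next", "Manage-2024-next",
                                            t0 + timedelta(days=1))
    admin2 = Account("admin2", "Manage-2024-long", t0, manage_level=True)
    out["manage_fips"] = change_password(Policy(fips_mode=True), admin2, "Manage-2024-next",
                                         "Manage-2024-next", t0 + timedelta(days=1))
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key:20} {value}")
```

The scenario shows the rules composing: the day-1 change is refused for an operator-level user but accepted for a manage-level user in non-FIPS mode (and refused again once `fips_mode` is set), the three grace logins are consumed one per day after expiry with the fourth denied, and the change made after expiry is exempt from the update interval because the old password has aged out.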
• Password history
With this feature enabled, the system maintains passwords that a user has used. When a user
changes the password, the system checks the new password against the used ones. The new
password must be different from the used ones by at least four characters and the four