434
characters must not be the same. Otherwise, the user will fail to change the password and the
system displays an error message.
You can set the maximum number of history password records for the system to maintain for
each user. When the number of history password records exceeds your setting, the most recent
record overwrites the earliest one.
• Login attempt limit
Limiting the number of consecutive failed login attempts can effectively prevent password
guessing.
If an FTP or VTY user fails authentication, the system adds the user to a password control
blacklist. If a user fails to provide the correct password after the specified number of
consecutive attempts, the system takes one of the following actions:
{ Prohibits the user from logging in until the user is removed from the password control
blacklist manually.
{ Allows the user to try continuously and removes the user from the password control blacklist
when the user logs in to the system successfully or the blacklist entry times out (the blacklist
entry aging time is 1 minute).
{ Prohibits the user from logging in within a configurable period of time, and allows the user to
log in again after the period of time elapses or the user is removed from the password
control blacklist.
A password control blacklist can contain up to 1024 entries.
A login attempt using a wrong username will undoubtedly fail but the username will not be
added into the password control blacklist.
Web users failing login authentication are not blacklisted. Users accessing the system through
the console or AUX ports are not blacklisted either, because the system is unable to obtain the
IP addresses of these users and these users are privileged and therefore relatively secure to
the system.
• Password composition policy
A password can be a combination of characters from the following types:
{ Uppercase letters A to Z.
{ Lowercase letters a to z.
{ Digits 0 to 9.
{ Special characters. For information about special characters, see the password command
in Security Command Reference.
Depending on the system's security requirements, you can set the minimum number of
character types a password must contain and the minimum number of characters for each type,
as shown in Table 22.
Table 22
Password composition policy
Password
combination level
Minimum number of
character types
Minimum number of characters
for each type
Level 1 One One
Level 2 Two One
Level 3 Three One
Level 4 Four One
In non-FIPS mode, all the combination levels are available for a password. In FIPS mode, only
the level 4 combination is available for a password.
When a user sets or changes the password, the system checks if the password meets the
composition requirement. If not, the system displays an error message.
To Next Page
Loading...
Need help?
General
