You can increase the security of your system by enforcing password restrictions, which make it more difficult for unauthorized users to access your system. You can specify that each password must include at least two characters from each of the following four character types:
- Upper-case A-Z
- Lower-case a-z
- Digits 0-9
- Special characters !, @, #, $, %, ^, *, (, )
You can also enforce a minimum password length, and set a maximum and minimum password age (time limits after which the password will not be accepted).
By default, lockout-on-login-failures is not enabled. The default settings are as follows:
- configure account all password-policy lockout-on-login-failures off
- configure account all password-policy lockout-time-period until-cleared
To increase security, you can lock users out of the system entirely after three consecutive failed logon attempts. After a user's account is locked out (using the configure account password-policy lockout-on-login-failures command), it must be re-enabled by an administrator.
Version 33.1.1 adds further restrictions for more secure user name and password combinations. These include the following:
- A user name and password cannot be the same.
- The same letter or number cannot appear in succession in the passphrase (no '11' or 'aa' in the passphrase).
- Sequential input (logical and keyboard indexed) beyond 3 characters is prohibited. For example: 1234, abcd, qwer, zxcv.
- Any password used within the last three months is prohibited.
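The following Python checker is an added illustration of the rules listed above (the four character groups with at least two characters each, minimum length, no repeated character, no user-name match, no sequence longer than 3 characters, minimum changed characters and password history); it is not Extreme Networks code and is not from the original page. The field names borrow the CLI keywords from the commands on the page, but the defaults, the meaning of "logical and keyboard indexed" sequence (consecutive code points or consecutive keys on an assumed US QWERTY row, in either direction), the way "different characters" are counted, and the storage of history as SHA-256 digests are all assumptions of this example.

```python
"""Password-policy checker modelled on the rules described in the text above.

Added illustration, not Extreme Networks code: field names borrow the CLI
keywords from the page, but how each rule is interpreted (what counts as a
sequence, how 'different characters' are counted, how history is stored)
is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
import hashlib

# The four character groups named in the text (note the page's special-character set).
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
DIGITS = set("0123456789")
SPECIALS = set("!@#$%^*()")
# Rows used for the "keyboard indexed" sequence check (assumed US QWERTY layout).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


@dataclass
class PasswordPolicy:
    """Mirrors the password-policy keywords; the defaults are assumed, not the switch's."""
    char_validation: str = "all-char-groups"      # "none" | "all-char-groups"
    min_length: Optional[int] = 8                  # num_characters | None
    char_repeat: str = "deny"                      # "permit" | "deny"
    username_match: str = "deny"                   # "permit" | "deny"
    long_sequence: str = "deny"                    # "permit" | "deny"
    min_different_characters: Optional[int] = None
    history_depth: Optional[int] = 5               # previous passwords remembered


def digest(password: str) -> str:
    """Digest kept in the history list. Production code should reuse the
    credential store's salted hash rather than a bare SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def has_two_of_each_group(pw: str) -> bool:
    """At least two characters from each of the four groups."""
    return all(sum(c in group for c in pw) >= 2
               for group in (UPPER, LOWER, DIGITS, SPECIALS))


def is_sequence(chunk: str) -> bool:
    """True if chunk is consecutive code points in either direction (1234, dcba)
    or consecutive keys on one keyboard row in either direction (qwer, vcxz)."""
    low = chunk.lower()
    steps = {ord(b) - ord(a) for a, b in zip(low, low[1:])}
    if steps in ({1}, {-1}):
        return True
    return any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)


def contains_long_sequence(pw: str, limit: int = 3) -> bool:
    """Any run longer than `limit` characters that forms a sequence."""
    n = limit + 1
    return any(is_sequence(pw[i:i + n]) for i in range(len(pw) - n + 1))


def different_characters(new: str, old: str) -> int:
    """Assumed metric: positions that differ, plus any difference in length."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def check_password(pw: str, username: str, policy: PasswordPolicy,
                   old_password: Optional[str] = None,
                   history: Iterable[str] = ()) -> List[str]:
    """Return the violated rules (an empty list means the password is acceptable).
    Each entry starts with the CLI keyword of the rule it violates."""
    violations = []
    if policy.char_validation == "all-char-groups" and not has_two_of_each_group(pw):
        violations.append("char-validation: need two characters from each of the four groups")
    if policy.min_length is not None and len(pw) < policy.min_length:
        violations.append(f"min-length: fewer than {policy.min_length} characters")
    if policy.char_repeat == "deny" and any(a == b for a, b in zip(pw, pw[1:])):
        violations.append("char-repeat: same character appears twice in succession")
    if policy.username_match == "deny" and pw == username:
        violations.append("username-match: password is identical to the user name")
    if policy.long_sequence == "deny" and contains_long_sequence(pw):
        violations.append("long-sequence: sequential input longer than 3 characters")
    if (policy.min_different_characters and old_password is not None
            and different_characters(pw, old_password) < policy.min_different_characters):
        violations.append(f"min-different-characters: fewer than "
                          f"{policy.min_different_characters} characters changed")
    if policy.history_depth and digest(pw) in list(history)[-policy.history_depth:]:
        violations.append("history: password was used recently")
    return violations


if __name__ == "__main__":
    policy = PasswordPolicy(min_different_characters=3)
    # Constructed sample candidates: one compliant, one with a repeat and a digit
    # run, one with a keyboard-row run.
    for candidate in ("Ab1!Cd2@", "aa1234AB!@", "Qwer12!@Ab"):
        print(candidate, "->", check_password(candidate, "alice", policy) or "OK")
```

Running the script prints each constructed candidate with the rules it breaks; a practitioner can drop in a real policy's values (for instance a larger history depth or a longer minimum length) to see which of the switch's rules a proposed password would trip before it is ever sent to the device.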
- To set character requirements for the password, use the following command:
  configure account [all | name] password-policy char-validation [none | all-char-groups]
- To configure the number of characters in a revised password that must be changed from the existing password, use the following command:
  configure account [all | name] password-policy min-different-characters [count]
- To set a minimum length for the password, use the following command:
  configure account [all | name] password-policy min-length [num_characters | none]
- To age out the password after a specified time, use the following command:
  configure account [all | name] password-policy max-age [num_days | none]
- To configure a minimum password lifespan, use the following command:
  configure account [all | name] password-policy min-age [num_days | none]
- To specify that the same letter or number cannot appear in succession in the passphrase, use the following command:
  configure account [all | name] password-policy char-repeat [permit | deny]
- To specify that the user name and passphrase cannot match, use the following command:
  configure account [all | name] password-policy username-match [permit | deny]
- To prohibit sequential input (logical and keyboard indexed) beyond 3 characters, use the following command:
  configure account [all | name] password-policy long-sequence [permit | deny]
- To block users from reusing previously used passwords, use the following command:
  configure account [all | name] password-policy history [num_passwords | duration days | none]
- To disable an account after three consecutive failed logon attempts, use the following command:
  configure account [all | name] password-policy lockout-on-login-failures [on | off]
  Note: If you are not working on SSH, you can configure the number of failed logons that trigger lockout using the configure cli max-failed-logins num-of-logins command. (This command also sets the number of failed logons that terminate the particular session.)
- To re-enable a locked-out account, use the following command:
  clear account [all | name] lockout
  Selecting the all option affects the setting of all existing and future new accounts.
- To view account settings, use the following command:
  show accounts password-policy