After you enable enhanced secure mode on the switch, the password requirements are stronger. The individual in the administrator access level role configures and provides a temporary user name and password. After you log in for the first time with the temporary user name and temporary password, the system forces you to change the temporary password. After you change the temporary password, you cannot use the password again in subsequent sessions.
The following topics discuss the enhanced password requirements.
After you enable enhanced secure mode, the system checks each password change request to ensure the new password meets the required password complexity.
The default for the password complexity rule includes the following:
Two uppercase characters, from the range: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Two lowercase characters, from the range: abcdefghijklmnopqrstuvwxyz
Two numeric characters, from the range: 1234567890
Two special characters, from the range: `~!@#$%^&*()_-+={[}]|\:;"'<,>.?/
The system enforces a minimum password length of 15 characters after you enable enhanced secure mode.
If the password is not long enough, the system displays the following message:
Password change aborted. The new password does not meet the minimum complexity requirement. Please select another password that meets the change interval, length, complexity, no consecutive repeating characters or history requirements of the domain.
The system enforces a minimum password change interval, which defines the minimum amount of time before you can change to a new password. By default, the minimum change interval is 24 hours between changing from one password to a new password. When you attempt to change your password, the system checks the timestamp for your password to determine if enough time has passed to enable you to change the password.
If you attempt to change the password and not enough time has passed, the system rejects the request, and the system informs you that the password was recently changed. Any password change outside of the enforced interval requires the Administrator to approve the change.
If you try to change the password before the change interval allows, the system displays the following message:
Password change aborted. The new password does not meet the minimum complexity requirement. Please select another password that meets the change interval, length, complexity, no consecutive repeating characters or history requirements of the domain.
The system enforces a minimum password change requirement: at least 8 characters of the new password must differ, position by position, from the old password.
If fewer than 8 positions differ between the new password and the old password, the system rejects the password and displays the following message:
The password change failed, less than eight characters were changed.
After you enable enhanced secure mode, the administrator access level can define the number of old passwords that cannot be reused. The password reuse rule ensures that recently used passwords are not reused immediately, which reduces the risk of someone gaining unauthorized access to the system. The default number of prohibited recently used passwords is 3, but you can define up to 99.
The system saves the password history and stores the history in an encrypted format, along with the user name and date of change. If a particular user attempts to change a password, the system checks the new password against the stored passwords the user has previously used. If the password is on the list of previously used passwords, the system rejects the password change, and displays the following message:
Old password not allowed.
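The following checker, added here as an example and not the switch's own code, mirrors the three rules described above: the character-class minimums and 15-character minimum length, the 8 changed positions, and the reuse history. The Policy and UserRecord classes, the salted-SHA-256 history store (the page says only that the history is stored encrypted), the rule that positions beyond the shorter password count as changed, and the order in which the checks run are assumptions; the rejection messages are the ones quoted above. The "no consecutive repeating characters" requirement named in the complexity message is not defined on this page, so it is not modelled.

```python
# Added example, not the switch's own code: a checker that mirrors the
# enhanced-secure-mode password rules described above (character-class
# minimums, 15-character minimum, 8 changed positions, reuse history).
# Policy, UserRecord, the salted-SHA-256 history store and the order of
# the checks are assumptions; the rejection messages are the page's own.
import hashlib
import os
import string
from dataclasses import dataclass, field

SPECIAL = set("`~!@#$%^&*()_-+={[}]|\\:;\"'<,>.?/")   # special-character range from the page
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGIT = set(string.digits)

COMPLEXITY_MSG = ("Password change aborted. The new password does not meet the minimum "
                  "complexity requirement. Please select another password that meets the "
                  "change interval, length, complexity, no consecutive repeating characters "
                  "or history requirements of the domain.")
POSITION_MSG = "The password change failed, less than eight characters were changed."
HISTORY_MSG = "Old password not allowed."


@dataclass(frozen=True)
class Policy:
    min_length: int = 15     # enforced once enhanced secure mode is enabled
    min_upper: int = 2
    min_lower: int = 2
    min_digit: int = 2
    min_special: int = 2
    min_changed: int = 8     # positions that must differ from the old password
    history_depth: int = 3   # default 3, configurable up to 99


@dataclass
class UserRecord:
    name: str
    history: list = field(default_factory=list)   # newest first: (salt, digest)


def complexity_ok(pw: str, p: Policy = Policy()) -> bool:
    """Minimum length plus two characters from each of the four classes."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for c in pw:
        if c in UPPER:
            counts["upper"] += 1
        elif c in LOWER:
            counts["lower"] += 1
        elif c in DIGIT:
            counts["digit"] += 1
        elif c in SPECIAL:
            counts["special"] += 1
    return (len(pw) >= p.min_length
            and counts["upper"] >= p.min_upper
            and counts["lower"] >= p.min_lower
            and counts["digit"] >= p.min_digit
            and counts["special"] >= p.min_special)


def positions_changed(old: str, new: str) -> int:
    """Positions at which the new password differs from the old one.
    Assumption: positions beyond the shorter password count as changed."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def _digest(pw: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pw.encode("utf-8")).hexdigest()


def remember(rec: UserRecord, pw: str) -> None:
    """Record a password in the user's history. The page says the store is
    encrypted; a per-entry salted hash is used here as a stand-in (assumption)."""
    salt = os.urandom(16)
    rec.history.insert(0, (salt, _digest(pw, salt)))


def in_history(pw: str, rec: UserRecord, depth: int) -> bool:
    """True if pw matches any of the last `depth` passwords on record."""
    return any(_digest(pw, salt) == d for salt, d in rec.history[:depth])


def change_password(rec: UserRecord, old: str, new: str, p: Policy = Policy()):
    """Apply the rules in turn and return (accepted, message).
    The caller is assumed to have already authenticated `old`."""
    if not complexity_ok(new, p):
        return False, COMPLEXITY_MSG
    if positions_changed(old, new) < p.min_changed:
        return False, POSITION_MSG
    if in_history(new, rec, p.history_depth):
        return False, HISTORY_MSG
    remember(rec, new)
    return True, "Password changed."


if __name__ == "__main__":
    # Constructed sample run: seed a user with a current password, then try
    # a 14-character password, a one-position change, a full change, and reuse.
    user = UserRecord("auditor1")
    current = "Aa1!Bb2@CcDdEeF"
    remember(user, current)
    for candidate in ("Aa1!Bb2@CcDdEe", "Aa1!Bb2@CcDdEeG", "Zz9#Yy8$XxWwVvU"):
        print(candidate, "->", change_password(user, current, candidate))
    print(current, "->", change_password(user, "Zz9#Yy8$XxWwVvU", current))
```

Running the sample rejects the 14-character candidate with the complexity message, rejects the candidate that changes only the last character with the "less than eight characters" message, accepts the fully changed password, and then refuses an attempt to change back to the original because it is still within the three-entry history.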
The system enforces automatic password renewal and locks the account after the expiration period, because the longer the same password stays in use, the longer a compromised password remains useful to an attacker.
You can configure the password expiration period to a range of 1 to 365 days. The default password expiration period is 90 days.
The password max-sessions value is the maximum number of SSH sessions that a user of a particular role-based access level can hold open on the switch at the same time. The max-sessions value applies only to SSH sessions, and only with enhanced secure mode enabled.
After the maximum number of sessions is reached, that type of user cannot log in again until a session closes. For example, if max-sessions for the auditor user is configured as 5, the auditor user can hold at most five concurrent SSH sessions. The default is 3.
After enhanced secure mode is enabled, the switch enforces password expiry. To ensure a user does not lose access, the switch offers pre- and post-notification messages explaining when the password will expire.
The administrator can define pre- and post-notification intervals of between 1 and 99 days.
The system stores each password with a time stamp from which the expiration date is computed. When you log in, the system compares the password time stamp with the notification timer values. For example, if the administrator configures the pre-notification interval to 30 days and, at login, the password is due to expire within 30 days, the system displays the first notification.
The pre-notification intervals provide messages to warn users that their passwords will expire within a particular timeframe:
interval 1—By default, interval 1 is 30 days.
interval 2—By default, interval 2 is 7 days.
interval 3—By default, interval 3 is 1 day.
The post-notification intervals provide notification to users that their passwords have expired within a particular timeframe:
interval 1—By default, interval 1 is 1 day.
interval 2—By default, interval 2 is 7 days.
interval 3—By default, interval 3 is 30 days.
If you do not change the password before the expiry date, the system locks your account. When your account is locked, only the administrator can unlock the account. The administrator creates a temporary password, and then you can log in with the temporary password. If the administrator password expires and the configured notification interval lapses, access over SSH/Telnet/FTP connections is denied. The administrator must connect to the console port using a serial connection to change the password.
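The following model, added here as an example and not the switch's own code, puts the timers described above on one timeline: the minimum change interval, the expiry period, the three pre-notification intervals and the three post-notification intervals, using the page's defaults (24 hours, 90 days, 30/7/1 days and 1/7/30 days). The ExpiryPolicy and Status classes, the rounding of remaining or elapsed time up to whole days, and the choice to report the tightest notification window that covers the current day are assumptions; the page describes the notifications but not how they are rendered.

```python
# Added example, not the switch's own code: a model of the change-interval,
# expiry and pre/post-notification timers described above, using the
# page's defaults (24 h interval, 90-day expiry, 30/7/1 and 1/7/30 days).
# ExpiryPolicy, Status and the whole-day rounding are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta

ONE_DAY = timedelta(days=1)


@dataclass(frozen=True)
class ExpiryPolicy:
    min_change_interval: timedelta = timedelta(hours=24)   # default 24 hours
    expiry_days: int = 90                                    # 1..365, default 90
    pre_notify_days: tuple = (30, 7, 1)                      # intervals 1..3, each 1..99
    post_notify_days: tuple = (1, 7, 30)                     # intervals 1..3, each 1..99


@dataclass(frozen=True)
class Status:
    locked: bool
    kind: str        # "ok", "pre", "post" or "expired" (past the last post window)
    interval: int    # which notification interval fired, 0 if none
    days: int        # whole days until expiry (pre) or since expiry (post)


def change_allowed(last_changed: datetime, now: datetime,
                   p: ExpiryPolicy = ExpiryPolicy()) -> bool:
    """Minimum change interval: the password time stamp must be old enough."""
    return now - last_changed >= p.min_change_interval


def _ceil_days(delta: timedelta) -> int:
    """Round a non-negative duration up to whole days (12 h -> 1 day)."""
    return -((-delta) // ONE_DAY)


def _tightest(windows, days):
    """1-based index of the smallest window that still covers `days`, or 0."""
    fired = [(w, i + 1) for i, w in enumerate(windows) if days <= w]
    return min(fired)[1] if fired else 0


def login_status(last_changed: datetime, now: datetime,
                 p: ExpiryPolicy = ExpiryPolicy()) -> Status:
    """What the switch would tell a user at login time."""
    expires_at = last_changed + timedelta(days=p.expiry_days)
    if now < expires_at:
        days_left = _ceil_days(expires_at - now)
        i = _tightest(p.pre_notify_days, days_left)
        return Status(False, "pre" if i else "ok", i, days_left)
    # Expired: the account is locked and only the administrator can unlock it.
    days_over = _ceil_days(now - expires_at)
    i = _tightest(p.post_notify_days, days_over)
    return Status(True, "post" if i else "expired", i, days_over)


# Constructed sample timeline: the password was last changed on this date.
CHANGED = datetime(2024, 1, 1)


def change_allowed_after(hours: float) -> bool:
    """Sample helper: may the user change the password `hours` after CHANGED?"""
    return change_allowed(CHANGED, CHANGED + timedelta(hours=hours))


def status_after(days: float, p: ExpiryPolicy = ExpiryPolicy()) -> Status:
    """Sample helper: login status `days` after CHANGED."""
    return login_status(CHANGED, CHANGED + timedelta(days=days), p)


if __name__ == "__main__":
    print("change after 12 h allowed:", change_allowed_after(12))
    print("change after 24 h allowed:", change_allowed_after(24))
    for days in (59, 60, 85, 89.5, 90, 95, 100, 200):
        print(f"day {days}:", status_after(days))
```

On the default timeline the first warning appears at day 60 (30 days left), the second at day 83 (7 days left), the third on the last day, and from day 90 the account is reported as locked with the matching post-notification interval until day 120, after which only the locked state remains.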