password-attributes

Configures global password attributes.

Syntax

password-attributes { [ max-logins maxlogins ][ max-retry maxretry ] [ min-length minlen ] [ max-logins maxlogin][ history number] [repeat minnum ] [ sequence number] [ login-notify-duration hours] [ admin-lockout | character-restriction { [ lower numlower ] [ numeric numdigits ] [ special-char numsplchars ] [ upper numupper ] } ] [ force-default-password-change ][ max-password-age number-of-days ] }
no password-attributes { [ max-logins maxlogins ][ max-retry maxretry ] [ min-length minlen ] [ max-logins maxlogin][ history number] [repeat minnum ] [ sequence number] [ login-notify-duration hours] [ admin-lockout | character-restriction { [ lower numlower ] [ numeric numdigits ] [ special-char numsplchars ] [ upper numupper ] } ] [ force-default-password-change ][ max-password-age number-of-days ] }

Command Default

The default for min-length is 8. All other defaults are 0.

Parameters

admin-lockout
Enables lockout for admin role accounts.
character-restriction
Configures the restriction on various types of characters.
lower numlower
Specifies the minimum number of lowercase alphabetic characters that must occur in the password. Values range from 0 through 32 characters. The default value is 0.
numeric numdigits
Specifies the minimum number of numeric characters that must occur in the password. Values range from 0 through 32 characters. The default is 0.
special-char numsplchars
Specifies the number of punctuation characters that must occur in the password. All printable, non-alphanumeric punctuation characters except colon (:) are allowed. Values range from 0 through 32 characters. The default value is 0.
upper numupper
Specifies the minimum number of uppercase alphabetic characters that must occur in the password. Values range from 0 through 32 characters. The default value is 0.
max-logins maxlogins
Specifies the maximum number of log-in sessions for a user. Values range from 0 through 10. The default value is 0.
max-retry maxretry
Specifies the number of failed password log-ins permitted before a user is locked out. Values range from 0 through 16. The default value is 0.
min-length minlen
Specifies the minimum length of the password. Valid values range from 8 through 32 characters. The default is 8 characters.
max-logins maxlogin
Specifies the maximum number of log-in sessions allowed per local user. Valid values range from 0 through 10. The default is 0, representing an infinite number of log-ins.
history number
Specifies the number of old passwords against which a newly configured password is checked. The new password is discarded if it matches an old password. Valid values range from 0 through 10. The default is 0.
repeat minnum
Specifies the minimum number of consecutive repetitive characters in a newly configured password. The new password is discarded if it has consecutive repetitive characters (for example, aaa, xxx, 1111). Configure 1 to disable this check. The default is 1.
sequence number
Specifies the minimum number of consecutive sequential characters, in both forward and reverse direction (for example, abc, cba), in a newly configured password. The new password is discarded if it has consecutive sequential characters (for example, abc, xyz, fedc). Configure 1 to disable this check. The default is 1.
login-notify-duration hours
Specifies the duration in hours for which the admin is notified of the number of last successful attempts. Use value 0 to disable the notification. Valid values range from 0 through 120. The default is 0.
force-default-password-change
Forces the user to change the password at first login. This is applicable to all default accounts on the system.
max-password-age number-of-days
Specifies the number of days after which the user is forced to change the password. The default value is zero (0) indicating that the password does not expire and need not be changed.

Modes

Global configuration mode

Usage Guidelines

To reset password attributes to their default values, run the no form of this command.

If you use PuTTY to open a telnet session and then close the session by closing the PuTTY window, the max-logins feature does not count the session as closed because the client does not send an application layer closure message to be processed by the PAM module. Therefore, if max-logins is enabled when you use PuTTY to open a telnet session, use the exit command to close the session.

The max-logins feature does not apply to REST log-ins and RESTCONF log-ins.

Examples

The following example configures global password attributes and verifies the configuration.

device# configure terminal
device(config)# password-attributes max-retry 4 
device(config)# password-attributes character-restriction lower 2 
device(config)# password-attributes character-restriction upper 1 numeric 1 special-char 1 
device(config)# exit 
device# show running-config password-attributes
 
password-attributes max-retry 4
password-attributes character-restriction upper 1
password-attributes character-restriction lower 2
password-attributes character-restriction numeric 1
password-attributes character-restriction special-char 1
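
The min-length, character-restriction, repeat and sequence rules from the Parameters section, applied to the configuration shown above, as an added Python example (not vendor code and not part of the original page). The function names are hypothetical, the last three configuration lines are constructed, and the code assumes that a run of N or more characters causes rejection and that a colon is not counted as a special character.

```python
import string

# Defaults as stated in the parameter descriptions on this page.
DEFAULTS = {"min-length": 8, "lower": 0, "upper": 0, "numeric": 0,
            "special-char": 0, "repeat": 1, "sequence": 1}

# First five lines: the example output above. Last three: constructed for this example.
SAMPLE_CONFIG = """\
password-attributes max-retry 4
password-attributes character-restriction upper 1
password-attributes character-restriction lower 2
password-attributes character-restriction numeric 1
password-attributes character-restriction special-char 1
password-attributes min-length 10
password-attributes repeat 3
password-attributes sequence 3
"""

def parse_policy(text):
    """Overlay 'keyword value' pairs from running-config lines onto the defaults."""
    policy = dict(DEFAULTS)
    for line in text.splitlines():
        tokens = [t for t in line.split() if t != "character-restriction"]
        if tokens[:1] == ["password-attributes"]:
            # Value-less flags such as admin-lockout never pair with a number.
            policy.update({k: int(v) for k, v in zip(tokens, tokens[1:]) if v.isdigit()})
    return policy

def longest_run(pw, step):
    """Longest run in which each character's code point is the previous one plus step."""
    best = run = 1 if pw else 0
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if ord(b) - ord(a) == step else 1
        best = max(best, run)
    return best

def violations(pw, policy):
    """Return the names of the policy attributes the candidate password breaks."""
    counts = {"min-length": len(pw),
              "lower": sum(c.islower() for c in pw),
              "upper": sum(c.isupper() for c in pw),
              "numeric": sum(c.isdigit() for c in pw),
              # Assumption: a colon does not count toward special-char.
              "special-char": sum(c in string.punctuation and c != ":" for c in pw)}
    bad = [k for k, n in counts.items() if n < policy[k]]
    # Assumed reading: a run of N or more is rejected; N = 1 disables the check.
    runs = {"repeat": longest_run(pw, 0),
            "sequence": max(longest_run(pw, 1), longest_run(pw, -1))}
    bad += [k for k, n in runs.items() if 1 < policy[k] <= n]
    return bad
```

Calling violations("aaa:BCD1", parse_policy(SAMPLE_CONFIG)) reports min-length, special-char, repeat and sequence, while an empty configuration falls back to the page's defaults, under which only min-length 8 is enforced.
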

The following example resets the character restriction attributes and verifies the configuration.

device# configure terminal
device(config)# no password-attributes character-restriction lower 
device(config)# no password-attributes character-restriction upper 
device(config)# exit
device# show running-config password-attributes
 
password-attributes max-retry 4
password-attributes character-restriction numeric 1
password-attributes character-restriction special-char 1

The following example clears all global password attributes.

device# configure terminal
device(config)# no password-attributes 
device(config)# exit 
device# show running-config password-attributes
 
% No entries found.

The following example sets the maximum number of retries to 3 and enables lockout policy for admin role accounts.

device# configure terminal
device(config)# password-attributes max-retry 3 admin-lockout

Example

The following example shows the configuration to force a user to change their login password the first time they log in.

Enable forcing default password change:
SLX(config)# password-attributes force-default-password-change

Display password-attribute configuration:
SLX# show running-config password-attributes 
password-attributes force-default-password-change
SLX#

Example

The following example shows how to set the maximum number of days for the user account password. After the maximum number of days has been reached, the user should change the password. The default value is 0, which means that password expiration is disabled.

Configure Maximum password age parameter:
SLX(config)# password-attributes max-password-age 4

Remove Maximum password age configuration:
SLX(config)# no password-attributes max-password-age 

Display Maximum password age configuration:
SLX# show running-config password-attributes 
password-attributes max-password-age 4
SLX#