16-Password Control Configuration


Contents

Configuring password control
  Overview
    Password setting
    Password updating and expiration
    User login control
    Password not displayed in any form
    Logging
  FIPS compliance
  Password control configuration task list
  Enabling password control
  Setting global password control parameters
  Setting user group password control parameters
  Setting local user password control parameters
  Setting super password control parameters
  Displaying and maintaining password control
  Password control configuration examples
    Basic password control configuration example
Configuring password control
Overview
Password control allows you to implement the following features:
• Manage login and super password setup, expirations, and updates for local users.
• Control user login status based on predefined policies.
Local users are divided into two types: device management users and network access users. For
more information about local users, see "Configuring AAA."

Password setting
Minimum password length
You can define the minimum length of user passwords. If a user enters a password that is shorter
than the minimum length, the system rejects the password.
Password composition policy
A password can be a combination of characters from the following types:
• Uppercase letters A to Z.
• Lowercase letters a to z.
• Digits 0 to 9.
• Special characters in Table 1.
Table 1 Special Characters

Character name       Symbol   Character name        Symbol
Ampersand sign       &        Apostrophe            '
Asterisk             *        At sign               @
Back quote           `        Back slash            \
Blank space          N/A      Caret                 ^
Colon                :        Comma                 ,
Dollar sign          $        Dot                   .
Equal sign           =        Exclamation point     !
Left angle bracket   <        Left brace            {
Left bracket         [        Left parenthesis      (
Minus sign           -        Percent sign          %
Plus sign            +        Pound sign            #
Quotation marks      "        Right angle bracket   >
Right brace          }        Right bracket         ]
Right parenthesis    )        Semi-colon            ;
Slash                /        Tilde                 ~
Underscore           _        Vertical bar          |

Depending on the system's security requirements, you can set the minimum number of character
types a password must contain and the minimum number of characters for each type, as shown
in Table 2.
Table 2 Password composition policy

Password combination level   Minimum number of character types   Minimum number of characters for each type
Level 1                      One                                 One
Level 2                      Two                                 One
Level 3                      Three                               One
Level 4                      Four                                One

In non-FIPS mode, all the combination levels are available for a password. In FIPS mode, only the
level 4 combination is available for a password.
When a user sets or changes a password, the system checks if the password meets the combination
requirement. If not, the operation fails.
Password complexity checking policy
A less complicated password such as a password containing the username or repeated characters is
more likely to be cracked. For higher security, you can configure a password complexity checking
policy to ensure that all user passwords are relatively complicated. With such a policy configured,
the system checks the complexity of every password a user configures. If the password does not
meet the complexity requirements, the configuration fails.
You can apply the following password complexity requirements:
• A password cannot contain the username or the reverse of the username. For example, if the
username is abc, a password such as abc982 or 2cba is not complex enough.
• A minimum of three identical consecutive characters is not allowed. For example, password
a111 is not complex enough.

Password updating and expiration


Password updating
This feature allows you to set the minimum interval at which users can change their passwords. If a
user logs in to change the password but the time passed since the last change is less than this
interval, the system denies the request. For example, if you set this interval to 48 hours, a user
cannot change the password twice within 48 hours.
The minimum interval is not enforced when a user is prompted to change the password at the first
login or after the password aging time expires.
Password expiration
Password expiration imposes a lifecycle on a user password. After the password expires, the user
needs to change the password.
If a user enters an expired password when logging in, the system displays an error message. The
user is prompted to provide a new password and to confirm it by entering it again. The new password
must be valid, and the user must enter exactly the same password when confirming it.

Telnet users, SSH users, and console users can change their own passwords. The administrator
must change passwords for FTP users.
Early notice on pending password expiration
When a user logs in, the system checks whether the password will expire in a time equal to or less
than the specified notification period. If so, the system notifies the user when the password will expire
and provides a choice for the user to change the password. If the user sets a new password that is
complexity-compliant, the system records the new password and the setup time. If the user chooses
not to change the password or the user fails to change it, the system allows the user to log in using
the current password.
Login with an expired password
You can allow a user to log in a certain number of times within a period of time after the password
expires. For example, if you set the maximum number of logins with an expired password to 3 and
the time period to 15 days, a user can log in three times within 15 days after the password expires.
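The aging, update-interval, early-notice and expired-login timers described above interact at every login. The following model, an added example that is not code from the guide or from the device, shows how a login is classified from the recorded set time and the current UTC time (the guide's reason for requiring NTP). The dataclass and function names, the constructed reference time T0, and the fallback "deny once the post-expiration window or login count is used up" (the guide does not state what happens then) are this example's assumptions.

```python
"""Password aging, update-interval and expired-login model (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference time (UTC)


def at(days: float = 0, hours: float = 0) -> datetime:
    """Helper for building timestamps relative to T0."""
    return T0 + timedelta(days=days, hours=hours)


@dataclass
class AgingPolicy:
    aging_days: int = 90                # password-control aging
    update_interval_hours: int = 24     # password-control update-interval
    alert_before_expire_days: int = 7   # password-control alert-before-expire
    expired_login_delay_days: int = 30  # password-control expired-user-login delay
    expired_login_times: int = 3        # password-control expired-user-login times


@dataclass
class PasswordRecord:
    set_at: datetime              # UTC time recorded when the password was set
    expired_logins_used: int = 0  # logins already consumed after expiration


def expires_at(policy: AgingPolicy, rec: PasswordRecord) -> datetime:
    return rec.set_at + timedelta(days=policy.aging_days)


def login_decision(policy: AgingPolicy, rec: PasswordRecord, now: datetime) -> str:
    """Classify a login attempt made with the current password.

    "allow"              valid, nothing to report
    "allow-warn"         valid but expires within the alert window; offer a change
    "allow-must-change"  expired, but inside the post-expiration allowance
    "deny"               expired and the allowance (window or count) is used up
    """
    exp = expires_at(policy, rec)
    if now < exp:
        if exp - now <= timedelta(days=policy.alert_before_expire_days):
            return "allow-warn"
        return "allow"
    window_end = exp + timedelta(days=policy.expired_login_delay_days)
    if now < window_end and rec.expired_logins_used < policy.expired_login_times:
        rec.expired_logins_used += 1   # one permitted expired login consumed
        return "allow-must-change"
    return "deny"                       # assumption: no further logins until reset


def change_allowed(policy: AgingPolicy, rec: PasswordRecord, now: datetime,
                   forced: bool = False) -> bool:
    """Minimum update interval. Not enforced for first-login or post-expiration
    changes (the guide's stated exception), modelled here by `forced`."""
    if forced:
        return True
    return now - rec.set_at >= timedelta(hours=policy.update_interval_hours)


if __name__ == "__main__":
    # Constructed timeline: 30-day aging, 7-day early notice, 3 logins in 15 days.
    policy = AgingPolicy(aging_days=30, expired_login_delay_days=15, expired_login_times=3)
    rec = PasswordRecord(set_at=T0)
    for day in (10, 26, 32, 33, 34, 35, 50):
        print(f"day {day:2d}: {login_decision(policy, rec, at(days=day))}")
```

With a 30-day aging time the password expires on day 30, the warning starts on day 23, and the three expired logins permitted on days 32 to 34 leave day 35 denied even though the 15-day window is still open.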
Password history
With this feature enabled, the system stores passwords that a user has used.
When a network access user changes the password, the system compares the new password with
the current password and those stored in the password history records. The new password must be
different from the current one and those stored in the history records by a minimum of four characters.
The four characters must be different from one another. Otherwise, the system will display an error
message, and the password will not be changed.
The local passwords and super passwords for device management users are stored in hashed form
and cannot be converted to plain texts. When a device management user changes a local password
or super password, follow these rules:
• If the new password is set by using the hash method, the system will not compare the new
password with the current one and those stored in the history password records.
• If the new password is set in plain text, the system compares the new password with the current
password and those stored in the password history records. A new password must be different
from those stored in the history password records. If the current password is required, the new
password must also be different from the current one by a minimum of four different characters.
Otherwise, the system will display an error message, and the password will not be changed.
You can set the maximum number of history password records for the system to maintain for each
user. When the number of history password records exceeds your setting, the most recent record
overwrites the earliest one.
Current login passwords of device management users are not stored in the password history,
because a device management user password is saved in cipher text and cannot be recovered to a
plaintext password.
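The rules from "Password setting" (minimum length, composition by character type from Tables 1 and 2, username and repeated-character complexity checks) and from "Password history" (the four-character difference against the current and retained passwords) can be expressed as one checker. The following is an added example, not code from the guide or from the device. Its assumptions: violations are returned as short codes; the PasswordPolicy field names mirror the command keywords; and "different by a minimum of four characters, which must differ from one another" is read as "at least four distinct characters of the new password do not occur in the old one", since the guide does not define the comparison more precisely.

```python
"""Composition, complexity and history checks for a candidate password (added example)."""
import re
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Character types: letters, digits, and the special characters of Table 1
# (the blank space counts as a special character).
CHAR_TYPES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set("&'*@`\\ ^:,$.=!<{[(-%+#\">}];/~_|"),
}
ALLOWED = set().union(*CHAR_TYPES.values())
SAME_CHAR_RUN = re.compile(r"(.)\1\1")   # three identical consecutive characters


@dataclass
class PasswordPolicy:
    min_length: int = 10                 # password-control length (non-FIPS default)
    type_number: int = 1                 # password-control composition type-number
    type_length: int = 1                 # password-control composition type-length
    check_user_name: bool = False        # password-control complexity user-name check
    check_same_character: bool = False   # password-control complexity same-character check
    history_records: int = 4             # password-control history
    min_new_chars: int = 4               # "differ by a minimum of four characters"


def differs_enough(new: str, old: str, n: int) -> bool:
    """Assumed reading of the four-character rule: at least n distinct
    characters of `new` are absent from `old`."""
    return len(set(new) - set(old)) >= n


def check_password(pw: str, username: str, policy: PasswordPolicy,
                   current: Optional[str] = None,
                   history: Tuple[str, ...] = ()) -> List[str]:
    """Return the codes of the violated rules; an empty list means accepted."""
    errors: List[str] = []
    if len(pw) < policy.min_length:
        errors.append("length")
    if any(c not in ALLOWED for c in pw):
        errors.append("charset")          # character outside the supported set
    # Composition: how many character types reach type_length characters.
    counts = {name: sum(c in chars for c in pw) for name, chars in CHAR_TYPES.items()}
    if sum(k >= policy.type_length for k in counts.values()) < policy.type_number:
        errors.append("composition")
    if policy.check_user_name and (username in pw or username[::-1] in pw):
        errors.append("user-name")
    if policy.check_same_character and SAME_CHAR_RUN.search(pw):
        errors.append("same-character")
    # History: compare with the current password and the retained records.
    previous = ([current] if current else []) + list(history[-policy.history_records:])
    if any(not differs_enough(pw, old, policy.min_new_chars) for old in previous):
        errors.append("history")
    return errors


def record_history(history: List[str], old_pw: str, policy: PasswordPolicy) -> List[str]:
    """Retain at most history_records entries; the newest overwrites the oldest."""
    return (history + [old_pw])[-policy.history_records:]


if __name__ == "__main__":
    # Constructed inputs mirroring the configuration example (16 chars, 4 types, 4 per type).
    strict = PasswordPolicy(min_length=16, type_number=4, type_length=4,
                            check_user_name=True, check_same_character=True)
    for candidate in ("Abcdef1234!!", "ABCDabcd1234!@#$", "test1111ABCD!@#$"):
        print(f"{candidate!r}: {check_password(candidate, 'test', strict) or 'accepted'}")
```

Note that the username comparison is case-sensitive and that a question mark, which is absent from Table 1, is reported as an unsupported character rather than counted as a special one.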

User login control


First login
If the global password control feature is enabled, users must change the password at first login
before they can access the system. In this situation, password changes are not subject to the
minimum password update interval.
Login attempt limit
Limiting the number of consecutive login failures can effectively prevent password guessing.
Login attempt limit takes effect on FTP and VTY users. It does not take effect on the following types
of users:

• Nonexistent users (users not configured on the device).
• Users logging in to the device through console ports.
If a user fails to log in, the system adds the user account and the user's IP address to the password
control blacklist. When the user reaches the maximum number of consecutive failed attempts, the
login attempt limit acts on the account and IP address in one of the following ways, depending on
the configured exceed action:
• lock: Disables the user account until the account is manually removed from the password control
blacklist.
• unlock: Allows the user to continue using the user account. The user's IP address and user
account are removed from the password control blacklist when the user successfully logs in to
the device with this account.
• lock-time: Disables the user account for a period of time. The user can use the account to log in
again when either of the following conditions exists:
  ◦ The locking timer expires.
  ◦ The account is manually removed from the password control blacklist before the locking
timer expires.

NOTE:
This account is locked only for this user. Other users can still use this account, and the blacklisted
user can use other user accounts.
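The blacklist behaviour above is easiest to reason about as a small state machine. The following is an added example, not code from the guide or from the device. It models the three exceed actions of `password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]` over a blacklist keyed by (user account, source IP), so that, as the note says, a lock applies only to that user of the account, and it applies the two exemptions the section lists (nonexistent users, console logins). Assumptions: SAMPLE_ACCOUNTS holds constructed plaintext passwords purely for the demonstration (the device stores hashes), T0 is a constructed reference time, and a lock-time entry whose timer has elapsed is dropped together with its failure count at the next attempt.

```python
"""Login attempt limit and password control blacklist (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SAMPLE_ACCOUNTS = {"test": "S3cret!Pass"}   # constructed sample credentials
T0 = datetime(2024, 1, 1, 8, 0, 0)            # constructed reference time


def at(seconds: int) -> datetime:
    return T0 + timedelta(seconds=seconds)


@dataclass
class LoginAttemptPolicy:
    login_times: int = 3          # consecutive failures allowed (default 3)
    exceed: str = "lock-time"     # "lock" | "lock-time" | "unlock"
    lock_time_minutes: int = 1    # used with exceed="lock-time" (default 1 minute)


@dataclass
class BlacklistEntry:
    failures: int = 0
    locked_at: Optional[datetime] = None   # set once login_times is reached


class LoginControl:
    def __init__(self, policy: LoginAttemptPolicy, accounts: Dict[str, str]):
        self.policy = policy
        self.accounts = accounts
        self.blacklist: Dict[Tuple[str, str], BlacklistEntry] = {}

    def _lock_active(self, entry: BlacklistEntry, now: datetime) -> bool:
        if entry.locked_at is None:
            return False
        if self.policy.exceed == "lock":
            return True        # stays locked until reset password-control blacklist
        if self.policy.exceed == "lock-time":
            return now < entry.locked_at + timedelta(minutes=self.policy.lock_time_minutes)
        return False           # "unlock": the account is never actually locked

    def login(self, user: str, ip: str, password: str, now: datetime,
              console: bool = False) -> bool:
        """Process one login attempt; True on success."""
        if user not in self.accounts or console:
            # The limit does not apply to nonexistent users or console logins.
            return self.accounts.get(user) == password
        key = (user, ip)
        entry = self.blacklist.get(key)
        if entry is not None:
            if self._lock_active(entry, now):
                return False   # locked: the password is not even checked
            if entry.locked_at is not None:
                del self.blacklist[key]   # lock-time elapsed; start afresh (assumption)
        if self.accounts[user] == password:
            self.blacklist.pop(key, None)  # a successful login clears the entry
            return True
        entry = self.blacklist.setdefault(key, BlacklistEntry())
        entry.failures += 1                # every failure is recorded in the blacklist
        if entry.failures >= self.policy.login_times and self.policy.exceed != "unlock":
            entry.locked_at = now
        return False

    def reset_blacklist(self, user: Optional[str] = None) -> None:
        """Counterpart of reset password-control blacklist [ user-name user-name ]."""
        for key in list(self.blacklist):
            if user is None or key[0] == user:
                del self.blacklist[key]

    def blacklisted(self) -> List[Tuple[str, str]]:
        return sorted(self.blacklist)


if __name__ == "__main__":
    pc = LoginControl(LoginAttemptPolicy(2, "lock-time", 1), dict(SAMPLE_ACCOUNTS))
    for t in (0, 1, 2, 90):
        print(f"t+{t:2d}s wrong -> {pc.login('test', '10.0.0.1', 'nope', at(t))}",
              f"blacklist={pc.blacklisted()}")
    print("t+91s correct ->", pc.login("test", "10.0.0.1", "S3cret!Pass", at(91)))
```

Because the key is the (account, IP) pair, the same account logging in from another address is unaffected by the lock, which is exactly why a permanent `lock` action still needs the blacklist logging described under "Logging" to notice distributed guessing.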

Maximum account idle time


You can set the maximum account idle time for user accounts. When an account is idle for this period
of time since the last successful login, the account becomes invalid.

Password not displayed in any form


For security purposes, nothing is displayed when a user enters a password.

Logging
The system logs every successful password change and every event in which a user is added to the
password control blacklist.

FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for
features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and
non-FIPS mode.

Password control configuration task list


The password control features can be configured in several different views, and different views
support different features. The settings configured in different views or for different objects have the
following application ranges:
• Settings for super passwords apply only to super passwords.
• Settings in local user view apply only to the password of the local user.
• Settings in user group view apply to the passwords of the local users in the user group if you do
not configure password policies for these users in local user view.

• Global settings in system view apply to the passwords of the local users in all user groups if you
do not configure password policies for these users in both local user view and user group view.
For local user passwords, the settings with a smaller application scope have higher priority.
To configure password control, perform the following tasks:

Tasks at a glance
(Required.) Enabling password control
(Optional.) Setting global password control parameters
(Optional.) Setting user group password control parameters
(Optional.) Setting local user password control parameters
(Optional.) Setting super password control parameters

Enabling password control


To successfully enable the global password control feature and allow device management users to
log in to the device, the device must have sufficient storage space.
Enabling the global password control feature is the prerequisite for all password control
configurations to take effect. Then, for a specific password control feature to take effect, enable this
password control feature.
After the global password control feature is enabled, follow these restrictions and guidelines:
• You cannot display the password and super password configurations for device management
users by using the corresponding display commands.
• You cannot display the password configuration for network access users by using the
corresponding display command.
• The first password configured for local users must contain a minimum of four different
characters.
• To ensure correct function of password control, configure the device to use NTP to obtain the
UTC time. After global password control is enabled, password control will record the UTC time
when the password is set. The recorded UTC time might not be consistent with the actual UTC
time due to power failure or device reboot. The inconsistency will cause the password
expiration feature to malfunction. For information about NTP, see Network Management and
Monitoring Configuration Guide.
• The device automatically generates a .dat file and saves the file to the storage media. The file is
used to record authentication and login information of the local users. Do not manually delete or
modify the file.
To enable password control:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable the global password control feature.
   Command: password-control enable [ network-class ]
   Remarks: The following default settings apply:
   • In non-FIPS mode, the global password control feature is disabled for device management
   and network access users.
   • In FIPS mode, the global password control feature is enabled for device management users
   and cannot be disabled. The global password control feature is disabled for network access
   users.

3. (Optional.) Enable a specific password control feature.
   Command: password-control { aging | composition | history | length } enable
   Remarks: By default, all four password control features are enabled.

Setting global password control parameters


The global password control parameters in system view apply to all device management and
network access local users.
You can configure all password control features for device management users. The password
expiration time, minimum password length, password composition policy, and user login attempt limit
can be configured in system view, user group view, or local user view.
You can configure only the following password control features for network access users:
• Minimum password length.
• Password complexity policy.
• Password composition policy.
• Minimum password update interval.
• Maximum number of history password records for each user.
Of these, the minimum password length, password complexity policy, and password composition
policy can be configured in system view, user group view, and local user view.
The password settings with a smaller application scope have higher priority. Global settings in
system view apply to the passwords of the local users in all user groups if you do not configure
password policies for these users in both local user view and user group view.
The password-control login-attempt command takes effect immediately and can affect the users
already in the password control blacklist. Other password control configurations do not take effect on
users that have been logged in or passwords that have been configured.
To set global password control parameters:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the password expiration time.
   Command: password-control aging aging-time
   Remarks: The default setting is 90 days.

3. Set the minimum password update interval.
   Command: password-control update-interval interval
   Remarks: The default setting is 24 hours.

4. Set the minimum password length.
   Command: password-control length length
   Remarks: In non-FIPS mode, the default setting is 10 characters. In FIPS mode, the default
   setting is 15 characters.

5. Configure the password composition policy.
   Command: password-control composition type-number type-number [ type-length type-length ]
   Remarks: The following default settings apply:
   • In non-FIPS mode, a password must contain a minimum of one character type and a minimum
   of one character for each type.
   • In FIPS mode, a password must contain a minimum of four character types and a minimum of
   one character for each type.

6. Configure the password complexity checking policy.
   Command: password-control complexity { same-character | user-name } check
   Remarks: By default, the system does not perform password complexity checking.

7. Set the maximum number of history password records for each user.
   Command: password-control history max-record-number
   Remarks: The default setting is 4.

8. Configure the login attempt limit.
   Command: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
   Remarks: By default, the maximum number of login attempts is 3, and a user failing to log in
   after the specified number of attempts must wait for 1 minute before trying again.

9. Set the number of days during which a user is notified of the pending password expiration.
   Command: password-control alert-before-expire alert-time
   Remarks: The default setting is 7 days.

10. Set the maximum number of days and maximum number of times that a user can log in after the
    password expires.
    Command: password-control expired-user-login delay delay times times
    Remarks: By default, a user can log in three times within 30 days after the password expires.

11. Set the maximum account idle time.
    Command: password-control login idle-time idle-time
    Remarks: The default setting is 90 days.

12. Set the user authentication timeout time.
    Command: password-control authentication-timeout timeout
    Remarks: The default setting is 600 seconds. This command takes effect only on Telnet and
    terminal users. When the authentication for a user times out, the connection is terminated.

Setting user group password control parameters


1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a user group and enter its view.
   Command: user-group group-name
   Remarks: By default, no user groups exist. For information about how to configure a user
   group, see "Configuring AAA."

3. Configure the password expiration time for the user group.
   Command: password-control aging aging-time
   Remarks: By default, the password expiration time of the user group equals the global
   password expiration time.

4. Configure the minimum password length for the user group.
   Command: password-control length length
   Remarks: By default, the minimum password length of the user group equals the global
   minimum password length.

5. Configure the password composition policy for the user group.
   Command: password-control composition type-number type-number [ type-length type-length ]
   Remarks: By default, the password composition policy of the user group equals the global
   password composition policy.

6. Configure the password complexity checking policy for the user group.
   Command: password-control complexity { same-character | user-name } check
   Remarks: By default, the password complexity checking policy of the user group equals the
   global password complexity checking policy.

7. Configure the login attempt limit.
   Command: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
   Remarks: By default, the login-attempt policy of the user group equals the global
   login-attempt policy.

Setting local user password control parameters


1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a device management or network access user and enter its view.
   Command:
   • To create a device management user and enter its view: local-user user-name class manage
   • To create a network access user and enter its view: local-user user-name class network
   Remarks: By default, no local users exist. For information about local user configuration, see
   "Configuring AAA."

3. Configure the password expiration time for the local user.
   Command: password-control aging aging-time
   Remarks: By default, the setting equals that for the user group to which the local user belongs.
   If no expiration time is configured for the user group, the global setting applies to the local
   user. This command is available only for device management users.

4. Configure the minimum password length for the local user.
   Command: password-control length length
   Remarks: By default, the setting equals that for the user group to which the local user belongs.
   If no minimum password length is configured for the user group, the global setting applies to
   the local user.

5. Configure the password composition policy for the local user.
   Command: password-control composition type-number type-number [ type-length type-length ]
   Remarks: By default, the settings equal those for the user group to which the local user
   belongs. If no password composition policy is configured for the user group, the global
   settings apply to the local user.

6. Configure the password complexity checking policy for the local user.
   Command: password-control complexity { same-character | user-name } check
   Remarks: By default, the settings equal those for the user group to which the local user
   belongs. If no password complexity checking policy is configured for the user group, the global
   settings apply to the local user.

7. Configure the login attempt limit.
   Command: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
   Remarks: By default, the settings equal those for the user group to which the local user
   belongs. If no login-attempt policy is configured for the user group, the global settings apply
   to the local user. This command is available only for device management users.

Setting super password control parameters


The super password allows you to obtain a temporary user role without reconnecting to the device.
For more information, see Fundamentals Configuration Guide.
To set super password control parameters:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the password expiration time for super passwords.
   Command: password-control super aging aging-time
   Remarks: The default setting is 90 days.

3. Configure the minimum length for super passwords.
   Command: password-control super length length
   Remarks: In non-FIPS mode, the default setting is 10 characters. In FIPS mode, the default
   setting is 15 characters.

4. Configure the password composition policy for super passwords.
   Command: password-control super composition type-number type-number [ type-length type-length ]
   Remarks: The following default settings apply:
   • In non-FIPS mode, a super password must contain a minimum of one character type and a
   minimum of one character for each type.
   • In FIPS mode, a super password must contain a minimum of four character types and a
   minimum of one character for each type.

Displaying and maintaining password control


Execute display commands in any view and reset commands in user view.

Task: Display password control configuration.
   Command: display password-control [ super ]

Task: Display information about users in the password control blacklist.
   Command: display password-control blacklist [ user-name user-name | ip ipv4-address | ipv6 ipv6-address ]

Task: Delete users from the password control blacklist.
   Command: reset password-control blacklist [ user-name user-name ]

Task: Clear history password records.
   Command: reset password-control history-record [ user-name user-name | super [ role role-name ] | network-class [ user-name user-name ] ]

NOTE:
The reset password-control history-record command can delete the history password records of
one or all users even when the password history feature is disabled.

Password control configuration examples


Basic password control configuration example
Network requirements
Configure a global password control policy to meet the following requirements:
• A password must contain a minimum of 16 characters.
• A password must contain a minimum of four character types and a minimum of four characters
for each type.
• An FTP or VTY user failing to provide the correct password in two successive login attempts is
permanently prohibited from logging in.
• A user can log in five times within 60 days after the password expires.
• A password expires after 30 days.
• The minimum password update interval is 36 hours.
• The maximum account idle time is 30 days.
• A password cannot contain the username or the reverse of the username.
• A minimum of three identical consecutive characters is not allowed.
Configure a super password control policy for user role network-operator to meet the following
requirements:
• A super password must contain a minimum of 24 characters.
• A super password must contain a minimum of four character types and a minimum of five
characters for each type.
Configure a password control policy for local Telnet user test to meet the following requirements:
• The password must contain a minimum of 24 characters.
• The password must contain a minimum of four character types and a minimum of five
characters for each type.
• The password for the local user expires after 20 days.
Configuration procedure
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable

# Disable a user account permanently if a user fails two consecutive login attempts on the user
account.
[Sysname] password-control login-attempt 2 exceed lock

# Set all passwords to expire after 30 days.


[Sysname] password-control aging 30

# Globally set the minimum password length to 16 characters.


[Sysname] password-control length 16

# Set the minimum password update interval to 36 hours.


[Sysname] password-control update-interval 36

# Specify that a user can log in five times within 60 days after the password expires.
[Sysname] password-control expired-user-login delay 60 times 5

# Set the maximum account idle time to 30 days.


[Sysname] password-control login idle-time 30

# Refuse any password that contains the username or the reverse of the username.
[Sysname] password-control complexity user-name check

# Refuse a password that contains a minimum of three identical consecutive characters.


[Sysname] password-control complexity same-character check

# Globally specify that all passwords must each contain a minimum of four character types and a
minimum of four characters for each type.
[Sysname] password-control composition type-number 4 type-length 4

# Set the minimum super password length to 24 characters.


[Sysname] password-control super length 24

# Specify that a super password must contain a minimum of four character types and a minimum of
five characters for each type.
[Sysname] password-control super composition type-number 4 type-length 5

# Configure a super password used for switching to user role network-operator as
123456789ABGFTweuix@#$%! in plain text.
[Sysname] super password role network-operator simple 123456789ABGFTweuix@#$%!

# Create a device management user named test.


[Sysname] local-user test class manage

# Set the service type of the user to Telnet.


[Sysname-luser-manage-test] service-type telnet

# Set the minimum password length to 24 for the local user.


[Sysname-luser-manage-test] password-control length 24

# Specify that the password of the local user must contain a minimum of four character types and a
minimum of five characters for each type.
[Sysname-luser-manage-test] password-control composition type-number 4 type-length 5

# Set the password for the local user to expire after 20 days.
[Sysname-luser-manage-test] password-control aging 20

# Configure the password of the local user in interactive mode.


[Sysname-luser-manage-test] password
Password:
Confirm :
Updating user information. Please wait ... ...

[Sysname-luser-manage-test] quit

Verifying the configuration


# Display the global password control configuration.
<Sysname> display password-control
Global password control configurations:
Password control: Enabled (device management users)
                  Disabled (network access users)
Password aging: Enabled (30 days)
Password length: Enabled (16 characters)
Password composition: Enabled (4 types, 4 characters per type)
Password history: Enabled (max history record:4)
Early notice on password expiration: 7 days
Maximum login attempts: 2
User authentication timeout: 600 seconds
Action for exceeding login attempts: Lock
Minimum interval between two updates: 36 hours
User account idle time: 30 days
Logins with aged password: 5 times in 60 days
Password complexity: Enabled (username checking)
Enabled (repeated characters checking)
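The verification output above is also what an auditor reads back from many devices, so it is worth parsing rather than eyeballing. The following is an added example, not code from the guide or from the device: it parses the key/value lines of `display password-control` into a dictionary (handling the two-line entries for password control state and complexity) and reports settings that fall short of a baseline. GOOD_OUTPUT is the output the example configuration produces; WEAK_OUTPUT is a constructed sample of a device left near the non-FIPS defaults; and the BASELINE thresholds are this example's assumptions, not values the guide prescribes.

```python
"""Audit of `display password-control` output against a baseline (added example)."""
import re
from typing import Dict, List

GOOD_OUTPUT = """\
Global password control configurations:
 Password control: Enabled (device management users)
                   Disabled (network access users)
 Password aging: Enabled (30 days)
 Password length: Enabled (16 characters)
 Password composition: Enabled (4 types, 4 characters per type)
 Password history: Enabled (max history record:4)
 Early notice on password expiration: 7 days
 Maximum login attempts: 2
 User authentication timeout: 600 seconds
 Action for exceeding login attempts: Lock
 Minimum interval between two updates: 36 hours
 User account idle time: 30 days
 Logins with aged password: 5 times in 60 days
 Password complexity: Enabled (username checking)
                      Enabled (repeated characters checking)
"""

# Constructed sample: same layout, non-FIPS defaults, no complexity checks.
WEAK_OUTPUT = """\
Global password control configurations:
 Password control: Disabled (device management users)
                   Disabled (network access users)
 Password aging: Enabled (90 days)
 Password length: Enabled (10 characters)
 Password composition: Enabled (1 types, 1 characters per type)
 Password history: Enabled (max history record:4)
 Early notice on password expiration: 7 days
 Maximum login attempts: 3
 User authentication timeout: 600 seconds
 Action for exceeding login attempts: Lock
 Minimum interval between two updates: 24 hours
 User account idle time: 90 days
 Logins with aged password: 3 times in 30 days
 Password complexity: Disabled (username checking)
                      Disabled (repeated characters checking)
"""

# Assumed baseline thresholds for the audit.
BASELINE = {"min_length": 12, "min_types": 4, "max_aging_days": 90,
            "max_login_attempts": 5, "max_idle_days": 90}


def parse_display(text: str) -> Dict[str, List[str]]:
    """Map each 'Key: value' line to its values. A line without ': ' is a
    continuation of the previous key (the two-line entries in the output)."""
    settings: Dict[str, List[str]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if ": " in line:
            key, value = line.split(": ", 1)
            settings[key] = [value]
        elif line and key is not None:
            settings[key].append(line)
    return settings


def first_int(values: List[str]) -> int:
    """First integer in the joined values, e.g. ['30 days'] -> 30."""
    match = re.search(r"\d+", " ".join(values))
    if match is None:
        raise ValueError(f"no number in {values!r}")
    return int(match.group())


def audit(text: str) -> List[str]:
    """Return one finding per baseline rule the output fails; [] is a pass."""
    s = parse_display(text)
    findings: List[str] = []
    if not s["Password control"][0].startswith("Enabled"):
        findings.append("password control disabled for device management users")
    length = first_int(s["Password length"])
    if length < BASELINE["min_length"]:
        findings.append(f"minimum length {length} < {BASELINE['min_length']}")
    types = first_int(s["Password composition"])
    if types < BASELINE["min_types"]:
        findings.append(f"composition requires {types} type(s) < {BASELINE['min_types']}")
    aging = first_int(s["Password aging"])
    if aging > BASELINE["max_aging_days"]:
        findings.append(f"aging {aging} days > {BASELINE['max_aging_days']}")
    attempts = first_int(s["Maximum login attempts"])
    if attempts > BASELINE["max_login_attempts"]:
        findings.append(f"login attempts {attempts} > {BASELINE['max_login_attempts']}")
    idle = first_int(s["User account idle time"])
    if idle > BASELINE["max_idle_days"]:
        findings.append(f"idle time {idle} days > {BASELINE['max_idle_days']}")
    disabled = [v for v in s["Password complexity"] if v.startswith("Disabled")]
    if disabled:
        findings.append("complexity checks disabled: " + "; ".join(disabled))
    return findings


if __name__ == "__main__":
    for name, text in (("example config", GOOD_OUTPUT), ("defaults", WEAK_OUTPUT)):
        print(name, "->", audit(text) or "pass")
```

Splitting on the first colon-space rather than the first colon keeps "max history record:4" intact as a value, and the continuation rule is what turns the two "Password complexity" lines into a single list that the audit can check for a "Disabled" entry.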

# Display the password control configuration for super passwords.


<Sysname> display password-control super
Super password control configurations:
Password aging: Enabled (90 days)
Password length: Enabled (24 characters)
Password composition: Enabled (4 types, 5 characters per type)

# Display the password control configuration for local user test.


<Sysname> display local-user user-name test class manage
Total 1 local users matched.

Device management user test:


State: Active
Service type: Telnet
User group: system
Bind attributes:
Authorization attributes:
Work directory: flash:
User role list: network-operator
Password control configurations:
Password aging: 20 days
Password length: 24 characters
Password composition: 4 types, 5 characters per type
