Password encryption policy, Account lockout policy – Brocade Network OS Administrator’s Guide v4.1.1 User Manual
Page 266

TABLE 45 Password policy parameters (Continued)

Parameter    Description
max-retry    Specifies the number of failed password logins permitted before a user is locked out. The
             lockout threshold can range from 0 through 16. The default value is 0. When a password fails
             more than one of the strength attributes, an error is reported for only one of the attributes
             at a time.
NOTE
Passwords can have a maximum of 40 characters.
Password encryption policy
Network OS supports encrypting the passwords of all existing user accounts by enabling password
encryption at the switch level. By default, the encryption service is disabled and passwords are stored
in clear text. Use the service password-encryption command to enable password encryption, and the
no service password-encryption command to disable it. The following rules apply to password encryption:
• When you enable password encryption, all existing clear-text passwords are encrypted, and any
passwords that are added subsequently in clear text are stored in encrypted format.
In the following example, the testuser account password is created in clear text after password
encryption has been enabled. The global encryption policy overrides command-level encryption
settings. The password is stored as encrypted.
switch(config)# service password-encryption
switch(config)# do show running-config service password-encryption
service password-encryption
switch(config)# username testuser role testrole desc "Test User" encryption-level 0 password hellothere
switch(config)# do show running-config username
username admin password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role admin desc Administrator
username testuser password "cONW1RQ0nTV9Az42/9uCQg==\n" encryption-level 7 role testrole desc "Test User"
username user password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role user desc User
• When you disable the password encryption service, any new passwords added in clear text will be
stored as clear text on the switch. Existing encrypted passwords remain encrypted.
In the following example, the testuser account password is stored in clear text after password
encryption has been disabled. The default accounts, "user" and "admin", remain encrypted.
switch(config)# no service password-encryption
switch(config)# do show running-config service password-encryption
no service password-encryption
switch(config)# username testuser role testrole desc "Test User" encryption-level 0 password hellothere enable true
switch(config)# do show running-config username
username admin password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role admin desc Administrator
username testuser password hellothere encryption-level 0 role testrole desc "Test User"
username user password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role user desc User
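
The following Python script is an added example, not part of the Brocade guide: it audits saved show running-config output for the conditions described above (encryption service disabled, accounts left at encryption-level 0) and also flags accounts whose stored password value is identical. The function names parse_users and audit are hypothetical, and the sample input is the output shown in the second example.

```python
import shlex
from collections import defaultdict

# Sample input: the running-config lines from the second example above
# (encryption service disabled), embedded so the script runs offline.
SAMPLE = r'''no service password-encryption
username admin password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role admin desc Administrator
username testuser password hellothere encryption-level 0 role testrole desc "Test User"
username user password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role user desc User
'''

def parse_users(config):
    """Map each account name to its keyword/value fields from 'username' lines."""
    users = {}
    for line in config.splitlines():
        try:
            tokens = shlex.split(line)  # honours quoted values such as "Test User"
        except ValueError:              # unbalanced quote: skip the line
            continue
        if len(tokens) >= 2 and tokens[0] == "username":
            users[tokens[1]] = dict(zip(tokens[2::2], tokens[3::2]))
    return users

def audit(config):
    """Return a list of findings for a saved running-config (hypothetical helper)."""
    findings = []
    if "service password-encryption" not in [l.strip() for l in config.splitlines()]:
        findings.append("service password-encryption is not enabled")
    stored = defaultdict(list)
    for name, fields in parse_users(config).items():
        if fields.get("encryption-level") == "0":
            findings.append(f"{name}: password stored in clear text")
        else:
            stored[fields.get("password")].append(name)
    # The same stored string on several accounts indicates a shared password.
    for names in stored.values():
        if len(names) > 1:
            findings.append(f"{', '.join(sorted(names))}: identical stored password value")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the sample, the script reports the disabled service, the clear-text testuser password, and the identical stored value on the admin and user accounts.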
Account lockout policy
The account lockout policy disables a user account when the user exceeds a configurable number of
failed login attempts. A user whose account has been locked cannot log in. SSH login attempts that
use locked user credentials are denied without the user being notified of the reason for denial.
Network OS Administrator’s Guide
53-1003225-04