beautypg.com

Password complexity checking policy, Password updating and expiration, Password updating – H3C Technologies H3C S6300 Series Switches User Manual

Page 178: Password expiration, Early notice on pending password expiration, Login with an expired password

background image

163

Password complexity checking policy

A less complicated password such as a password containing the username or repeated characters is

more likely to be cracked. For higher security, you can configure a password complexity checking policy
to make sure all user passwords are relatively complicated. With such a policy configured, when a user

configures a password, the system checks the complexity of the password. If the password is

complexity-incompliant, the configuration will fail.
You can apply the following password complexity requirements:

A password cannot contain the username or the reverse of the username. For example, if the
username is abc, a password such as abc982 or 2cba is not complex enough.

A character or number cannot appear three or more times consecutively. For example, password
a111 is not complex enough.

Password updating and expiration

Password updating

This function allows you to set the minimum interval at which users can change their passwords. If a user

logs in to change the password but the time passed since the last change is less than this interval, the

system denies the request. For example, if you set this interval to 48 hours, a user cannot change the

password twice within 48 hours.
The set minimum interval is not effective when a user is prompted to change the password at the first login

or after its password aging time expires.

Password expiration

Password expiration imposes a lifecycle on a user password. After the password expires, the user needs

to change the password.
If a user enters an expired password when logging in, the system displays an error message. The user is

prompted to provide a new password and to confirm it by entering it again. The new password must be

valid, and the user must enter exactly the same password when confirming it.
Telnet users, SSH users, and console users can change their own passwords. The administrator must
change passwords for FTP users.

Early notice on pending password expiration

When a user logs in, the system checks whether the password will expire in a time equal to or less than

the specified notification period. If so, the system notifies the user when the password will expire and

provides a choice for the user to change the password. If the user sets a new password that is
complexity-compliant, the system records the new password and the setup time. If the user chooses not to

change the password or the user fails to change it, the system allows the user to log in using the current

password.
Telnet users, SSH users, and console users can change their own passwords. The administrator must
change passwords for FTP users.

Login with an expired password

You can allow a user to log in a certain number of times within a specific period of time after the

password expires. For example, if you set the maximum number of logins with an expired password to 3

and the time period to 15 days, a user can log in three times within 15 days after the password expires.