H3C Technologies H3C SecPath F1000-E User Manual

249

{

Digits 0 to 9.

{

32 special characters. For information about special characters, see the password-control
composition command in Security Command Reference.

Depending on the system security requirements, you can set the minimum number of types a

password must contain and the minimum number of characters of each type, as shown in

Table

57

.

Table 57 Password composition policy

Password combination

level

Minimum number of

character types

Minimum number of characters for

each type

Level 1

One

One

Level 2

Two

One

Level 3

Three

One

Level 4

Four

One

In non-FIPS mode, all the combination levels are available for a password. In FIPS mode, only the
level 4 combination is available for a password.
When a user sets or changes the password, the system checks if the password meets the
composition requirement. If not, the system displays an error message.

9.

Password complexity checking
A less complicated password such as a password containing the username or repeated characters
is more likely to be cracked. For higher security, you can configure a password complexity

checking policy to make sure that all user passwords are relatively complicated. With such a
policy configured, when a user configures a password, the system checks the complexity of the

password. If the password is not qualified, the system refuses the password and displays a

password configuration failure message.
You can impose the following password complexity requirements:

{

A password cannot contain the username or the reverse of the username. For example, if the
username is abc, a password such as abc982 or 2cba is unqualified.

{

No character appears three or more times consecutively in a password. For example, password
a111 is not qualified.

10.

Password display in the form of a string of asterisks (*)
For the sake of security, the password a user enters is displayed in the form of a string of asterisks
(*).

11.

Authentication timeout management
The authentication period is from when the server obtains the username to when the server finishes
authenticating the user’s password. If a Telnet user fails to log in within the configured period of
time, the system tears down the connection.

12.

Maximum account idle time
You can set the maximum account idle time to make accounts staying idle for this period of time
become invalid and unable to log in again. For example, if you set the maximum account idle time

to 60 days and user using the account test has never logged in successfully within 60 days after

the last successful login, the account becomes invalid.

13.

Logging