Password Control Introduction

Password control refers to a set of functions provided by the local authentication server to enforce password security according to predefined policies. There are nine password control functions:

1) Minimum password length

With this function, you can set a minimum password length as required for system security. As such, when a user enters a shorter password, the system considers it invalid and prompts the user to re-enter a password.

Note:

A password cannot exceed 63 characters.

2) Password aging

Password aging imposes a lifecycle on a user password. After the password aging time expires, the user needs to change the password.

If a user enters an expired password, the system displays an error message and prompts the user to provide a new password and to confirm it by entering it again. The new password must be a valid one and the user must enter exactly the same password when confirming it. Otherwise, the login will fail.

3) Early notice on pending password expiration

When a user logs in, the system checks whether the password will expire within the specified period. If so, the system notifies the user of the expiry time and offers the user the choice to change the password. If the user provides a new password, the system records the new password and the time it was set. If the user chooses to keep the current password, or fails to change it, the system allows the user to log in with the current password until it expires.

Note:

Telnet, SSH, and terminal users can change their passwords by themselves. FTP users, by contrast, can only have their passwords changed by the administrator.

4) Password history

With this feature enabled, the system keeps a record of the passwords each user has previously used. When a user changes the password, the system checks the new password against the recorded ones and, if it was used before, displays an error message.

You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds your setting, the latest record will overwrite the earliest one.

5) Login attempt restriction

Limiting the number of wrong-password attempts helps defeat malicious password guessing.

Once a user fails authentication, the system adds the user to a blacklist. When a user fails to log in for the allowed maximum number of successive authentication attempts, the system may prohibit or allow further logins, depending on your choice:

- Prohibiting the user from logging into the system until the user is removed from the blacklist.

- Allowing the user to log in, and removing the user from the blacklist when the user logs into the system or the blacklist entry times out (the blacklist entry aging time is 20 minutes).

- Prohibiting the user from logging in for a configurable period of time. After this period, the user is deleted from the blacklist and can log into the system again.

Note:

- A blacklist can contain up to 1,024 entries. A login attempt using a wrong username will fail, but the username is not added to the blacklist.

- FTP users and virtual terminal line (VTY) users are blacklisted when they fail authentication.

- Users accessing the system through the Console or AUX interface are never blacklisted, because the system cannot obtain the IP addresses of these users and because these users are privileged and therefore considered relatively secure to the system.
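To make the three lockout choices concrete, the following added example (not from this document or the product's own software) models the blacklist behaviour described in item 5 in Python: a failed attempt records the user, the configured number of successive failures triggers one of three actions (lock until an administrator removes the entry, allow login and clear the entry on success or after the 20-minute aging time, or lock for a configurable period), wrong usernames and Console/AUX users are never recorded, and the table is capped at 1,024 entries. The action names, the handling of a full table, the assumption that entries still below the failure limit also age out after 20 minutes, and the sample user names and times are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

BLACKLIST_CAPACITY = 1024                  # limit stated in the text
BLACKLIST_AGING = timedelta(minutes=20)    # entry aging time stated in the text
NEVER_BLACKLISTED = {"console", "aux"}     # interfaces the text exempts


@dataclass
class Entry:
    failures: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None   # set only by the "lock-time" action


@dataclass
class LoginGuard:
    known_users: set                  # failures with an unknown username are not recorded
    max_attempts: int = 3             # allowed successive failures
    action: str = "lock"              # assumed names: "lock", "unlock" or "lock-time"
    lock_time: timedelta = timedelta(minutes=5)
    blacklist: dict = field(default_factory=dict)   # username -> Entry

    def _expired(self, e: Entry, now: datetime) -> bool:
        if e.failures >= self.max_attempts:
            if self.action == "lock":
                return False                  # stays until an administrator removes it
            if self.action == "lock-time":
                return now >= e.locked_until
        # "unlock" entries, and entries still below the limit (assumed), age out.
        return now - e.last_failure >= BLACKLIST_AGING

    def purge(self, now: datetime) -> None:
        for user in [u for u, e in self.blacklist.items() if self._expired(e, now)]:
            del self.blacklist[user]

    def check(self, user: str, now: datetime) -> str:
        """Decide before authentication starts: 'allow' or 'deny'."""
        self.purge(now)
        e = self.blacklist.get(user)
        if e is None or e.failures < self.max_attempts or self.action == "unlock":
            return "allow"
        return "deny"

    def record_failure(self, user: str, interface: str, now: datetime) -> None:
        if interface in NEVER_BLACKLISTED or user not in self.known_users:
            return
        e = self.blacklist.get(user)
        if e is None:
            if len(self.blacklist) >= BLACKLIST_CAPACITY:
                return                        # table full; assumed behaviour: not recorded
            e = self.blacklist[user] = Entry()
        e.failures += 1
        e.last_failure = now
        if e.failures >= self.max_attempts and self.action == "lock-time":
            e.locked_until = now + self.lock_time

    def record_success(self, user: str) -> None:
        """A successful login clears the entry (the "unlock" case in the text)."""
        self.blacklist.pop(user, None)

    def admin_remove(self, user: str) -> bool:
        return self.blacklist.pop(user, None) is not None


def demo() -> dict:
    """Three successive failures from a VTY user under each action, with constructed times."""
    t0 = datetime(2024, 1, 1, 9, 0)
    out = {}
    for action in ("lock", "unlock", "lock-time"):
        g = LoginGuard(known_users={"alice"}, max_attempts=3, action=action,
                       lock_time=timedelta(minutes=5))
        for i in range(3):
            g.record_failure("alice", "vty", t0 + timedelta(seconds=i))
        for label, minutes in (("1min", 1), ("6min", 6), ("21min", 21)):
            out[f"{action}/{label}"] = g.check("alice", t0 + timedelta(minutes=minutes))
        out[f"{action}/admin_remove"] = g.admin_remove("alice")
    g = LoginGuard(known_users={"alice"})
    g.record_failure("mallory", "vty", t0)      # unknown username: not recorded
    g.record_failure("alice", "console", t0)    # Console users are never blacklisted
    out["ignored_entries"] = len(g.blacklist)
    return out
```

Running `demo()` shows the difference between the three actions: under "lock" the user is still denied 21 minutes later and only `admin_remove` clears the entry, under "unlock" the user is never denied and the entry disappears once the 20-minute aging time passes, and under "lock-time" the user is denied for the configured five minutes and allowed afterwards.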

6) Password composition

A password can be a combination of characters from the following four categories:

- Uppercase letters A to Z

- Lowercase letters a to z

- Digits 0 to 9

- 32 special characters, including blank space and ~`!@#$%^&*()_+-={}|[]\:";'<>,./.

Depending on the system security requirements, you can set the minimum number of categories a password must contain and the minimum number of characters of each category.

There are four password combination levels, 1 to 4, each representing the minimum number of categories a password must contain. Level 1 means that a password must contain characters of at least one category, level 2 at least two categories, and so on.

When a user sets or changes the password, the system checks if the password satisfies the composition requirement. If not, the system displays an error message.
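The following added example (not part of this document or the product's own code) models items 1, 2, 3, 4 and 6 above in Python: the 63-character cap, the minimum length, the four composition categories with a configurable minimum number of categories and minimum count per category, a per-user history of previously used passwords whose newest record overwrites the oldest, and the expiry and early-notice checks performed at login. The policy values, the user name "alice", the sample passwords and dates, and the use of salted PBKDF2 digests for the history are constructed assumptions; the reading of the composition rule as "at least N categories must each contribute at least M characters" is also an assumption, since the text does not state how the two minimums interact.

```python
import hashlib
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MAX_PASSWORD_LENGTH = 63   # hard limit stated in the text

# The 32 special characters listed in the text: blank space plus 31 punctuation marks.
SPECIAL_CHARS = set(" ~`!@#$%^&*()_+-={}|[]\\:\";'<>,./")
ALLOWED = set(string.ascii_letters + string.digits) | SPECIAL_CHARS


def categorize(password: str) -> dict:
    """Count the characters of each of the four composition categories."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        elif ch in SPECIAL_CHARS:
            counts["special"] += 1
    return counts


def _digest(password: str, salt: bytes) -> bytes:
    # Assumed storage form: a salted PBKDF2 digest, so the history never holds plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserRecord:
    salt: bytes
    current: Optional[bytes] = None
    set_at: Optional[datetime] = None
    history: list = field(default_factory=list)   # previous digests, oldest first


@dataclass
class PasswordPolicy:
    min_length: int = 10
    min_categories: int = 2       # composition level 1..4
    min_per_category: int = 1
    history_size: int = 4         # history records kept per user
    aging: timedelta = timedelta(days=90)
    early_notice: timedelta = timedelta(days=7)
    users: dict = field(default_factory=dict)

    def _record(self, user: str) -> UserRecord:
        return self.users.setdefault(user, UserRecord(salt=os.urandom(16)))

    def validate_new(self, user: str, password: str) -> Optional[str]:
        """Return None if the password is acceptable, otherwise the reason it is refused."""
        if len(password) > MAX_PASSWORD_LENGTH:
            return "too long"
        if len(password) < self.min_length:
            return "too short"
        if set(password) - ALLOWED:
            return "disallowed character"
        # Assumed reading of the composition rule: at least min_categories categories
        # must each contribute at least min_per_category characters.
        satisfied = sum(1 for n in categorize(password).values() if n >= self.min_per_category)
        if satisfied < self.min_categories:
            return "composition"
        rec = self._record(user)
        digest = _digest(password, rec.salt)
        if digest == rec.current or digest in rec.history:
            return "reused"
        return None

    def set_password(self, user: str, password: str, now: datetime) -> Optional[str]:
        """Apply the checks, then record the new password and the time it was set."""
        reason = self.validate_new(user, password)
        if reason is not None:
            return reason
        rec = self._record(user)
        if rec.current is not None:
            rec.history.append(rec.current)
            if len(rec.history) > self.history_size:
                del rec.history[0]          # the latest record overwrites the earliest
        rec.current = _digest(password, rec.salt)
        rec.set_at = now
        return None

    def login_status(self, user: str, now: datetime) -> str:
        """'expired', 'expiring' (within the early-notice window) or 'ok'."""
        remaining = self.users[user].set_at + self.aging - now
        if remaining <= timedelta(0):
            return "expired"
        return "expiring" if remaining <= self.early_notice else "ok"


def demo() -> dict:
    """Walk one constructed user through the checks with constructed passwords and dates."""
    policy = PasswordPolicy(min_length=8, min_categories=3, history_size=2)
    t0 = datetime(2024, 1, 1)
    out = {
        "short": policy.set_password("alice", "Ab1", t0),
        "one_category": policy.set_password("alice", "abcdefghij", t0),
        "first": policy.set_password("alice", "Correct-Horse1", t0),
        "reuse_current": policy.set_password("alice", "Correct-Horse1", t0),
        "second": policy.set_password("alice", "Battery-Staple2", t0),
        "third": policy.set_password("alice", "Purple-Monkey3", t0),
        "fourth": policy.set_password("alice", "Fourth-Pass4", t0),
    }
    # history_size=2 keeps only the two most recent previous digests, so the first
    # password has been overwritten and is accepted again.
    out["reuse_first"] = policy.set_password("alice", "Correct-Horse1", t0)
    out["status_day_10"] = policy.login_status("alice", t0 + timedelta(days=10))
    out["status_day_85"] = policy.login_status("alice", t0 + timedelta(days=85))
    out["status_day_91"] = policy.login_status("alice", t0 + timedelta(days=91))
    return out
```

The per-user salt matters for the history check: every password the user has ever set is digested with the same salt, so a candidate can be compared against the stored records without keeping any plaintext, while a different user setting the same string produces an unrelated digest.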

7) Password display in the form of a string of *

For the sake of security, the password a user enters is displayed in the form of a string of *.

8) Authentication timeout management

If a user fails to log in within a configurable period of time, the system tears down the connection.

This function applies to Telnet users only.

9) Logging

The system logs all successful password changing events.