Password setting
Minimum password length
You can define the minimum length of user passwords. If a user enters a password that is shorter than the minimum length, the system rejects the password.
Password composition policy
A password can be a combination of characters from the following types:
Uppercase letters A to Z.
Lowercase letters a to z.
Digits 0 to 9.
Special characters. For information about special characters, see the password-control composition command in Security Command Reference.
Depending on the system's security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters for each type, as shown in Table 14.
Table 11: Password composition policy
Password combination level | Minimum number of character types | Minimum number of characters for each type |
---|---|---|
Level 1 | One | One |
Level 2 | Two | One |
Level 3 | Three | One |
Level 4 | Four | One |
In non-FIPS mode, all the combination levels are available for a password. In FIPS mode, only the level 4 combination is available for a password.
When a user sets or changes a password, the system checks if the password meets the combination requirement. If not, the operation fails.
Password complexity checking policy
A simple password, such as one that contains the username or repeated characters, is more likely to be cracked. For higher security, you can configure a password complexity checking policy to ensure that all user passwords are relatively complicated. With such a policy configured, the system checks the complexity of a password when a user configures it. If the password does not meet the complexity requirements, the configuration fails.
You can apply the following password complexity requirements:
A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
The same character or number cannot appear three or more times consecutively. For example, password a111 is not complex enough.
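The following added example (not vendor code) shows how the minimum length, composition level, and the two complexity requirements combine into one check, which is useful for pre-validating passwords before they are pushed to a device. It assumes that "special characters" means ASCII punctuation and that the username match is case-sensitive; the function and parameter names are hypothetical.

```python
import string

# Assumption: the special-character set is ASCII punctuation. The device's real
# set is defined by the password-control composition command reference.
CHAR_TYPES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def check_password(username, password, min_length, level):
    """Return the list of policy violations; an empty list means acceptable.

    level is the password combination level (1-4): the minimum number of
    character types, each needing at least one character, as in the table.
    """
    problems = []
    # Minimum password length
    if len(password) < min_length:
        problems.append("too short")
    # Composition policy: count the character types present in the password
    present = sum(1 for chars in CHAR_TYPES.values()
                  if any(c in chars for c in password))
    if present < level:
        problems.append("too few character types")
    # Complexity: username or reversed username (assumed case-sensitive)
    if username and (username in password or username[::-1] in password):
        problems.append("contains username")
    # Complexity: same character three or more times consecutively
    if any(password[i] == password[i + 1] == password[i + 2]
           for i in range(len(password) - 2)):
        problems.append("repeated character")
    return problems


if __name__ == "__main__":
    # Constructed samples; min_length=4 and level=2 are illustrative values.
    for pw in ("abc982", "2cba", "a111", "Xk7#mQ2p"):
        print(pw, check_password("abc", pw, min_length=4, level=2))
```

Passing `level=4` models the FIPS-mode restriction described above, where only the level 4 combination is accepted.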