H3C Technologies H3C SecPath F1000-E User Manual
Page 258
248
system records the new password and the time. If the user chooses to leave the password or the
user fails to change it, the system allows the user to log in using the present password.
NOTE:
Telnet, SSH, and terminal users can change their passwords by themselves. FTP users, on the contrary, can
only have their passwords changed by the administrator.
5.
Login with an expired password
You can allow a user to log in a certain number of times within a specific period of time after the
password expires, so that the user does not need to change the password immediately. For
example, if you set the maximum number of logins with an expired password to three and the time
period to 15 days, a user can log in three times within 15 days after the password expires.
6.
Password history
With this feature enabled, the system maintains certain entries of passwords that a user has used.
When a user changes the password, the system checks the new password against the used ones.
The new password must be different from the used ones by at least four characters and the four
characters must not be the same. Otherwise, you will fail to change the password and the system
displays an error message.
You can set the maximum number of history password records for the system to maintain for each
user. When the number of history password records exceeds your setting, the latest record will
overwrite the earliest one.
7.
Login attempt limit
Limiting the number of consecutive failed login attempts can effectively prevent password
guessing.
If an FTP or virtual terminal line (VTY) user fails authentication due to a password error, the system
adds the user to a blacklist. If a user fails to provide the correct password after the specified
number of consecutive attempts, the system takes action as configured:
{
Prohibiting the user from logging in until the user is removed from the blacklist manually.
{
Allowing the user to try continuously and removing the user from the blacklist when the user logs
in to the system successfully or the blacklist entry times out (the blacklist entry aging time is one
minute).
{
Prohibiting the user from logging in within a configurable period of time, and allowing the user
to log in again after the period of time elapses or the user is removed from the blacklist.
NOTE:
•
A blacklist can contain up to 1024 entries.
•
A login attempt using a wrong username will undoubtedly fail but the username will not be added into
the blacklist.
•
Web users failing login authentication are not blacklisted. Users accessing the system through the
Console interface are not blacklisted either, because the system is unable to obtain the IP addresses of
these users and these users are privileged and therefore relatively secure to the system.
8.
Password composition checking
A password can be a combination of characters from the following four types:
{
Uppercase letters A to Z.
{
Lowercase letters a to z.