HP 5120 EI Switch Series Configuration Manual page 175

You can allow a user to log in a certain number of times within a specified period of time after the
password expires, so that the user does not need to change the password immediately. For example, if
you set the maximum number of logins with an expired password to three and the time period to 15 days,
a user can log in three times within 15 days after the password expires.
Password history
6.
With this feature enabled, the system maintains certain entries of passwords that a user has used. When
a user changes the password, the system checks the new password against the used ones to see whether
it was used before and, if so, displays an error message.
You can set the maximum number of history password records for the system to maintain for each user.
When the number of history password records exceeds your setting, the latest record will overwrite the
earliest one.
Login attempt limit
7.
Limiting the number of consecutive failed login attempts can effectively prevent password guessing.
If an FTP or virtual terminal line (VTY) user fails authentication due to a password error, the system adds
the user to a blacklist. If a user fails to provide the correct password after the specified number of
consecutive attempts, the system takes action as configured:
Prohibiting the user from logging in until the user is removed from the blacklist manually.

Allowing the user to try continuously and removing the user from the blacklist when the user logs in

to the system successfully or the blacklist entry times out (the blacklist entry aging time is one
minute).
Prohibiting the user from logging in within a configurable period of time, and allowing the user to

log in again after the period of time elapses or the user is removed from the blacklist.
NOTE:

A blacklist can contain up to 1024 entries.

A login attempt using a wrong username will undoubtedly fail but the username will not be added into the
blacklist.

Users failing web authentication are not blacklisted. Users accessing the system through the Console or AUX
interface are not blacklisted either, because the system is unable to obtain the IP addresses of these users and
these users are privileged and relatively secure to the system.
Password composition checking
8.
A password can be a combination of characters from the following four categories:
Uppercase letters A to Z

Lowercase letters a to z

Digits 0 to 9

32 special characters including blank space and ~`!@#$%^&*()_+-={}|[]\:‖;'<>,./.

Depending on the system security requirements, you can set the minimum number of categories a
password must contain and the minimum number of characters of each category.
Password combination has four levels: 1, 2, 3, and 4, each representing the number of categories that a
password must at least contain. Level 1 means that a password must contain characters of one category,
level 2 at least two categories, and so on.
When a user sets or changes the password, the system checks if the password satisfies the composition
requirement. If not, the system displays an error message.
165