HP A5830 Series Configuration Manual page 137

Password history
With this feature enabled, the system keeps a record of the passwords that each user has used. When
a user changes the password, the system checks the new password against the used ones. The new
password must differ from the used ones by at least four characters, and the four characters must
not be the same. Otherwise, the password change fails, and the system displays an error message.
You can set the maximum number of history password records for the system to maintain for each user.
When the number of history password records exceeds your setting, the latest record overwrites the
earliest one.
Login attempt limit
Limiting the number of consecutive failed login attempts can effectively prevent password guessing.
If an FTP or VTY user fails authentication due to a password error, the system adds the user to a blacklist.
If a user fails to provide the correct password after the specified number of consecutive attempts, the
system takes action as configured:
- Prohibits the user from logging in until the user is manually removed from the blacklist.
- Allows the user to try continuously, and removes the user from the blacklist when the user logs in to
  the system successfully or when the blacklist entry times out (the blacklist entry aging time is 1
  minute).
- Prohibits the user from logging in within a configurable period of time, and allows the user to log in
  again after the period of time elapses or after the user is removed from the blacklist.
A blacklist can contain up to 1024 entries.
A login attempt using a wrong username always fails, but the username is not added to the
blacklist.
Web users who fail login authentication are not blacklisted. Users accessing the system through the
Console or AUX interface are not blacklisted either, because the system is unable to obtain the IP
addresses of these users, and because these users are privileged and therefore relatively secure to the system.
Password composition checking
A password can be a combination of characters from the following categories:
- Uppercase letters A to Z
- Lowercase letters a to z
- Digits 0 to 9
- 32 special characters, including blank space and ~`!@#$%^&*()_+-={}|[]\:";'<>,./.
Depending on the system security requirements, you can set the minimum number of categories a
password must contain and the minimum number of characters of each category.
There are four password combination levels: 1, 2, 3, and 4, each representing the number of categories
that a password must at least contain. Level 1 means that a password must contain characters of one
category, level 2 at least two categories, and so on.
When a user sets or changes the password, the system checks whether the password satisfies the
composition requirement. If not, the system displays an error message.
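The composition rule described above, as an added Python example (not code from the manual or from the switch software). The function names are hypothetical, and two points are assumptions: a category counts toward the level only when the password has at least min_per_category characters from it, and characters outside the four listed categories are rejected.

```python
import string

# Character categories as listed in the manual text above (space + 31 symbols).
SPECIAL = " ~`!@#$%^&*()_+-={}|[]\\:\";'<>,./"
CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(SPECIAL),
}


def category_counts(password):
    """Count characters per category; reject characters outside all four."""
    counts = dict.fromkeys(CATEGORIES, 0)
    for ch in password:
        for name, members in CATEGORIES.items():
            if ch in members:
                counts[name] += 1
                break
        else:
            raise ValueError(f"character {ch!r} is not in any allowed category")
    return counts


def check_composition(password, level, min_per_category=1):
    """Return (ok, reason) for a composition level of 1 to 4.

    Assumption: a category counts toward the level only when the password
    holds at least min_per_category characters from it.
    """
    if level not in (1, 2, 3, 4):
        raise ValueError("level must be 1, 2, 3 or 4")
    counts = category_counts(password)
    satisfied = sorted(n for n, c in counts.items() if c >= min_per_category)
    if len(satisfied) >= level:
        return True, "ok"
    return False, (f"{len(satisfied)} of {level} required categories have "
                   f">= {min_per_category} characters: {satisfied}")


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the manual.
    for pw in ("switchadmin", "Switch2024", "Sw1tch #9", "Ab1!"):
        print(repr(pw), check_composition(pw, level=3, min_per_category=2))
```

With level 3 and two characters per category, "Switch2024" fails because it has only one uppercase letter, while "Sw1tch #9" passes on lowercase, digits and special characters.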
Password complexity checking
A less complicated password such as a password containing the username or repeated characters is
more likely to be cracked. For higher security, configure a password complexity checking policy to make
sure that all user passwords are relatively complicated. With such a policy configured, when a user