Fips Compliance - HP 5120 SI Series Security Configuration Manual


Depending on the system security requirements, you can set the minimum number of character types a
password must contain and the minimum number of characters of each type that the password must
contain.
In FIPS mode, a password must contain four types of characters and each type must contain at least one
character.
In non-FIPS mode, there are four password combination levels: 1, 2, 3, and 4, each representing the
minimum number of character types that a password must contain. Level 1 means that a password must
contain characters of at least one type, level 2 at least two types, and so on.
When a user sets or changes the password, the system checks whether the password meets the
composition requirement. If not, the system displays an error message.
9. Password complexity checking
A less complicated password, such as one containing the username or repeated characters, is
more likely to be cracked. For higher security, you can configure a password complexity checking policy
to ensure that all user passwords are relatively complicated. With such a policy configured, when a user
configures a password, the system checks the complexity of the password. If the password does not
meet the complexity requirements, the system refuses the password and displays a password
configuration failure message.
You can impose the following password complexity requirements:
• A password cannot contain the username or the reverse of the username. For example, if the
  username is abc, a password such as abc982 or 2cba is not complex enough.
• No character of the password is repeated three or more times consecutively. For example,
  password a111 is not complex enough.
10. Password display in the form of a string of *
For the sake of security, the password a user enters is displayed in the form of a string of *.
11. Authentication timeout management
The authentication period is from when the server obtains the username to when the server finishes
authenticating the user's password. If a Telnet user fails to log in within the configured period of time, the
system tears down the connection.
12. Maximum account idle time
You can set the maximum account idle time so that accounts that stay idle for this period of time become
invalid and can no longer log in. For example, if you set the maximum account idle time to 60 days
and the user of the account test has not logged in successfully within 60 days after the last successful
login, the account becomes invalid.
13. Logging
The system logs all successful password changing events and user blacklisting events due to login
failures.
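
The password composition and complexity checks described above can be reproduced offline, for example to pre-validate passwords in a provisioning script. The following Python sketch is an added example, not code from the manual or from the switch software. It assumes the four character types are uppercase letters, lowercase letters, digits, and special characters, and that the username match is case-sensitive (the page specifies neither); all function names are hypothetical.

```python
import re

# Assumed character types; the manual page does not list the four types.
CHAR_TYPES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum(),
}

def composition_errors(password, type_number, type_length=1):
    """Require at least type_number character types with type_length+ characters each."""
    counts = {name: sum(1 for c in password if test(c))
              for name, test in CHAR_TYPES.items()}
    satisfied = [name for name, n in counts.items() if n >= type_length]
    if len(satisfied) < type_number:
        return [f"needs {type_number} character types with at least "
                f"{type_length} character(s) each, found {len(satisfied)}"]
    return []

def complexity_errors(password, username):
    """Apply the two complexity rules: username or its reverse, and repeated characters."""
    errors = []
    # Case-sensitive comparison is an assumption; the page does not specify it.
    if username and (username in password or username[::-1] in password):
        errors.append("contains the username or its reverse")
    # Any single character repeated three or more times consecutively.
    if re.search(r"(.)\1\1", password, flags=re.DOTALL):
        errors.append("a character is repeated three or more times consecutively")
    return errors

def check_password(password, username, fips_mode=False, level=1, type_length=1):
    """Return a list of policy violations; an empty list means the password is accepted."""
    if fips_mode:
        # FIPS mode: four character types, at least one character of each.
        level, type_length = 4, max(type_length, 1)
    return (composition_errors(password, level, type_length)
            + complexity_errors(password, username))

if __name__ == "__main__":
    # Constructed sample passwords for the username "abc" used in the text.
    for pw in ("abc982", "2cba", "a111", "Xy7#mQ2p", "xy7mq2p"):
        print(pw, "->", check_password(pw, "abc", fips_mode=True) or "accepted")
```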

FIPS compliance

The switch supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode (see the chapter "FIPS configuration") and
non-FIPS mode.