Configuring Username and Password Complexity

You can configure the device to enforce username or password complexity. When enforced, the device checks that the configured username or password meets the complexity requirements. If it doesn't, the device displays an error message indicating an invalid configuration.

Username and password complexity is applicable to the following:

Local users (see Configuring Management User Accounts)
SNMP Community Strings (see Configuring SNMP Community Strings)
SNMPv3 users (see Configuring SNMPv3 Users)

The device's implementation of username and password complexity depends on configuration:

Username:
  'Enforce Username Complexity' is Disable: The device enforces the default username complexity requirements: the username can contain up to 100 alphanumeric characters (without spaces) and only the symbols ".", "_", "-", and "@".
  'Enforce Username Complexity' is Enable: The device enforces complexity depending on the following configuration:
    'Username Complexity Check By Regex' is configured: The device enforces username complexity based on the configured regex.
    'Username Complexity Check By Regex' is empty: The device enforces the default username complexity requirements (the same as when 'Enforce Username Complexity' is Disable).
Password:
  'Enforce Password Complexity' is Disable: The device doesn't enforce any password complexity, and you can configure any password.
  'Enforce Password Complexity' is Enable: The device enforces password complexity depending on whether or not you've configured complexity using regex:
    'Password Complexity Check By Regex' is configured: The device enforces password complexity according to the configured regex.
    'Password Complexity Check By Regex' is empty: The device enforces the default password complexity requirements:
      At least eight characters
      At least two uppercase letters (A to Z)
      At least two lowercase letters (a to z)
      At least two numbers (0 to 9)
      At least two symbols (non-alphanumeric characters, e.g., $, #, %)
      At least four new characters that weren't used in the previous password
If you enable password complexity, you can also configure the minimum length (number of characters) of the password, using the [MinWebPasswordLen] parameter.
To enforce a password history policy so that users can't reuse an old password (can't change the password to any of the four previous passwords), see the [CheckPasswordHistory] parameter.
You can configure a list of weak passwords (in the Weak Passwords List table). If the user's password appears in this list, the device raises an SNMP alarm. For more information, see Detection of Weak Passwords.
For the device's CLI, password complexity applies to both Basic and Privileged command mode (> enable). In addition to the default complexity rules listed previously, password complexity for CLI also includes the following requirements:
  The username and password must be different.
  The username and password can't be the reverse of each other (e.g., "admin" and "nimda").
To configure username and password complexity:
1. Open the Local Users Settings table (Setup menu > Administration tab > Web & CLI folder > Local Users Settings).
2. To enforce username complexity by regex, do the following under the Username Complexity group:
   a. From the 'Enforce Username Complexity' drop-down list (EnforceUsernameComplexity), select Enable.
   b. In the 'Username Complexity Check By Regex' field (UsernameComplexityCheckByRegex), type a regex for username complexity.
3. To enforce password complexity, do the following under the Password Complexity group:
   a. From the 'Enforce Password Complexity' drop-down list (EnforcePasswordComplexity), select Enable.
   b. In the 'Password Complexity Check By Regex' field (PasswordComplexityCheckByRegex), either type a regex for password complexity or leave this field empty to enforce the default password complexity policy (described above).
4. Click Apply.
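
The default rules described above can be checked offline before credentials are provisioned. The following Python script is an added example, not the device's own implementation or part of the original page. The function names, the min_len argument (standing in for the minimum length the page says is configurable), the reading of "symbol" as any character that is not an ASCII letter or digit, and the reading of "new characters" as distinct characters absent from the previous password are all assumptions.

```python
import re
import string

# Default username rule from the page: up to 100 alphanumeric characters,
# no spaces, and only the symbols . _ - @
# Assumption: an empty username is rejected (the page states only the maximum).
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,100}")

def check_username(username):
    """Return True if the username meets the default requirements."""
    return USERNAME_RE.fullmatch(username) is not None

def check_password(password, previous=None, username=None, min_len=8):
    """Return the list of violated default rules (empty list = compliant)."""
    failures = []
    if len(password) < min_len:
        failures.append(f"fewer than {min_len} characters")
    classes = {
        "uppercase letters": string.ascii_uppercase,
        "lowercase letters": string.ascii_lowercase,
        "numbers": string.digits,
    }
    for name, alphabet in classes.items():
        if sum(c in alphabet for c in password) < 2:
            failures.append(f"fewer than two {name}")
    # Assumption: a symbol is any character that is not an ASCII letter or digit.
    alnum = string.ascii_letters + string.digits
    if sum(c not in alnum for c in password) < 2:
        failures.append("fewer than two symbols")
    # Assumption: "new characters" means distinct characters that do not
    # occur anywhere in the previous password.
    if previous is not None and len(set(password) - set(previous)) < 4:
        failures.append("fewer than four new characters")
    # CLI-only rules, applied when a username is supplied.
    if username is not None:
        if password == username:
            failures.append("password equals username")
        elif password == username[::-1]:
            failures.append("password is the username reversed")
    return failures

# Constructed sample credentials, not taken from any real device.
if __name__ == "__main__":
    samples = [("admin", "Winter#2023!aB", "nimda"),
               ("op_1@site", "Winter#2023!aB", "QuZx#58!mkLp")]
    for user, old, new in samples:
        print(user, check_username(user), check_password(new, old, user))
```

When a custom regex is configured in 'Password Complexity Check By Regex', the device applies that regex instead of these defaults, so this check only reflects the behavior when the field is left empty.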