super: Displays the password control information for the super passwords. If you do not specify this keyword, the command displays the global password control configuration.

Examples

# Display the global password control configuration.

<Sysname> display password-control

Global password control configurations:

Password control: Enabled (device management users)

Enabled (network access users)

Password aging: Enabled (90 days)

Password length: Enabled (10 characters)

Password composition: Enabled (1 types, 1 characters per type)

Password history: Enabled (max history records:4)

Early notice on password expiration: 7 days

Maximum login attempts: 3

Action for exceeding login attempts: Lock user for 1 minutes

Password history was last reset: 0 days ago (device management users)

0 days ago (network access users)

Minimum interval between two updates: 24 hours

User account idle time: 90 days

Logins with aged password: 3 times in 30 days

Password complexity: Disabled (username checking)

Disabled (repeated characters checking)

Password change: Enabled (first login)

Enabled (mandatory weak password change)

User information in blacklist: Username-only

# Display the password control configuration for super passwords.

<Sysname> display password-control super

Super password control configurations:

Password aging: Enabled (90 days)

Password length: Enabled (10 characters)

Password composition: Enabled (1 types, 1 characters per type)

Table 1 Command output

Field	Description
Password control	Whether the password control feature is enabled for device management users or network access users.
Password aging	Whether password expiration is enabled and, if enabled, the aging time.
Password length	Whether the minimum password length restriction feature is enabled and, if enabled, the setting.
Password composition	Whether the password composition restriction feature is enabled and, if enabled, the settings.
Password history	Whether the password history management feature is enabled and, if enabled, the setting.
Early notice on password expiration	Number of days during which the user is notified of the pending password expiration.
Maximum login attempts	Allowed maximum number of consecutive failed login attempts for FTP and VTY users.
Action for exceeding login attempts	Action to be taken after a user fails to log in after the specified number of attempts.
Password history was last reset	Last time when the password history records of the device management or network access users were deleted.
Minimum interval between two updates	Minimum password update interval.
Logins with aged password	Number of times and maximum number of days a user can log in using an expired password.
Password complexity	Whether the following password complexity checking is enabled: · username checking—Checks whether a password contains the username or the reverse of the username. · repeated characters checking—Checks whether a password contains any character that appears consecutively three or more times.
Password change	Status of the password change at first login feature: · Enabled (first login). · Disabled (first login). · Enabled (mandatory weak password change). · Disabled (mandatory weak password change).
User information in blacklist	User information items added to the password control blacklist: · Username-only—Only usernames are added to the password control blacklist. · Username and IP—Both usernames and IP addresses are added to the password control blacklist.

‌

display password-control blacklist

Use display password-control blacklist to display password control blacklist information.

Syntax

display password-control blacklist [ user-name user-name | ip ipv4-address | ipv6 ipv6-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

user-name user-name: Specifies a user by its username, a string of 1 to 55 characters. You can specify a pure username or specify a pure username and its domain name in the format of pure usernname@domain name. The pure username is case sensitive. The domain name is case-insensitive.

ip ipv4-address: Specifies the IPv4 address of a user.

ipv6 ipv6-address: Specifies the IPv6 address of a user.

Usage guidelines

If you do not specify any parameters, this command displays information about all users in the password control blacklist.

When the console users fail login, only their user accounts can be added to the password control blacklist because the system is unable to obtain the IP addresses of these users. When FTP, Web, or virtual terminal line (VTY) users fail login, both their IP addresses and user accounts can be added to the password control blacklist. The user information items specified by the password-control blacklist user-info username-only command will be added to the password control blacklist.

The device will create a blacklist entry for each IP address for a user account when the following conditions are both met:

· Both usernames and IP addresses are added to the password control blacklist.

· A user uses the same user account to log in to the device from different IP addresses and fails the logins.

When the maximum number of blacklist entries for the user account is reached, a blacklist entry for a new IP address of the user account will overwrite the earliest blacklist entry for the user account.

Examples

# Display the password control blacklist where only usernames are added.

<Sysname> display password-control blacklist

Per-user blacklist limit: 32.

Blacklist items matched: 1.

Username Login failures Lock flag

con 2 unlock

abcd 4 lock

admin 1 unlock

# Display the password control blacklist where both usernames and IP addresses are added.

<Sysname> display password-control blacklist

Per-user blacklist limit: 100.

Blacklist items matched: 2.

Username IP address Login failures Lock flag

abcd 169::168:34:1 4 lock

admin 192.168.34.1 1 unlock

Table 2 Command output

Field	Description
Per-user blacklist limit	Maximum number of blacklist entries for a user account.
Blacklist items matched	Number of blacklisted users.
IP address	IP address of the user. This field displays hyphens (-) for users that logged in to the device through console ports. This field is not available if the password control blacklist contains only usernames.
Login failures	Number of login failures.
Lock flag	Whether the user account is locked for the user: · unlock—Not locked. · lock—Locked temporarily or permanently, depending on the password-control login-attempt command. The user cannot use the locked user account to log in.

‌

password-control { composition | history | length } enable

Use password-control { composition | history | length } enable to enable a password restriction feature.

Use undo password-control { aging | composition | history | length } enable to disable a password restriction feature.

Syntax

password-control { composition | history | length } enable

undo password-control { composition | history | length } enable

Default

The password restriction features are all enabled.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

composition: Enables the password composition restriction.

history: Enables the password history management feature.

length: Enables the minimum password length restriction.

Usage guidelines

The password history management feature takes effect only after the global password control feature is also enabled.

The password composition restriction and the minimum password length restriction are enabled by default regardless of whether or not the global password control feature is enabled. By default, a password must contain a minimum of four different characters.

If a password of a device management user is in hashed form, a restriction setting does not take effect for the password even when the following requirements are met:

· The global password control feature is enabled.

· The specific password restriction feature is enabled.

For more information about configuring a password for a device management user, see "AAA commands."

If the password history management is disabled, the system will not compare the new password with history passwords, but the system will not stop recording history passwords. When the number of history password records of a user reaches the maximum number set by the password-control history command, the newest history record overwrites the earliest one.

Examples

# Enable the password control feature globally.

<Sysname> system-view

[Sysname] password-control enable

# Enable the password composition restriction.

[Sysname] password-control composition enable

# Enable the minimum password length restriction.

[Sysname] password-control length enable

# Enable the password history management feature.

[Sysname] password-control history enable

Related commands

display password-control

password-control enable

password-control aging

Use password-control aging to set the password aging time.

Use undo password-control aging to restore the default.

Syntax

password-control aging aging-time

undo password-control aging

Default

A password expires after 90 days. The password aging time for a user group equals the global setting. The password aging time for a local user equals that of the user group to which the local user belongs.

Views

System view

User group view

Local user view

Predefined user roles

network-admin

context-admin

Parameters

aging-time: Specifies the password aging time in days, in the range of 1 to 365.

Usage guidelines

The aging time depends on the view:

· The time in system view has global significance and applies to all user groups.

· The time in user group view applies to all local users in the user group.

· The time in local user view applies only to the local user.

A password aging time with a smaller application scope has higher priority. The system prefers to use the non-default password aging time in local user view for a local user.

· If the default password aging time is configured for the local user, the system uses the non-default password aging time for the user group to which the local user belongs.

· If the default password aging time is configured for the user group, the system uses the global password aging time.

Examples

# Globally set the passwords to expire after 80 days.

<Sysname> system-view

[Sysname] password-control aging 80

# Set the passwords for user group test to expire after 90 days.

[Sysname] user-group test

[Sysname-ugroup-test] password-control aging 90

[Sysname-ugroup-test] quit

# Set the password for device management user abc to expire after 100 days.

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] password-control aging 100

Related commands

display local-user ‌

display password-control

display user-group ‌

password-control aging enable

Use password-control aging enable to enable the password expiration feature.

Use undo password-control aging enable to disable the password expiration feature.

Syntax

password-control aging enable

undo password-control aging enable

Default

The password expiration feature is enabled.

Views

System view

User group view

Local user view

Predefined user roles

network-admin

context-admin

Usage guidelines

To enable the password expiration feature for a local user, make sure the feature is enabled in system view, user group view, and local user view.

The password expiration enablement setting depends on the view:

· The setting in system view has global significance and applies to all user groups.

· The setting in user group view applies to all local users in the user group.

· The setting in local user view applies only to the local user.

The password expiration setting with a smaller application scope has higher priority. The system prefers to use the non-default password expiration setting in local user view for a local user.

· If the default setting is configured for the local user, the system uses the non-default setting for the user group to which the local user belongs.

· If the default setting is configured for the user group, the system uses the global setting.

Examples

# Disable the password expiration feature globally.

<Sysname> system-view

[Sysname] undo password-control aging enable

# Disable the password expiration feature for user group test.

[Sysname] user-group test

[Sysname-ugroup-test] undo password-control aging enable

[Sysname-ugroup-test] quit

# Disable the password expiration feature for device management user abc.

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] undo password-control aging enable

Related commands

display password-control

password-control enable

password-control alert-before-expire

Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration.

Use undo password-control alert-before-expire to restore the default.

Syntax

password-control alert-before-expire alert-time

undo password-control alert-before-expire

Default

The default is 7 days.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

alert-time: Specifies the number of days before a user password expires during which the user is notified of the pending password expiration. The value range is 1 to 30.

Usage guidelines

This command is effective only for non-FTP users. FTP users can only have their passwords changed by the administrator.

Examples

# Configure the device to notify a user about pending password expiration 10 days before the user's password expires.

<Sysname> system-view

[Sysname] password-control alert-before-expire 10

Related commands

display password-control

password-control blacklist user-info username-only

Use password-control blacklist user-info username-only to add only usernames of users failing authentication to the password control blacklist.

Use undo password-control blacklist user-info to restore the default.

Syntax

password-control blacklist user-info username-only

undo password-control blacklist user-info

Default

Both usernames and IP addresses are added to the password control blacklist when users fail authentication.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

If the user information items to add to the password control blacklist change, the system will clear the password control blacklist and restart the recording.

Examples

# Add only usernames to the password control blacklist when users fail authentication.

<Sysname> system-view

[Sysname] password-control blacklist user-info username-only

Related commands

display password-control

display password-control blacklist

reset password-control blacklist

password-control change-password first-login enable

Use password-control change-password first-login enable to enable the password change at first login feature.

Use undo password-control change-password first-login enable to disable the password change at first login feature.

Syntax

password-control change-password first-login enable

undo password-control change-password first-login enable

Default

The password change at first login feature is enabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

For the password change at first login feature to take effect, make sure the global password control is enabled.

Examples

# Enable the password change at first login feature.

<Sysname> system-view

[Sysname] password-control change-password first-login enable

Related commands

display password-control

password-control enable

password-control change-password weak-password enable

Use password-control change-password weak-password enable to enable mandatory weak password change.

Use undo password-control change-password weak-password enable to disable mandatory weak password change.

Syntax

password-control change-password weak-password enable

undo password-control change-password weak-password enable

Default

The mandatory weak password change feature is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

The system checks for weak login passwords for Telnet, SSH, HTTP, or HTTPS device management users. A password is weak if it does not meet the following requirements:

· Password composition restriction.

· Minimum password length restriction.

· Password complexity checking policy.

The mandatory weak password change feature is disabled by default. The system displays a message about a weak password but does not force the user to change it. To improve the device security, you can enable the mandatory weak password change feature, which forces the users to change the identified weak passwords. The users can log in to the device only after their passwords meet the password requirements.

To view the current password control settings, use the display password-control command. To change the password composition restriction, minimum password length, and password complexity checking policy, use the password-control composition, password-control length, and password-control complexity commands, respectively.

Examples

# Enable the mandatory weak password change feature.

<Sysname> system-view

[Sysname] password-control change-password weak-password enable

Related commands

display password-control

password-control { aging | composition | history | length }

password-control complexity

password-control composition

password-control length

password-control enable

password-control complexity

Use password-control complexity to configure the password complexity checking policy.

Use undo password-control complexity to remove a password complexity checking item.

Syntax

password-control complexity { same-character | user-name } check

undo password-control complexity { same-character | user-name } check

Default

The global password complexity checking policy is that username checking is enabled and repeated character checking is disabled.

The password complexity checking policy for a user group equals the global setting.

The password complexity checking policy for a local user equals that of the user group to which the local user belongs.

Views

System view

User group view

Local user view

Predefined user roles

network-admin

context-admin

Parameters

same-character: Refuses a password that contains a minimum of three consecutive identical characters. For example, the password aaabc is not complex enough.

user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.

Usage guidelines

The password complexity checking policy depends on the view:

· The policy in system view has global significance and applies to all user groups.

· The policy in user group view applies to all local users in the user group.

· The policy in local user view applies only to the local user.

A password complexity checking policy with a smaller application scope has higher priority. The system prefers to use the non-default password complexity checking policy in local user view for a local user.

· If the default policy is configured for the local user, the system uses the non-default policy for the user group to which the local user belongs.

· If the default policy is configured for the user group, the system uses the global policy.

Username checking is independent of whether or not the global password control feature is enabled.

You can enable both username checking and repeated character checking.

Examples

# Configure the password complexity checking policy, refusing any password that contains the username or the reverse of the username.

<Sysname> system-view

[Sysname] password-control complexity user-name check

Related commands

display local-user ‌

display password-control

display user-group ‌

password-control composition

Use password-control composition to configure the password composition policy.

Use undo password-control composition to restore the default.

Syntax

password-control composition type-number type-number [ type-length type-length ]

undo password-control composition

Default

The global composition policy requires that a password must contain a minimum of two character types and a minimum of one character for each type.The password composition policy for a user group is the same as the global policy. The password composition policy for a local user is the same as that of the user group to which the local user belongs.

Views

System view

User group view

Local user view

Predefined user roles

network-admin

context-admin

Parameters

type-number type-number: Specifies the minimum number of character types that a password must contain. The value range for the type-number argument is 1 to 4.

type-length type-length: Specifies the minimum number of characters that are from each type in the password. The value range for the type-length argument is 1 to 63.

Usage guidelines

The password composition policy depends on the view:

· The policy in system view has global significance and applies to all user groups.

· The policy in user group view applies to all local users in the user group.

· The policy in local user view applies only to the local user.

A password composition policy with a smaller application scope has higher priority. The system prefers to use the non-default password composition policy in local user view for a local user.

· If the default policy is configured for the local user, the system uses the non-default policy for the user group to which the local user belongs.

· If the default policy is configured for the user group, the system uses the global policy.

The product of the minimum number of character types and minimum number of characters for each type cannot be greater than the maximum length of passwords.

Examples

# Specify that all passwords must each contain a minimum of four character types and a minimum of five characters for each type.

<Sysname> system-view

[Sysname] password-control composition type-number 4 type-length 5

# Specify that passwords in user group test must contain a minimum of four character types and a minimum of five characters for each type.

[Sysname] user-group test

[Sysname-ugroup-test] password-control composition type-number 4 type-length 5

[Sysname-ugroup-test] quit

# Specify that the password of device management user abc must contain a minimum of four character types and a minimum of five characters for each type.

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] password-control composition type-number 4 type-length 5

Related commands

display local-user ‌

display password-control

display user-group ‌

password-control composition enable

password-control enable

Use password-control enable to enable the password control feature globally.

Use undo password-control enable to disable the password control feature globally.

Syntax

password-control enable [ network-class ]

undo password-control enable [ network-class ]

Default

The password control feature is disabled globally for device management and network access users.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

network-class: Enables global password control for network access users. If you do not specify this keyword, the command enables global password control for device management users.

Usage guidelines

When you enable global password control, the device automatically generates a .dat file and saves the file to the storage media. The file is used to record authentication and login information of local users. Do not manually delete or modify the file.

The password composition policy, minimum password length, and username checking are independent of the global password control feature. Other password control features take effect only after the global password control feature is also enabled.

After the global password control feature is enabled, the passwords configured for local users must contain a minimum of four different characters.

After the global password control feature is enabled for device management users, you cannot display the password and super password configuration for device management users by using the corresponding display commands.

After the global password control feature is enabled for network access users, you cannot display the password configuration for network access users by using the corresponding display commands.

You can configure all password control features for device management users.

You can configure only the following password control features for network access users:

· Password complexity checking policy.

· Password composition policy.

· Minimum password length.

· Minimum password update interval.

· Maximum number of history password records for each user.

Examples

# Enable the password control feature globally for device management users.

<Sysname> system-view

[Sysname] password-control enable

# Enable the password control feature globally for network access users.

<Sysname> system-view

[Sysname] password-control enable network-class

Related commands

display password-control

password-control complexity

password-control { aging | composition | history | length } enable

password-control update-interval

password-control expired-user-login

Use password-control expired-user-login to set the maximum number of days and maximum number of times that a user can log in after the password expires.

Use undo password-control expired-user-login to restore the defaults.

Syntax

password-control expired-user-login delay delay times times

undo password-control expired-user-login

Default

A user can use an expired password to log in three times within 30 days after the password expires. If all the three attempts fail or the user makes a login attempt after 30 days, the system prompts the user to set a new password.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

delay delay: Specifies the maximum number of days during which a user can log in using an expired password. The value range for the delay argument is 1 to 90.

times times: Specifies the maximum number of times a user can log in after the password expires. The value range is 0 to 10. For a user to set a new password at the system prompt immediately after the password expires, set the value to 0.

Usage guidelines

This command is effective only on non-FTP login users. An FTP user cannot continue to log in after its password expires.

Examples

# Allow a user to log in five times within 60 days after the password expires.

<Sysname> system-view

[Sysname] password-control expired-user-login delay 60 times 5

Related commands

display password-control

password-control history

Use password-control history to set the maximum number of history password records for each user.

Use undo password-control history to restore the default.

Syntax

password-control history max-record-number

undo password-control history

Default

The maximum number of history password records for each user is 4.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

max-record-number: Specifies the maximum number of history password records for each user. The value range is 2 to 15.

Usage guidelines

The global password control feature enables the system to record history passwords. When the number of history password records of a user reaches the maximum number, the newest history record overwrites the earliest one.

To delete the existing records, use one of the following methods:

· Use the undo password-control enable command to disable the password control feature globally.

· Use the reset password-control history-record command to clear the passwords manually.

Examples

# Set the maximum number of history password records for each user to 10.

<Sysname> system-view

[Sysname] password-control history 10

Related commands

display password-control

password-control history enable

reset password-control blacklist

password-control length

Use password-control length to set the minimum password length.

Use undo password-control length to restore the default.

Syntax

password-control length length

undo password-control length

Default

The global minimum password length is 10 characters.The minimum password length for a user group equals the global setting. The minimum password length for a local user equals that of the user group to which the local user belongs.

Views

System view

User group view

Local user view

Predefined user roles

network-admin

context-admin

Parameters

length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32.

Usage guidelines

The minimum length setting depends on the view:

· The setting in system view has global significance and applies to all user groups.

· The setting in user group view applies to all local users in the user group.

· The setting in local user view applies only to the local user.

A minimum password length with a smaller application scope has higher priority. The system prefers to use the non-default minimum password length in local user view for a local user.

· If the default minimum password length is configured for the local user, the system uses the non-default minimum password length for the user group to which the local user belongs.

· If the default minimum password length is configured for the user group, the system uses the global minimum password length.

Examples

# Set the global minimum password length to 16 characters.

<Sysname> system-view

[Sysname] password-control length 16

# Set the minimum password length to 16 characters for the user group test.

[Sysname] user-group test

[Sysname-ugroup-test] password-control length 16

[Sysname-ugroup-test] quit

# Set the minimum password length to 16 characters for the device management user abc.

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] password-control length 16

Related commands

display local-user ‌

display password-control

display user-group ‌

password-control length enable

password-control login idle-time

Use password-control login idle-time to set the maximum account idle time.

Use undo password-control login idle-time to restore the default.

Syntax

password-control login idle-time idle-time

undo password-control login idle-time

Default

The maximum account idle time is 90 days.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

idle-time: Specifies the maximum account idle time in days. The value range is 0 to 365. 0 means no restriction for account idle time.

Usage guidelines

If a user account is idle for this period of time, the account becomes invalid and can no longer be used to log in to the device.

The account might become invalid if the system time changes after your last successful login. You cannot use an invalid account to log in. To disable the account idle time restriction, set the idle time value to 0.

Examples

# Set the maximum account idle time to 30 days.

<Sysname> system-view

[Sysname] password-control login idle-time 30

Related commands

display password-control

password-control login-attempt

Use password-control login-attempt to configure the login attempt limit. The settings include the maximum number of consecutive login failures and the action to be taken when the maximum number is reached.

Use undo password-control login-attempt to restore the default.

Syntax

password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]

undo password-control login-attempt

Default

The global login-attempt settings:

· The maximum number of consecutive login failures is 3.

· The locking period is 1 minute.

The login-attempt settings for a user group equal the global settings.

The login-attempt settings for a local user equal those for the user group to which the local user belongs.

Views

System view

User group view

Local user view

Predefined user roles

network-admin

context-admin

Parameters

exceed: Specifies an action if the user fails the maximum number of consecutive login attempts.

· lock: Locks the user account and the user's IP address permanently. No one can use this user account to log in from this locked IP address.

· lock-time time: Locks the user account and the user's IP address for a period of time. When the locking timer expires, users can use this user account to log in from the IP address. The value range for the time argument is 1 to 360 minutes.

· unlock: Does not lock the user account. The user can continue using this account to make login attempts from the current IP address.

Usage guidelines

The login-attempt policy depends on the view:

· The policy in system view has global significance and applies to all user groups.

· The policy in user group view applies to all local users in the user group.

· The policy in local user view applies only to the local user.

A login-attempt policy with a smaller application scope has higher priority. The system prefers to use the non-default login-attempt policy in local user view for a local user.

· If the default policy is configured for the local user, the system uses the non-default policy for the user group to which the local user belongs.

· If the default policy is configured for the user group, the system uses the global policy.

If an FTP, Web, or VTY user fails to log in, the system adds the user account and the user's IP address to the password control blacklist. When the maximum number of consecutive login failures is reached, the login attempt limit feature is triggered.

Whether a blacklisted user and user account are locked depends on the locking setting:

· If a user account is permanently locked for a user, the user cannot use this account unless this account is removed from the password control blacklist. To remove the user account, use the reset password-control blacklist command.

· To use a temporarily locked user account, the user can perform either of the following tasks:

¡ Wait until the locking timer expires.

¡ Remove the user account from the password control blacklist.

· If the user account and the user are blacklisted but not locked, the user can continue using this account to log in. The account and the user's IP address are removed from the password control blacklist when the user uses the account to successfully log in to the device.

NOTE:

This account is locked only for the user at the locked IP address. A user from an unlocked IP address can still use this account, and the user at the locked IP address can use other unlocked user accounts.

‌

The password-control login-attempt command takes effect immediately after being executed, and can affect the users already in the password control blacklist.

Examples

# Allow a maximum of four consecutive login failures on a user account, and lock the user account and the user's IP address permanently if the limit is reached.

<Sysname> system-view

[Sysname] password-control login-attempt 4 exceed lock

# Use the user account test to log in to the device, and enter incorrect password for four times.

# Display the password control blacklist. The output shows that the user account is on the blacklist, and its status is lock.

[Sysname] display password-control blacklist

Per-user blacklist limit: 100.

Blacklist items matched: 1.

Username IP address Login failures Lock flag

test 192.168.44.1 4 lock

# Verify that the user at 192.168.44.1 cannot use this user account to log in.

# Allow a maximum of two consecutive login failures on a user account, and lock the account for 3 minutes if the limit is reached.

<Sysname> system-view

[Sysname] password-control login-attempt 2 exceed lock-time 3

# Use the user account test to log in to the device, and enter incorrect password for two attempts.

# Display the password control blacklist. The output shows that the user account is on the blacklist and its status is lock.

[Sysname] display password-control blacklist

Per-user blacklist limit: 100.

Blacklist items matched: 1.

Username IP address Login failures Lock flag

test 192.168.44.1 2 lock

# Verify that after 3 minutes, the user account is removed from the password control blacklist and the user at 192.168.44.1 can use this account.

Related commands

display local-user ‌

display password-control

display password-control blacklist

display user-group ‌

reset password-control blacklist

password-control per-user blacklist-limit

Use password-control per-user blacklist-limit to set the maximum number of blacklist entries for a user account.

Use undo password-control per-user blacklist-limit to restore the default.

Syntax

password-control per-user blacklist-limit max-number

undo password-control per-user blacklist-limit

Default

The maximum number of blacklist entries for a user account is 32.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

max-number: Maximum number of blacklist entries that the device can record for a single user account. The value range is 1 to 4294967295.

Usage guidelines

For an FTP, a VTY, or a Web user that fails login, the system adds the username and IP address of the user to the password control blacklist.

If such a user uses the same user account to log in to the device from different IP addresses and fails the logins, the device will create a blacklist entry for each IP address for the user account. When the maximum number of blacklist entries for the user account is reached, a blacklist entry for a new IP address of the user account will overwrite the earliest blacklist entry for the user account.

Examples

# Set the maximum number of blacklist entries for a user account to 100.

<Sysname> system-view

[Sysname] password-control per-user blacklist-limit 100

Related commands

display password-control blacklist

password-control login-attempt

reset password-control blacklist

password-control super aging

Use password-control super aging to set the aging time for super passwords.

Use undo password-control super aging to restore the default.

Syntax

password-control super aging aging-time

undo password-control super aging

Default

A super password expires after 90 days.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

aging-time: Specifies the super password aging time in days, in the range of 1 to 365.

Examples

# Set the super passwords to expire after 10 days.

<Sysname> system-view

[Sysname] password-control super aging 10

Related commands

display password-control

password-control aging

password-control super composition

Use password-control super composition to configure the composition policy for super passwords.

Use undo password-control super composition to restore the default.

Syntax

password-control super composition type-number type-number [ type-length type-length ]

undo password-control super composition

Default

A super password must contain a minimum of two character types and a minimum of one character for each type.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

type-number type-number: Specifies the minimum number of character types that a super password must contain. The value range for the type-number argument is 1 to 4.

type-length type-length: Specifies the minimum number of characters that are from each character type. The value range for the type-length argument is 1 to 63.

Usage guidelines

The product of the minimum number of character types and minimum number of characters for each type cannot be greater than the maximum length of the super password.

Examples

# Specify that a super password must contain a minimum of four character types and a minimum of five characters for each type.

<Sysname> system-view

[Sysname] password-control super composition type-number 4 type-length 5

Related commands

display password-control

password-control composition

password-control super length

Use password-control super length to set the minimum length for super passwords.

Use undo password-control super length to restore the default.

Syntax

password-control super length length

undo password-control super length

Default

The minimum super password length is 10 characters.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

length: Specifies the minimum length of super passwords in characters. The value range for this argument is 4 to 63.

Examples

# Set the minimum length of super passwords to 16 characters.

<Sysname> system-view

[Sysname] password-control super length 16

Related commands

display password-control

password-control length

password-control update-interval

Use password-control update-interval to set the minimum password update interval, which is the minimum interval at which users can change their passwords.

Use undo password-control update-interval to restore the default.

Syntax

password-control update-interval interval

undo password-control update-interval

Default

The minimum password update interval is 24 hours.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

interval: Specifies the minimum password update interval in hours, in the range of 0 to 168. 0 means no requirements for password update interval.

Usage guidelines

The set minimum interval is not effective on a user who is prompted to change the password at the first login or after the password expires.

Examples

# Set the minimum password update interval to 36 hours.

<Sysname> system-view

[Sysname] password-control update-interval 36

Related commands

display password-control

reset password-control blacklist

Use reset password-control blacklist to remove blacklisted users.

Syntax

reset password-control blacklist [ user-name user-name ]

Views

User view

Predefined user roles

network-admin

context-admin

Parameters

user-name user-name: Specifies the username of a user account to be removed from the password control blacklist. The username is a string of 1 to 55 characters. You can specify a pure username or specify a pure username and its domain name in the format of pure usernname@domain name. The pure username is case sensitive. The domain name is case-insensitive.

Usage guidelines

You can use this command to remove a user account and the user's IP address that are blacklisted due to excessive login failures. Then the user at this IP address can use this user account to log in.

Examples

# Remove the user account named test from the password control blacklist.

<Sysname> reset password-control blacklist user-name test

Are you sure to delete the specified user in blacklist? [Y/N]:

Related commands

display password-control blacklist

reset password-control history-record

Use reset password-control history-record to delete history password records.

Syntax

reset password-control history-record [ super [ role role name ] | user-name user-name | network-class [ user-name user-name ] ]

Views

User view

Predefined user roles

network-admin

context-admin

Parameters

super: Deletes the history records of the specified super password or all super passwords.

role role name: Specifies a user role name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command deletes the history records of all super passwords.

network-class: Deletes the history password records of network access users. If you do not specify this keyword, the command deletes the history password records of device management users.

user-name user-name: Specifies the username of the user whose password records are to be deleted. The user-name argument is a string of 1 to 55 characters. You can specify a pure username or specify a pure username and its domain name in the format of pure usernname@domain name. The pure username is case sensitive. The domain name is case-insensitive. If you do not specify a username, this command deletes all history password records of the specified user type.

Usage guidelines

If you do not specify any parameters, this command deletes the history password records of all device management users.

Examples

# Clear the history password records of all device management users.

<Sysname> reset password-control history-record

Are you sure to delete all local user's history records? [Y/N]:y

# Delete the history password records of all network access users.

<Sysname> reset password-control history-record network-class

Are you sure you want to delete all network access users' history records? [Y/N]:y

Related commands

password-control history

03-Security Command Reference

password-control expired-user-login

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us