HP 12500 Series Configuration Manual page 156

Password history
With this feature enabled, the system keeps a record of the passwords each user has previously used.
When a user changes the password, the system compares the new password against the recorded ones.
The new password must differ from each recorded password by at least four characters, and those
four characters must not all be the same. Otherwise the change is rejected and the system displays
an error message.
You can set the maximum number of history password records the system keeps for each user. When
that number is exceeded, the newest record overwrites the oldest one.
Login attempt limit
Limiting the number of consecutive failed login attempts is an effective way to hinder password
guessing.
If an FTP or virtual terminal line (VTY) user fails authentication because of an incorrect password,
the system adds the user to a blacklist. If the user still fails to provide the correct password
after the configured number of consecutive attempts, the system takes the configured action:
Prohibiting the user from logging in until the user is removed from the blacklist manually.
Allowing the user to keep trying, and removing the user from the blacklist when the user logs in
successfully or the blacklist entry ages out (the blacklist entry aging time is 1 minute).
Prohibiting the user from logging in for a configurable period of time, and allowing the user to
log in again after that period elapses or the user is removed from the blacklist.
A blacklist can contain up to 1024 entries.
A login attempt with a wrong username fails, but the username is not added to the blacklist.
Users accessing the system through the console or AUX port are not blacklisted, because the system
cannot obtain the IP addresses of these users and because these users are privileged and therefore
considered relatively trustworthy. Since no attempt limit applies on those ports, physical access to
them must be controlled separately.
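As an added example (not HP's code and not a Comware command), the following Python simulates the blacklist behaviour described above so the three actions can be compared side by side. It keys blacklist entries by (username, source IP) and refuses to record new entries once the 1024-entry cap is reached; both are assumptions, since the page specifies only the cap, the aging time and the three actions.

```python
# Added example, not HP's code: simulation of the login-attempt limit above.
from dataclasses import dataclass, field
from enum import Enum

BLACKLIST_CAPACITY = 1024          # maximum entries, from the text
ENTRY_AGING_SECONDS = 60           # blacklist entry aging time, 1 minute
EXEMPT_LINES = {"console", "aux"}  # never blacklisted: no IP address available


class Action(Enum):
    LOCK = "lock"            # locked until removed from the blacklist manually
    UNLOCK = "unlock"        # may keep trying; entry clears on success or after aging
    LOCK_TIME = "lock-time"  # locked for lock_seconds, then may try again


@dataclass
class Entry:
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0  # only used with Action.LOCK_TIME


@dataclass
class LoginLimiter:
    users: dict                     # username -> password (constructed sample data)
    max_attempts: int = 3
    action: Action = Action.LOCK_TIME
    lock_seconds: int = 300
    blacklist: dict = field(default_factory=dict)  # (username, ip) -> Entry; key is an assumption

    def _age_out(self, now: float) -> None:
        """UNLOCK mode: an entry expires one minute after the last failure."""
        if self.action is Action.UNLOCK:
            for key, e in list(self.blacklist.items()):
                if now - e.last_failure >= ENTRY_AGING_SECONDS:
                    del self.blacklist[key]

    def _blocked(self, e: Entry, now: float) -> bool:
        if e.failures < self.max_attempts:
            return False
        if self.action is Action.LOCK:
            return True
        if self.action is Action.LOCK_TIME:
            return now < e.locked_until
        return False  # UNLOCK never blocks an attempt

    def attempt(self, line: str, ip: str, username: str, password: str, now: float) -> str:
        self._age_out(now)
        if username not in self.users:
            return "denied"  # wrong username fails but is not blacklisted
        correct = self.users[username] == password
        if line in EXEMPT_LINES:
            return "ok" if correct else "denied"  # console/AUX: no blacklisting
        key = (username, ip)
        e = self.blacklist.get(key)
        if e is not None and self._blocked(e, now):
            return "blacklisted"
        if correct:
            self.blacklist.pop(key, None)  # success clears the entry
            return "ok"
        if e is None:
            if len(self.blacklist) >= BLACKLIST_CAPACITY:
                return "denied"  # assumption: no new entry once the list is full
            e = self.blacklist[key] = Entry()
        e.failures += 1
        e.last_failure = now
        if self.action is Action.LOCK_TIME and e.failures >= self.max_attempts:
            e.locked_until = now + self.lock_seconds
        return "denied"

    def remove(self, username: str, ip: str) -> None:
        """Manual removal from the blacklist by an administrator."""
        self.blacklist.pop((username, ip), None)


def demo() -> list:
    """Three bad passwords from one VTY source, then the right one: lock-time mode."""
    lim = LoginLimiter(users={"admin": "S3cret!"}, max_attempts=3,
                       action=Action.LOCK_TIME, lock_seconds=300)
    results, t = [], 1000.0
    for pw in ("a", "b", "c"):
        results.append(lim.attempt("vty", "203.0.113.7", "admin", pw, t))
        t += 1
    results.append(lim.attempt("vty", "203.0.113.7", "admin", "S3cret!", t))        # blacklisted
    results.append(lim.attempt("console", "", "admin", "S3cret!", t))              # console exempt
    results.append(lim.attempt("vty", "203.0.113.7", "admin", "S3cret!", t + 300))  # period elapsed
    return results


if __name__ == "__main__":
    print(demo())
```

In lock-time mode the fourth attempt is refused even though the password is correct, while the same credentials succeed immediately on the console; after the lock period the VTY login succeeds and the entry is cleared.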
Password composition checking
A password can be a combination of characters from the following four types:
Uppercase letters A to Z
Lowercase letters a to z
Digits 0 to 9
32 special characters: blank space, tilde (~), back quote (`), exclamation point (!), at sign (@),
pound sign (#), dollar sign ($), percent sign (%), caret (^), ampersand sign (&), asterisk (*), left
parenthesis ("("), right parenthesis (")"), underscore (_), plus sign (+), minus sign (-), equal sign
(=), left brace ({), right brace (}), vertical bar (|), left bracket ([), right bracket (]), back slash (\),
colon (:), quotation marks ("), semi-colon (;), apostrophe ('), left angle bracket (<), right angle
bracket (>), comma (,), dot (.), and slash (/)
Depending on the system security requirements, you can set the minimum number of character
types a password must contain and the minimum number of characters of each type that the
password must contain.
In non-FIPS mode there are four password combination levels, 1 through 4, each representing the
minimum number of character types a password must contain: level 1 requires characters of at
least one type, level 2 at least two types, and so on.
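The composition levels above and the four-character rule under Password history can be expressed as one small checker. The following Python is an added example, not HP's code: the character classes are exactly the ones enumerated on this page, the names type_number and type_length are illustrative, and the position-wise difference metric used for the history rule is an assumption, since the page does not define how the difference between two passwords is measured.

```python
# Added example, not HP's code: composition and history checks from this page.
import string

UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGIT = set(string.digits)
# The 32 special characters exactly as enumerated on this page
# (ASCII punctuation without '?', plus the blank space).
SPECIAL = set(" ~`!@#$%^&*()_+-={}|[]\\:\";'<>,./")
assert len(SPECIAL) == 32

CLASSES = {"upper": UPPER, "lower": LOWER, "digit": DIGIT, "special": SPECIAL}


def count_types(password: str) -> dict:
    """Number of characters of each permitted type; rejects anything else."""
    counts = {name: 0 for name in CLASSES}
    for ch in password:
        for name, cls in CLASSES.items():
            if ch in cls:
                counts[name] += 1
                break
        else:
            raise ValueError(f"character {ch!r} is not in any permitted type")
    return counts


def check_composition(password: str, type_number: int, type_length: int) -> tuple:
    """type_number: combination level 1..4 (minimum number of character types).
    type_length: minimum characters of each type that appears in the password.
    Returns (ok, reason)."""
    counts = count_types(password)
    present = {n: c for n, c in counts.items() if c > 0}
    if len(present) < type_number:
        return False, f"only {len(present)} character type(s), need {type_number}"
    short = [n for n, c in present.items() if c < type_length]
    if short:
        return False, f"fewer than {type_length} character(s) of type(s): {', '.join(short)}"
    return True, "ok"


def differs_enough(new: str, old: str, min_diff: int = 4) -> bool:
    """History rule: at least min_diff differing characters, and the differing
    characters of the new password must not all be the same. Comparison is
    position-wise (an assumption); a longer tail on either side counts as differing."""
    diff_chars = [a for a, b in zip(new, old) if a != b]  # new's chars at differing positions
    diff_chars += list(new[len(old):])                     # extra tail of the new password
    n_diff = len(diff_chars) + max(0, len(old) - len(new))  # extra tail of the old one
    return n_diff >= min_diff and len(set(diff_chars)) > 1


def check_history(new: str, history: list, min_diff: int = 4) -> tuple:
    for old in history:
        if not differs_enough(new, old, min_diff):
            return False, "too similar to a previously used password"
    return True, "ok"


def record_history(history: list, password: str, max_records: int) -> list:
    """Append a record; beyond max_records the newest overwrites the oldest."""
    history = history + [password]
    return history[-max_records:] if len(history) > max_records else history


def verify_new_password(new: str, history: list, type_number: int, type_length: int) -> tuple:
    """Full check a password change would run: composition first, then history."""
    ok, why = check_composition(new, type_number, type_length)
    if not ok:
        return False, why
    return check_history(new, history)


if __name__ == "__main__":
    # Constructed sample: level 3, at least one character per type, two old records.
    print(verify_new_password("Passw0rd!", ["Passw0rd?", "Gate!Keep2"], 3, 1))
```

Note that "aaaa1234" against "bbbb1234" differs in four positions yet fails the history rule, because all four differing characters are the same; "abcd1234" against "wxyz1234" passes.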