R2511-HP MSR Router Series Security Configuration Guide(V5)
With this feature enabled, the system maintains passwords that a user has used. When a user
changes the password, the system checks the new password against the used ones. The new
password must be different from the used ones by at least four characters and the four characters
must not be the same. Otherwise, the user will fail to change the password and the system displays
an error message.
You can set the maximum number of history password records for the system to maintain for each
user. When the number of history password records exceeds your setting, the most recent record
overwrites the earliest one.
• Login attempt limit
Limiting the number of consecutive failed login attempts can effectively prevent password
guessing.
If an FTP or VTY user fails authentication, the system adds the user to a password control blacklist.
If a user fails to provide the correct password after the specified number of consecutive attempts,
the system takes one of the following actions:
○ Prohibits the user from logging in until the user is removed from the password control blacklist
manually.
○ Allows the user to try continuously and removes the user from the password control blacklist
when the user logs in to the system successfully or the blacklist entry times out (the blacklist entry
aging time is 1 minute).
○ Prohibits the user from logging in within a configurable period of time, and allows the user to
log in again after the period of time elapses or the user is removed from the password control
blacklist.
A password control blacklist can contain up to 1024 entries.
A login attempt with a wrong username always fails, but the username is not added to the
password control blacklist.
Web users who fail login authentication are not blacklisted. Users accessing the system through the
console or AUX ports are not blacklisted either, because the system cannot obtain the IP
addresses of these users, and because these users are privileged and therefore pose relatively
little risk to the system.
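The three blacklist actions described above, modelled in Python as an added example (not code from the guide or from the router software). Assumptions not stated on the page: entries are keyed by username and IP address, timers run from the most recent failure, a successful login clears the entry in every mode, a full blacklist accepts no new entries, and the action names "lock", "unlock" and "lock-time" are labels chosen here.

```python
BLACKLIST_CAPACITY = 1024            # stated in the guide
AGING_SECONDS = 60                   # entry aging time in "unlock" mode (1 minute)
BLACKLISTED_ACCESS = {"ftp", "vty"}  # web, console and AUX users are never listed


class LoginLimiter:
    """Toy model of the login attempt limit; all names here are hypothetical."""

    def __init__(self, users, max_attempts, action, lock_seconds=0):
        self.users = set(users)           # known usernames (constructed data)
        self.max_attempts = max_attempts
        self.action = action              # "lock", "unlock" or "lock-time"
        self.lock_seconds = lock_seconds
        self.blacklist = {}               # (username, ip) -> [failures, last_failure]

    def _blocked(self, key, now):
        entry = self.blacklist.get(key)
        if entry is None:
            return False
        failures, last = entry
        if self.action == "unlock":
            if now - last >= AGING_SECONDS:      # entry aged out
                del self.blacklist[key]
            return False                         # user may always retry
        if failures < self.max_attempts:
            return False
        if self.action == "lock-time" and now - last >= self.lock_seconds:
            del self.blacklist[key]              # lock period elapsed
            return False
        return True                              # "lock": manual removal only

    def attempt(self, username, ip, access, password_ok, now):
        """Return "ok", "fail" or "blocked" for one login attempt at time now."""
        key = (username, ip)
        if self._blocked(key, now):
            return "blocked"
        known = username in self.users           # wrong usernames are never listed
        if known and password_ok:
            self.blacklist.pop(key, None)        # assumption: success clears the entry
            return "ok"
        room = key in self.blacklist or len(self.blacklist) < BLACKLIST_CAPACITY
        if known and access in BLACKLISTED_ACCESS and room:
            entry = self.blacklist.setdefault(key, [0, now])
            entry[0] += 1
            entry[1] = now
        return "fail"

    def remove(self, username, ip):
        """Manual removal of a blacklist entry by an administrator."""
        self.blacklist.pop((username, ip), None)
```

Blocked attempts do not refresh the timer in this model, so a "lock-time" entry expires a fixed interval after the failure that reached the limit.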
• Password composition policy
A password can be a combination of characters from the following types:
○ Uppercase letters A to Z.
○ Lowercase letters a to z.
○ Digits 0 to 9.
○ Special characters. For information about special characters, see the password command in
Security Command Reference.
Depending on the system's security requirements, you can set the minimum number of character
types a password must contain and the minimum number of characters for each type, as shown
in Table 22.
Table 22 Password composition policy

Password combination level | Minimum number of character types | Minimum number of characters for each type
Level 1 | One | One
Level 2 | Two | One










