R2511-HP MSR Router Series Security Configuration Guide(V5)
Password combination level    Minimum number of character types    Minimum number of characters for each type
Level 3                       Three                                One
Level 4                       Four                                 One
In non-FIPS mode, all the combination levels are available for a password. In FIPS mode, only the
level 4 combination is available for a password.
When a user sets or changes the password, the system checks if the password meets the
composition requirement. If not, the system displays an error message.
• Password complexity checking policy
A less complicated password, such as one that contains the username or repeated characters,
is more likely to be cracked. For higher security, you can configure a password complexity
checking policy to make sure all user passwords are relatively complicated. With such a policy
configured, when a user configures a password, the system checks the complexity of the password.
If the password does not meet the complexity requirements, the system rejects the password and
displays a password configuration failure message.
You can apply the following password complexity requirements:
◦ A password cannot contain the username or the reverse of the username. For example, if the
username is abc, a password such as abc982 or 2cba is not complex enough.
◦ No character of the password is repeated three or more times consecutively. For example,
password a111 is not complex enough.
• Password display in the form of a string of asterisks (*)
For security purposes, the password a user enters is displayed in the form of a string of asterisks
(*).
• Authentication timeout management
Authentication timeout management is only for Telnet and Terminal users.
The authentication period is from when the server obtains the username to when the server finishes
authenticating the user's password. If a user fails to log in within the configured period of time, the
system tears down the connection.
• Maximum account idle time
You can set the maximum account idle time so that accounts that remain idle for this period of
time become invalid and can no longer log in. For example, if you set the maximum account idle
time to 60 days and the user with the account test has not logged in successfully within 60 days
after the last successful login, the account becomes invalid and the user is unable to log in again.
• Logging
The system logs all successful password change events and the events of adding users to the
password control blacklist.
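
The composition and complexity checks described in the list above can be modelled as follows. This is an added example, not HP's code or the device's implementation; the function name check_password and its rule labels are hypothetical. It assumes the four character types are uppercase letters, lowercase letters, digits and special characters, and that the username comparison is case-sensitive.

```python
import re

# Assumption: the page only says "character types"; these four classes are assumed.
TYPE_PATTERNS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# Rows visible in the table on this page: level -> (min types, min chars per type).
COMPOSITION_LEVELS = {3: (3, 1), 4: (4, 1)}


def check_password(username, password, level=4, fips_mode=False):
    """Return the list of violated rules; an empty list means the password is accepted."""
    if fips_mode and level != 4:
        raise ValueError("only the level 4 combination is available in FIPS mode")
    min_types, min_per_type = COMPOSITION_LEVELS[level]
    violations = []

    # Composition: a type counts only if it supplies at least min_per_type characters.
    present = [name for name, pat in TYPE_PATTERNS.items()
               if len(pat.findall(password)) >= min_per_type]
    if len(present) < min_types:
        violations.append("composition")

    # Complexity rule 1: no username or reversed username (case-sensitive: assumption).
    if username and (username in password or username[::-1] in password):
        violations.append("contains-username")

    # Complexity rule 2: no character repeated three or more times consecutively.
    if re.search(r"(.)\1\1", password, flags=re.DOTALL):
        violations.append("repeated-character")

    return violations


if __name__ == "__main__":
    # Constructed sample inputs; the first three reuse the page's own examples.
    for user, pw in [("abc", "abc982"), ("abc", "2cba"), ("abc", "a111"),
                     ("abc", "Xy7#pQ2!")]:
        print(f"{user!r:6} {pw!r:12} -> {check_password(user, pw) or 'accepted'}")
```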
FIPS compliance
Table 23 shows the support of devices for the FIPS mode that complies with NIST FIPS 140-2 requirements.
Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For
more information about FIPS mode, see "Configuring FIPS."










