Managing Password Policy
You can change the password policy and strength in the Administration > Security: Password Policy page.
Selecting a Password Policy
You can choose one of these password policy templates, depending on your security requirements:
• Strong - Sets the password policy to more stringent enforcement settings. Selecting this template automatically prepopulates the password policy with stricter settings commonly required by higher security standards such as for the Department of Defense.
• Basic - Reverts the password policy to its predefined settings so you can customize your policy.
To set a password policy
1. Choose Administration > Security: Password Policy to display the Password Policy page.
Figure: Password Policy Page
2. Select the Enable Account Control check box to set a password policy. Enabling account control makes password use mandatory.
Passwords for all users expire as soon as account control is enabled. Account control forces all users to create new passwords that follow the password requirements defined in the password policy. All new passwords are then controlled by the password policy.
The passwords also expire after the number of days specified by the administrator in the Password Policy page. As a consequence of this change, when users try to log in to the Management Console and their password has expired, the Expired Password page asks them to change their password. After they change their password, the system automatically logs them in to the Management Console.
RiOS doesn’t allow empty passwords when account control is enabled.
3. Optionally, select either the Basic or Strong template. When you select the basic template, the system prepopulates the page with the secure settings. Also, the system prompts a user logging into the SteelHead after 60 days to change their password. By default, RiOS locks out a user logging into the SteelHead after 300 days without a password change. After the system locks them out, an administrator must unlock the user account. For more details on unlocking user accounts, see
Unlocking an Account.
4. Under Password Management, complete the configuration as described in this table.
Control | Description |
Login Attempts Before Lockout | Specify the maximum number of unsuccessful login attempts before temporarily blocking user access to the SteelHead. The user is prevented from further login attempts when the number is exceeded. The default for the strong security template is 3. The lockout expires after the amount of time specified in Timeout for User Login After Lockout elapses. |
Timeout for User Login After Lockout | Specify the amount of time, in seconds, that must elapse before a user can attempt to log in after an account lockout due to unsuccessful login attempts. The default for the strong security template is 300. |
Days Before Password Expires | Specify the number of days the current password remains in effect. The default for the strong security template is 60. To set the password expiration to 24 hours, specify 0. To set the password expiration to 48 hours, specify 1. Leave blank to turn off password expiration. |
Days to Warn User of an Expiring Password | Specify the number of days the user is warned before the password expires. The default for the strong security template is 7. |
Days to Keep Account Active After Password Expires | Specify the number of days the account remains active after the password expires. The default for the strong security template is 305. When the time elapses, RiOS locks the account permanently, preventing any further logins. |
Days Between Password Changes | Specify the minimum number of days before which passwords can’t be changed. |
Minimum Interval for Password Reuse | Specify the number of password changes allowed before a password can be reused. The default for the strong security template is 5. |
5. Under Password Characteristics, complete the configuration as described in this table.
Control | Description |
Minimum Password Length | Specify the minimum password length. The default for the strong security template is 14 alphanumeric characters. |
Minimum Uppercase Characters | Specify the minimum number of uppercase characters required in a password. The default for the strong security template is 1. |
Minimum Lowercase Characters | Specify the minimum number of lowercase characters required in a password. The default for the strong security template is 1. |
Minimum Numerical Characters | Specify the minimum number of numerical characters required in a password. The default for the strong security template is 1. |
Minimum Special Characters | Specify the minimum number of special characters required in a password. The default for the strong security template is 1. |
Minimum Character Differences Between Passwords | Specify the minimum number of characters that must be changed between the old and new password. The default for the strong security template is 4. |
Maximum Consecutively Repeating Characters | Specify the maximum number of times a character can occur consecutively. |
Prevent Dictionary Words | Select to prevent the use of any word that is found in a dictionary as a password. By default, this control is enabled. |
6. Click Save to Disk to save your settings permanently.
Unlocking an Account
RiOS temporarily locks out an account after a user exceeds the configured number of login attempts. Account lockout information appears on the Administration > Security: User Permissions page.
When an account is locked out, the lockout ends after:
• The configured lockout time elapses.
—or—
• The administrator unlocks the account. RiOS never locks out administrator accounts.
To unlock an account
1. Log in as an administrator (admin).
2. Choose Administration > Security: User Permissions page and click Clear Login Failure Details.
When users log into their account successfully, RiOS resets the login failure count.
Resetting an Expired Password
RiOS temporarily locks out an account when its password expires. Passwords expire for one of these reasons:
• An administrator enables account control.
• The expiration time for a password elapses.
• An administrator disables a user account and then enables it.
• An administrator uses a CLI command to encrypt a password.
After a user password expires, users must update their password within the number of days specified in Days to Keep Account Active After Password Expires. The default value is 305 days. After the time elapses, RiOS locks the account permanently, preventing any further logins.
To reset the password and unlock the account
1. Log in as an administrator (admin).
2. Choose Administration > Security: User Permissions page and click Clear Login Failure Details.
3. Type and confirm the new password and click Change Password.
Note: The password reset feature is separate from the account lockout feature.