Managing password policy
You can change the password policy and strength in the Administration > Security: Password Policy page.
Selecting a password policy
You can choose one of these password policy templates, depending on your security requirements:
• Strong—Sets the password policy to more stringent enforcement settings. Selecting this template automatically prepopulates the password policy with stricter settings commonly required by higher security standards such as for the Department of Defense.
• Basic—Reverts the password policy to its predefined settings so you can customize your policy.
To set a password policy
1. Choose Administration > Security: Password Policy to display the Password Policy page.
Password Policy page
2. Select the Enable Account Control check box to set a password policy. Enabling account control makes password use mandatory.
Passwords for all users expire as soon as account control is enabled. Account control forces all users to create new passwords that follow the password requirements defined in the password policy. All new passwords are then controlled by the password policy.
The passwords also expire after the number of days specified by the administrator in the Password Policy page. As a consequence of this change, when users try to log in to the Management Console and their password has expired, the Expired Password page asks them to change their password. After they change their password, the system automatically logs them in to the Management Console.
RiOS doesn’t allow empty passwords when account control is enabled.
3. Optionally, select either the Basic or Strong template.
When you select the basic template, the system prepopulates the page with the secure settings. Also, the system prompts a user logging into the SteelHead after 60 days to change their password. By default, RiOS locks out a user logging into the SteelHead after 300 days without a password change. After the system locks them out, an administrator must unlock the user account. For more details on unlocking user accounts, see
Unlocking an account.
4. Under Password Management, complete the configuration as described in this table.
Control | Description |
Login Attempts Before Lockout | Specify the maximum number of unsuccessful login attempts before temporarily blocking user access to the SteelHead. The user is prevented from further login attempts when the number is exceeded. The default for the strong security template is 3. The lockout expires after the amount of time specified in Timeout for User Login After Lockout elapses. |
Timeout for User Login After Lockout | Specify the amount of time, in seconds, that must elapse before a user can attempt to log in after an account lockout due to unsuccessful login attempts. The default for the strong security template is 300. |
Days Before Password Expires | Specify the number of days the current password remains in effect. The default for the strong security template is 60. To set the password expiration to 24 hours, specify 0. To set the password expiration to 48 hours, specify 1. Leave blank to turn off password expiration. |
Days to Warn User of an Expiring Password | Specify the number of days the user is warned before the password expires. The default for the strong security template is 7. |
Days to Keep Account Active After Password Expires | Specify the number of days the account remains active after the password expires. The default for the strong security template is 305. When the time elapses, RiOS locks the account permanently, preventing any further logins. |
Days Between Password Changes | Specify the minimum number of days before which passwords can’t be changed. |
Minimum Interval for Password Reuse | Specify the number of password changes allowed before a password can be reused. The default for the strong security template is 5. |
Enable Temporary Password Setting | Specify a temporary password to improve security and to conform to NIST requirements. A temporary password can be enabled only if Account Control is enabled. If a temporary password is set, then the password set by the Admin or Sys Admin for the new user shall expire on the first log in of the new user. A password expired page will appear for new users after the first login. If a temporary password is set and the Admin or Sys Admin resets the password for the existing user, the password will expire at the first log in after the reset. A password expired page will appear for existing users upon the first login after a password reset. |
5. Under Password Characteristics, complete the configuration as described in this table.
Control | Description |
Minimum Password Length | Specify the minimum password length. The default for the strong security template is 14 alphanumeric characters. |
Minimum Uppercase Characters | Specify the minimum number of uppercase characters required in a password. The default for the strong security template is 1. |
Minimum Lowercase Characters | Specify the minimum number of lowercase characters required in a password. The default for the strong security template is 1. |
Minimum Numerical Characters | Specify the minimum number of numerical characters required in a password. The default for the strong security template is 1. |
Minimum Special Characters | Specify the minimum number of special characters required in a password. The default for the strong security template is 1. |
Minimum Character Differences Between Passwords | Specify the minimum number of characters that must be changed between the old and new password. The default for the strong security template is 4. |
Maximum Consecutively Repeating Characters | Specify the maximum number of times a character can occur consecutively. |
Prevent Dictionary Words | Select to prevent the use of any word that is found in a dictionary as a password. By default, this control is enabled. |
6. Click Save to Disk to save your settings permanently.
Applying Session Management
Enable session management to limit the number of concurrent sessions on the appliance for all users regardless of role. Limiting the number of concurrent sessions adds a layer of security that helps to reduce the risk of Denial of Service (DoS) attacks.
Session management can be set for the appliance web interface and CLI access separately. Also, you can set a global limit and user-level limits. The default value (-1) is unlimited.
Concurrent session limitation is based on locally mapped users.
To enable session management and set global limits
1. Choose Administration > Security: Password Policy to display the Password Policy page.
2. Under Session Management, select Enable Session Management.
3. Enter the maximum number of concurrent sessions for all users.
To set user-level limits
1. Choose Administration > Security: User Permissions to display the User Permissions page.
2. Do one of these actions:
– Select Add New Account.
– Select a user account
3. Enter the maximum number of concurrent web interface sessions for this user or role.
4. Enter the maximum number of concurrent CLI interface sessions for this user or role.
Unlocking an account
RiOS temporarily locks out an account after a user exceeds the configured number of login attempts. Account lockout information appears on the Administration > Security: User Permissions page.
When an account is locked out, the lockout ends after:
• The configured lockout time elapses.
—or—
• The administrator unlocks the account. RiOS never locks out administrator accounts.
To unlock an account
1. Log in as an administrator (admin).
2. Choose Administration > Security: User Permissions page and click Clear Login Failure Details.
When users log in to their account successfully, RiOS resets the login failure count.
Resetting an expired password
RiOS temporarily locks out an account when its password expires. Passwords expire for one of these reasons:
• An administrator enables account control.
• The expiration time for a password elapses.
• An administrator disables a user account and then enables it.
• An administrator uses a CLI command to encrypt a password.
After a user password expires, users must update their password within the number of days specified in Days to Keep Account Active After Password Expires. The default value is 305 days. After the time elapses, RiOS locks the account permanently, preventing any further logins.
To reset the password and unlock the account
1. Log in as an administrator (admin).
2. Choose Administration > Security: User Permissions page and click Clear Login Failure Details.
3. Type and confirm the new password and click Change Password.
The password reset feature is separate from the account lockout feature.