User Account Lock
|
Choose whether or not to lock the user account after the user fails to log in successfully. Specify the number of failed login
attempts that cause the account to be locked. You can enter any number from one (1) to 60. Default is five (5).
When you configure account locking, enter the message to be displayed to the user attempting to log in. Enter text using 7-bit
ASCII characters. This message is only displayed when users enter the correct passphrase to a locked account.
When a user account gets locked, an administrator can unlock it on the Edit User page in the GUI or using the userconfig CLI command.
Failed login attempts are tracked by user, regardless of the machine the user connects from or the type of connection, such
as SSH or HTTP. Once the user successfully logs in, the number of failed login attempts is reset to zero (0).
When a user account is locked out due to reaching the maximum number of failed login attempts, an alert is sent to the administrator.
The alert is set at the “Info” severity level.
|
Passphrase Reset
|
Choose whether or not users should be forced to change their passphrases after an administrator changes their passphrases.
You can also choose whether or not users should be forced to change their passphrases after they expire. Enter the number of days a passphrase can last before users must change it. You can enter any number from one (1) to 366. Default is 90. To force users to change
their passphrases at non-scheduled times, see Requiring Users to Change Passphrase on Demand.
When you force users to change their passphrases after they expire, you can display a notification about the upcoming passphrase expiration. Choose the number of days before expiration to notify users.
Note
|
When a user account uses SSH keys instead of a passphrase challenge, the Passphrase Reset rules still apply. When a user account with SSH keys expires, the user must enter their old passphrase or ask an administrator to manually change the passphrase to change the keys associated with the account.
|
|
Passphrase Rules:
Require at least <number> characters.
|
Enter the minimum number of characters that passphrases may contain.
Enter any number between one (1) and 128.
The default is 8.
Passphrases can have more characters than the number you specify here.
|
Passphrase Rules:
Require at least one number (0-9).
|
Choose whether or not the passphrases must contain at least one number.
|
Passphrase Rules:
Require at least one special character.
|
Choose whether or not the passphrases must contain at least one special character. Passphrases may contain the following special characters:
~ ? ! @ # $ % ^ & * - _ + =
\ | / [ ] ( ) < > { } ` ' " ; : , .
|
Passphrase Rules:
Ban usernames and their variations as passphrases.
|
Choose whether or not passphrases are allowed to be the same as the associated user name or variations on the user name. When user name variations are banned,
the following rules apply to passphrases:
- The passphrase may not be the same as the user name, regardless of case.
- The passphrase may not be the same as the user name in reverse, regardless of case.
- The passphrase may not be the same as the user name or reversed user name with the following character substitutions:
  - "@" or "4" for "a"
  - "3" for "e"
  - "|", "!", or "1" for "i"
  - "0" for "o"
  - "$" or "5" for "s"
  - "+" or "7" for "t"
|
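The username-variation rules above can be checked position by position. The following is an added example, not the appliance's own code; the function names and the sample user "mstone" are hypothetical.

```python
# Added example: checks a candidate passphrase against the username-variation
# rules listed above. Names are hypothetical, not the appliance's code.

# Substitutions from the list above: letter -> characters that may replace it.
SUBSTITUTIONS = {
    "a": "@4",
    "e": "3",
    "i": "|!1",
    "o": "0",
    "s": "$5",
    "t": "+7",
}


def _matches_with_substitutions(passphrase: str, name: str) -> bool:
    """True if passphrase equals name character by character, ignoring case
    and accepting any listed substitute in place of its letter."""
    p_lower, n_lower = passphrase.lower(), name.lower()
    if len(p_lower) != len(n_lower):
        return False
    for p, n in zip(p_lower, n_lower):
        if p != n and p not in SUBSTITUTIONS.get(n, ""):
            return False
    return True


def is_username_variation(passphrase: str, username: str) -> bool:
    """True if the passphrase is the user name or its reverse, in any case,
    with or without the listed substitutions."""
    if not username:
        return False
    return any(
        _matches_with_substitutions(passphrase, candidate)
        for candidate in (username, username[::-1])
    )


# Constructed sample passphrases for the hypothetical user "mstone".
SAMPLES = ["MStone", "enotsm", "m$70n3", "3n07$m", "mstone2024", "Granite!Ridge9"]

if __name__ == "__main__":
    for candidate in SAMPLES:
        banned = is_username_variation(candidate, "mstone")
        print(f"{candidate!r}: {'banned' if banned else 'allowed'}")
```

These rules only catch whole-string matches, so "mstone2024" passes this check; banning it requires one of the other rules on this page.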
Passphrase Rules:
Ban reuse of the last <number> passphrases.
|
Choose whether or not users are allowed to choose a recently used passphrase when they are forced to change the passphrase. If they are not allowed to reuse recent passphrases, enter the number of recent passphrases that are banned from reuse.
You can enter any number from one (1) to 15. Default is three (3).
|
Passphrase Rules:
List of words to disallow in passphrases
|
You can create a list of words to disallow in passphrases.
Make this file a text file with each forbidden word on a separate line. Save the file with the name forbidden_passphrase_words.txt and use SCP or FTP to upload the file to the appliance.
If this restriction is selected but no word list is uploaded, this restriction is ignored.
|
Passphrase Strength
|
You can display a passphrase-strength indicator when an admin or user enters a new passphrase.
This setting does not enforce creation of strong passphrases; it merely shows how easy it is to guess the entered passphrase.
Select the roles for which you wish to display the indicator. Then, for each selected role, enter a number greater than zero.
A larger number means that a passphrase that registers as strong is more difficult to achieve. This setting has no maximum value.
Examples:
- If you enter 30, then an 8 character passphrase with at least one upper- and lower-case letter, number, and special character will register as a strong passphrase.
- If you enter 18, then an 8 character passphrase with all lower case letters and no numbers or special characters will register as strong.
Passphrase strength is measured on a logarithmic scale. Evaluation is based on the U.S. National Institute of Standards and Technology
rules of entropy as defined in NIST SP 800-63, Appendix A.
Generally, stronger passphrases:
- Are longer
- Include upper case, lower case, numeric, and special characters
- Do not include words in any dictionary in any language.
To enforce passphrases with these characteristics, use the other settings on this page.
|
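The two thresholds in the Passphrase Strength examples can be reproduced with the entropy heuristic from NIST SP 800-63, Appendix A. The following is an added example, not the appliance's own code. Assumptions: the composition bonus is applied per passphrase, the dictionary bonus is supplied by the caller, and a passphrase registers as strong when its estimate reaches the entered number.

```python
# Added example: password-entropy heuristic from NIST SP 800-63, Appendix A.
# How the appliance applies the two bonuses is an assumption, not page content.


def length_bits(n: int) -> float:
    """Bits credited for length alone."""
    bits = 0.0
    for position in range(1, n + 1):
        if position == 1:
            bits += 4.0   # first character
        elif position <= 8:
            bits += 2.0   # characters 2 through 8
        elif position <= 20:
            bits += 1.5   # characters 9 through 20
        else:
            bits += 1.0   # characters 21 and beyond
    return bits


def estimate_bits(passphrase: str, dictionary_bonus: float = 0.0) -> float:
    """Length bits, plus 6 bits when the passphrase contains both an
    upper-case letter and a non-alphabetic character, plus a dictionary-check
    bonus of 0 to 6 bits chosen by the caller."""
    bits = length_bits(len(passphrase))
    has_upper = any(c.isupper() for c in passphrase)
    has_non_alpha = any(not c.isalpha() for c in passphrase)
    if has_upper and has_non_alpha:
        bits += 6.0
    return bits + min(max(dictionary_bonus, 0.0), 6.0)


def registers_as_strong(passphrase: str, threshold: float,
                        dictionary_bonus: float = 0.0) -> bool:
    """Assumed rule: strong when the estimate reaches the entered number."""
    return estimate_bits(passphrase, dictionary_bonus) >= threshold


if __name__ == "__main__":
    # Constructed sample passphrases, 8 characters each.
    print(estimate_bits("qwkzpfhd"))        # all lower case
    print(estimate_bits("Tr9!vQm#"))        # all four character classes
    print(estimate_bits("Tr9!vQm#", 6.0))   # with the full dictionary bonus
```

Under this heuristic an 8 character passphrase reaches 30 only when both the composition bonus and the full dictionary bonus are credited.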
Passphrase Rule
|
A new passphrase rule is added in your Email and Web Manager to define your login passphrase:
Avoid usage of passphrases that contain three or more repetitive or sequential characters (for example, ‘AAA@124’, ‘Abc@123’,
and so on).
|
Passphrase Rule
|
A new passphrase rule is added to your Email and Web Manager to define your login passphrase:
Avoid usage of username substrings in your passphrase. Three or more characters from username along with numeric and special
characters are not allowed.
|