Password complexity checking policy

A less complicated password such as a password containing the username or repeated characters is more likely to be cracked. For higher security, you can configure a password complexity checking policy to make sure all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password. If the password is complexity-incompliant, the configuration will fail.

You can apply the following password complexity requirements:

• A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
• A character or number cannot be repeated three or more times consecutively. For example, password a111 is not complex enough.

Password updating and expiration

Password updating

This function allows you to set the minimum interval at which users can change their passwords. If a user logs in to change the password but the time passed since the last change is less than this interval, the system denies the request. For example, if you set this interval to 48 hours, a user cannot change the password twice within 48 hours.

The set minimum interval is not effective on a user who is prompted to change the password at the first login or after its password has expired.

Password expiration

Password expiration imposes a lifecycle on a user password. After the password expires, the user needs to change the password.

If a user enters an expired password when logging in, the system displays an error message and prompts the user to provide a new password and to confirm it by entering it again. The new password must be valid, and the user must enter exactly the same password when confirming it.

Telnet users, SSH users, and console users can change their own passwords. The administrator must change passwords for FTP users.

Early notice on pending password expiration

When a user logs in, the system checks whether the password will expire in a time equal to or less than the specified notification period. If so, the system notifies the user when the password will expire and provides a choice for the user to change the password. If the user sets a new password that is complexity-compliant, the system records the new password and the setup time. If the user chooses not to change the password or the user fails to change it, the system allows the user to log in using the current password.

Telnet users, SSH users, and console users can change their own passwords. The administrator must change passwords for FTP users.

Login with an expired password

You can allow a user to log in a certain number of times within a specific period of time after the password expires. For example, if you set the maximum number of logins with an expired password to 3 and the time period to 15 days, a user can log in three times within 15 days after the password expires.
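
The two complexity requirements listed under "Password complexity checking policy" can be reproduced outside the device, for example to pre-validate passwords in a provisioning script. The following is an added example, not code from the device or its vendor; the function name complexity_violations is hypothetical, and the case-insensitive username comparison is an assumption because the text does not say how case is handled.

```python
import re

# Any character appearing three times in a row, e.g. "111" in "a111".
_TRIPLE = re.compile(r"(.)\1\1", re.DOTALL)


def complexity_violations(username: str, password: str) -> list[str]:
    """Return the complexity rules that `password` breaks (empty list = compliant)."""
    violations = []
    # Assumption: usernames are compared case-insensitively (the stricter reading).
    user, pw = username.casefold(), password.casefold()
    if user:  # an empty string is a substring of everything; skip the check
        reversed_user = user[::-1]
        if user in pw:
            violations.append("contains username")
        # A palindromic username would otherwise be reported twice.
        if reversed_user != user and reversed_user in pw:
            violations.append("contains reversed username")
    # Repetition is checked on the exact characters, so "aAa" is not a repeat.
    match = _TRIPLE.search(password)
    if match:
        violations.append(f"character {match.group(1)!r} repeated 3+ times")
    return violations


if __name__ == "__main__":
    # Constructed samples; the first three are the examples given in the text.
    samples = [
        ("abc", "abc982"),
        ("abc", "2cba"),
        ("abc", "a111"),
        ("abc", "Xk7#mP2q"),
    ]
    for user, candidate in samples:
        problems = complexity_violations(user, candidate)
        verdict = "rejected: " + "; ".join(problems) if problems else "accepted"
        print(f"{user!r} / {candidate!r} -> {verdict}")
```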