User password management

The system enforces a default system-wide password policy for users. The default policy includes password aging, password complexity rules, password history, and user lockout rules.

Password aging, password history, and complexity rules apply only to local users; they do not apply to LDAP users. Lockout policies apply to both local (including admin) and LDAP users.

The default policies are described below. An admin user can update these default policy settings as needed. The default policy also applies to the admin user.

Password aging

By default, a user's password expires after 365 days.

Password complexity rules

By default, passwords must consist of at least:
  • eight characters
  • two upper-case characters
  • two lower-case characters
  • one numerical character
  • one special character

Password history

By default, the system rejects reuse of a user's last three passwords.

Concurrent user sessions

By default, a user can be logged in to a maximum of three concurrent active sessions.

Lockout policy

By default, a user is locked out after five failed attempts within a specified period of time (the default is 5 minutes). The account used during those attempts is locked out for a preconfigured lockout period (the default is 10 minutes). After the lockout period, the account is unlocked without the intervention of an admin user.

An admin user can also configure users to be permanently locked out of their accounts after a specified number of failed login attempts. An admin user must unlock a permanently locked account.
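
The default temporary lockout behaviour described above, modelled as an added Python example (not the product's own code). It assumes a sliding counting window, that attempts made during a lockout are rejected without being counted, and that a successful login resets the failure count; the class, function and account names are hypothetical.

```python
from collections import defaultdict, deque

class LockoutTracker:
    """Illustrative model of the default lockout policy (not the product's code)."""
    def __init__(self, max_failures=5, window_s=5 * 60, lockout_s=10 * 60):
        self.max_failures = max_failures      # failed attempts that trigger a lockout
        self.window_s = window_s              # period in which failures are counted
        self.lockout_s = lockout_s            # length of the temporary lockout
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._locked_until = {}               # account -> time the lockout ends

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lockout period is over: unlock without admin intervention.
            del self._locked_until[account]
            return False
        return True

    def record_attempt(self, account, success, now):
        """Return 'ok', 'failed' or 'locked' for one attempt at time `now` (seconds)."""
        if self.is_locked(account, now):
            return "locked"   # assumption: rejected, and not counted as a failure
        fails = self._failures[account]
        # Assumed sliding window: forget failures older than the counting period.
        while fails and now - fails[0] >= self.window_s:
            fails.popleft()
        if success:
            fails.clear()     # assumption: a successful login resets the count
            return "ok"
        fails.append(now)
        if len(fails) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            fails.clear()
            return "locked"
        return "failed"

def replay(account, events):
    """Run (time_s, success) events for one account through a fresh tracker."""
    tracker = LockoutTracker()
    return [tracker.record_attempt(account, ok, t) for t, ok in events]

# Constructed sample events: (seconds since start, login succeeded?)
# Five failures in four minutes, then correct passwords during and after lockout.
LOCAL_USER = [(0, False), (60, False), (120, False), (180, False),
              (240, False), (300, True), (840, True)]
# Five failures spaced 100 s apart: never five inside one 5-minute window.
LDAP_USER = [(0, False), (100, False), (200, False), (300, False), (400, False)]
```

When reviewing authentication logs, the second sample is the pattern the time window does not catch, so repeated failures spread over a longer period need a separate alert.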