Local Password Policy
CONFIGURE > USER MANAGEMENT > Local Password Policy
A Password Complexity policy allows network administrators to implement and enforce a password policy that meets the customer's security standards for local users (including root). Administrators can mandate complex passwords, making it more difficult for malicious agents to succeed in password attacks.
Enabling this feature will:
- Enforce the use of complex passwords so as to improve security.
- Schedule expiry of passwords to enforce regular password updates.
Note: Password policy settings such as complexity and expiry can only be configured by an administrator. Password requirements are applied to all accounts.
Tip: Password policy may be enabled and configured via the Web GUI, rest-api and ogcli. The password policy also applies to underlying CLI tools.
Set Password Complexity Requirements
Note: Some password complexity rules are required, other rules are optional. Optional rules can be selected by clicking on the relevant checkbox.
Note: Users are prevented from using the word “default” as their password. The factory default password automatically expires after a factory reset and users must choose a new password. This password policy applies to the WebUI, Config Shell and CLI. Users configured on the system using software versions prior to 23.10 with the password “default” are forced to change the user password to something other than “default” after upgrading to 23.10. This password feature update applies to configured boxes with existing users, not just factory defaulted software.
See also Password Policy Implementation Rules
To set the password complexity requirements:
- Navigate to CONFIGURE > USER MANAGEMENT > Local Password Policy.
- Click the Enforced button to implement the password complexity policy (the policy is not activated until the Apply button is clicked).
- Enter the information required to form the password complexity rules to comply with your company policy:
  - Password cannot be a palindrome (required)
  - Minimum length (required)
  - Must contain an upper case letter (optional)
  - Must contain a numeric character (optional)
  - Must contain a special character (non-alphanumeric, e.g. #,$,%) (optional)
  - Disallow user names in passwords (optional)
- Click the Apply button to activate the password complexity policy.
Set Password Expiration Interval
See also Password Policy Implementation Rules
Password Expiration schedules the expiry of passwords to enforce regular password updates. When this feature is applied and a password has expired, an expired password prompt is displayed at log-in.
Note: The Password Expiration policy affects local passwords only and does not apply to remote authentication modes.
To set the password expiration interval:
- Navigate to CONFIGURE > USER MANAGEMENT > Local Password Policy.
- Click the Enabled button to implement the password expiration policy (the policy is not activated until the Apply button is clicked).
- Input a number to represent the desired number of days between mandatory password updates. The default time is 90 days and the minimum is 1 day.
- Click the Apply button to activate the password interval policy.
Password Policy Implementation Rules
Rule | Policy |
---|---|
Expiry Rules | The expiry time is measured in number of whole days. When the expiry period is reached users are required to update their password on their next login. The default expiry period is 90 days and the minimum is one (1) day. |
 | If there are existing user passwords when the expiry is enabled, the expiry time will be applied from when the password was initially set by the user. If a password falls outside the new expiry period the user will be immediately prompted to change the password. |
 | Local Password policy is only applied to local passwords and does not apply to remote authentication modes. |
 | When local password policy is enabled it will remain in force until the feature is turned off. |
 | If the minimum password length is modified and then the password complexity feature is disabled, the minimum length requirement is not updated. |
Complexity Rules | The password cannot be a palindrome (this requirement cannot be disabled except by disabling password complexity entirely). (A palindrome is a word or other sequence of characters that reads the same backward as forward, such as madam or racecar). |
 | The minimum length (enforced) must be at least 8 characters (this requirement cannot be disabled except by disabling password complexity entirely). |
 | The password should contain at least one upper case alphabetic character (enabled or disabled separately). |
 | The password must contain at least one numeric character (enabled/disabled separately). |
 | The password should contain at least one special character (e.g. #,$,%) (enabled/disabled separately). |
 | The password cannot contain your user-name. |
 | Complexity requirements will apply when a user next tries to update their password. |
 | An administrator can force the expiry of a user's password, requiring the user to change it, by running the ogCLI command: passwd --expire {username} |
 | The operations ogadduser, ogpasswd and ogsshaddsshkey have been removed. You should instead use ogCLI for these operations. |
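
The rules in the table above can be modelled offline to pre-check candidate passwords and to see which accounts will be prompted when expiry is switched on. This is an added example, not the product's own code: the class, field and function names are hypothetical, and the case-insensitive user-name match and the "expired once the full period has elapsed" comparison are assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class LocalPasswordPolicy:
    # Hypothetical field names; defaults follow the documented rules.
    min_length: int = 8              # required rule, never below 8
    require_upper: bool = False      # optional
    require_digit: bool = False      # optional
    require_special: bool = False    # optional
    disallow_username: bool = False  # optional
    expiry_days: int = 90            # default 90, minimum 1


def complexity_violations(policy, username, password):
    """Return short codes for every documented rule the password breaks."""
    problems = []
    if password == "default":
        problems.append("is-default")
    if password == password[::-1]:
        problems.append("palindrome")
    if len(password) < max(policy.min_length, 8):
        problems.append("too-short")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no-upper")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no-digit")
    # "Special" means non-alphanumeric, as in the rule list (#, $, % ...).
    if policy.require_special and all(c.isalnum() for c in password):
        problems.append("no-special")
    # Assumption: the user-name comparison ignores case.
    if (policy.disallow_username and username
            and username.lower() in password.lower()):
        problems.append("contains-username")
    return problems


def must_change_at_login(policy, password_set_on, today):
    """Expiry counts whole days from when the password was set, so enabling
    or shortening expiry can expire an existing password immediately."""
    # Assumption: expired once the full period has elapsed (>=).
    age_days = (today - password_set_on).days
    return age_days >= max(policy.expiry_days, 1)
```

Running `must_change_at_login` over each local account's password-set date before enabling expiry shows who will hit the expired-password prompt at their next log-in.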