Password Policy

The Admin Security feature set supports the creation of password policies that enhance the authentication process by imposing requirements for:

  • password length
  • password strength
  • password history and re-use
  • password expiration and grace period

The Admin Security feature set mandates the following password length/strength requirements.

  • user class passwords must contain at least 9 characters (Admin Security only)
  • admin class passwords must contain at least 15 characters
  • passwords must contain at least 2 lower case alphabetic characters
  • passwords must contain at least 2 upper case alphabetic characters
  • passwords must contain at least 2 numeric characters
  • passwords must contain at least 2 special characters (such as ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~)
  • passwords must differ from the prior password by at least 4 characters
  • characters in password must differ from the prior password in at least 8 positions
  • passwords cannot contain, repeat, or reverse the entire username
  • passwords cannot contain three consecutive identical characters
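
The rules above can be read as a small validator. The following Python is an added illustration and is not Oracle SBC code: MIN_LEN, SPECIALS, check_password and the sample passwords are constructed for this example, and the two "differ from the prior password" rules are given one concrete reading (characters not present in the prior password, and positions at which the two strings disagree), which is this example's assumption about how the SBC counts them.

```python
from collections import Counter
import string

# Added illustration of the length/strength rules listed above; this is not
# Oracle SBC code. MIN_LEN, SPECIALS, check_password and the sample inputs at
# the bottom are constructed for this example.
MIN_LEN = {"user": 9, "admin": 15}
# string.punctuation is exactly ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
SPECIALS = set(string.punctuation)


def check_password(candidate, username, user_class="user", previous=None):
    """Return the list of rules the candidate violates (empty list = accepted).

    `previous` is the prior plaintext password, available only at the moment
    of change. The two "differ from the prior password" rules are given a
    concrete reading here (an assumption of this example): the number of
    characters that do not occur in the prior password, and the number of
    positions at which the two strings disagree.
    """
    problems = []
    if len(candidate) < MIN_LEN[user_class]:
        problems.append(f"shorter than {MIN_LEN[user_class]} characters")
    if sum(c.islower() for c in candidate) < 2:
        problems.append("fewer than 2 lower case letters")
    if sum(c.isupper() for c in candidate) < 2:
        problems.append("fewer than 2 upper case letters")
    if sum(c.isdigit() for c in candidate) < 2:
        problems.append("fewer than 2 digits")
    if sum(c in SPECIALS for c in candidate) < 2:
        problems.append("fewer than 2 special characters")
    uname = username.lower()
    lowered = candidate.lower()
    if uname and (uname in lowered or uname[::-1] in lowered):
        problems.append("contains or reverses the username")
    if any(candidate[i] == candidate[i + 1] == candidate[i + 2]
           for i in range(len(candidate) - 2)):
        problems.append("three consecutive identical characters")
    if previous is not None:
        # Characters of the candidate that are not matched in the prior password.
        new_chars = sum((Counter(candidate) - Counter(previous)).values())
        if new_chars < 4:
            problems.append("differs from the prior password by fewer than 4 characters")
        # Positions that disagree, plus any positions only one string has.
        changed_positions = sum(a != b for a, b in zip(candidate, previous))
        changed_positions += abs(len(candidate) - len(previous))
        if changed_positions < 8:
            problems.append("differs from the prior password in fewer than 8 positions")
    return problems


if __name__ == "__main__":
    # Constructed sample: an admin-class change from a prior password.
    for pw in ("Tk9#Wq!3mnLp7$eR", "Old!Pass#12abcDEG", "bob123"):
        print(pw, "->", check_password(pw, "bob", "admin", "Old!Pass#12abcDEF") or "accepted")
```

Running the block prints one line per sample: the first candidate is accepted, the second fails both "differ from the prior password" rules because only its last character changed, and the third fails on length, character classes and the embedded username.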

Some specific password policy properties, specifically those regarding password lifetime and expiration procedures, are also applicable to SSH public keys used to authenticate clients.

Configuring Password Policy Properties

The single instance password-policy configuration element defines the password policy.

  1. From superuser mode, use the following command path to access password-policy configuration mode.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# password-policy
    ORACLE(password-policy)#

    The password-policy configuration element properties (with the introduction of the Admin Security or JITC feature) are shown below with their default values.

    min-secure-pwd-length       8 
    expiry-interval             90 
    expiry-notify-period        30 
    grace-period                30 
    grace-logins                3 
    password-history-count      3 
    password-change-interval    24
  2. Use the expiry-interval command to specify the password lifetime in days. Password lifetime tracking begins when a password is changed.
    Allowable values are integers within the range 0 through 65535, with a default value of 90 (days).

    Note:

    The minimum expiry-interval is 0 with a provisioned JITC feature only and remains 1 when only an Admin Security feature is provisioned.
    ORACLE(password-policy)# expiry-interval 60
    ORACLE(password-policy)#
  3. Use the password-change-interval command to specify the minimum password lifetime (the minimum time that must elapse between password changes).

    Allowable values are integers within the range 1 through 24, with a default value of 24 (hours).

    ORACLE(password-policy)# password-change-interval 18
    ORACLE(password-policy)#
  4. Use the expiry-notify-period command to specify the number of days prior to expiration that users begin to receive password expiration notifications.

    Allowable values are integers within the range 1 through 90, with a default value of 30 (days).

    During the notification period, users are reminded of impending password expiration at both Session Director login and logout.

    ORACLE(password-policy)# expiry-notify-period 10
    ORACLE(password-policy)#
  5. Use the grace-period command in conjunction with the grace-logins command to police user access after password expiration.

    After password expiration, users are granted some number of logins (specified by the grace-logins command) for some number of days (specified by the grace-period command). Once the number of logins has been exceeded, or once the grace period has expired, the user is forced to change his or her password.

    Allowable values for grace-period are integers within the range 1 through 90, with a default value of 30 (days).

    Allowable values for grace-logins are integers within the range 1 through 10, with a default value of 3 (logins).

    ORACLE(password-policy)# grace-period 1
    ORACLE(password-policy)# grace-logins 1
    ORACLE(password-policy)#
  6. Use the password-history-count command to specify the number of previously used passwords retained in encrypted format in the password history cache.
    Allowable values are integers within the range 1 through 24, with a default value of 3 (retained passwords).

    Note:

    The maximum password-history-count is 24 with a provisioned JITC feature only and remains 10 when only an Admin Security feature is provisioned.

    By default, a user’s three most recently expired passwords are retained in the password history. As the user’s current password is changed, that password is added to the history, replacing the oldest password entry.

    New, proposed passwords are evaluated against the contents of the password cache, to prevent password re-use, and guard against minimal password changes.

    ORACLE(password-policy)# password-history-count 10
    ORACLE(password-policy)#
  7. Use done, exit and verify-config to complete the password policy configuration.
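
The timers configured in steps 2 through 6 interact at every login: the notify period starts expiry-notify-period days before the expiry-interval elapses, after which grace-period and grace-logins bound how long a user may keep logging in before a change is forced, and password-history-count bounds the re-use check. The following Python models that interaction and is an added illustration, not Oracle SBC code: PasswordPolicy, login_state, change_allowed, remember_password and is_reused are this example's own names, the defaults are the element defaults shown above, and storing the history as salted PBKDF2 hashes is this example's assumption (the text says only that retained passwords are kept in encrypted form).

```python
from dataclasses import dataclass
import hashlib
import hmac
import secrets

# Added illustration of how the password-policy timers and history interact;
# this is not Oracle SBC code. All names below are this example's own. The
# defaults are the password-policy element defaults shown above.


@dataclass
class PasswordPolicy:
    expiry_interval: int = 90           # days a password remains valid (0 = never expires, JITC only)
    expiry_notify_period: int = 30      # days before expiry at which notices begin
    grace_period: int = 30              # days after expiry during which grace logins are allowed
    grace_logins: int = 3               # number of grace logins allowed after expiry
    password_history_count: int = 3     # prior passwords retained for the re-use check
    password_change_interval: int = 24  # minimum hours between password changes


def login_state(policy, days_since_change, grace_logins_used):
    """Classify a login as 'ok', 'notify', 'grace' or 'change-required'."""
    if policy.expiry_interval == 0:
        return "ok"                   # expiry disabled (JITC-only setting)
    days_to_expiry = policy.expiry_interval - days_since_change
    if days_to_expiry > policy.expiry_notify_period:
        return "ok"
    if days_to_expiry > 0:
        return "notify"               # login/logout banner warns of impending expiry
    days_past_expiry = -days_to_expiry
    if days_past_expiry >= policy.grace_period or grace_logins_used >= policy.grace_logins:
        return "change-required"      # grace exhausted: the change is forced
    return "grace"                    # one of the remaining grace logins


def change_allowed(policy, hours_since_change):
    """password-change-interval: the minimum lifetime before another change."""
    return hours_since_change >= policy.password_change_interval


PBKDF2_ROUNDS = 100_000  # assumption of this example; the SBC's storage format is not documented here


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def remember_password(history, password, policy):
    """Add the new password to the history and evict the oldest entries beyond
    password_history_count. Returns the trimmed history list."""
    salt = secrets.token_bytes(16)
    history.append((salt, _digest(password, salt)))
    del history[:-policy.password_history_count]
    return history


def is_reused(candidate, history):
    """True if the candidate matches any retained prior password."""
    return any(hmac.compare_digest(_digest(candidate, salt), digest)
               for salt, digest in history)


if __name__ == "__main__":
    strict = PasswordPolicy(grace_period=1, grace_logins=1)  # the values set in step 5 above
    for day, used in ((60, 0), (90, 0), (90, 1), (91, 0)):
        print(f"day {day}, grace logins used {used}: {login_state(strict, day, used)}")
```

With the default policy, the notify state begins on day 60 and the first login on day 90 is a grace login; with the grace-period 1 / grace-logins 1 values shown in step 5, a single grace login or one further day is enough to force the change.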

Configuring the Administrative Security with ACP Password Rules

To enforce the stronger password rules and restrictions that the Administrative Security ACP license provides, you must enable the password-policy-strength parameter.

  • Confirm that the Administrative Security ACP license is installed on the system.
  • You must have Superuser permissions.
From the command line, go to the password-policy configuration element and set the password-policy-strength parameter to enabled.

Note:

The password-policy configuration element displays the min-secure-pwd-len command. You do not need to configure the min-secure-pwd-len command because the Administrative Security ACP license overrides this command with a stronger rule.

You can configure any of the other password policy settings without a system override, according to the ranges specified in this procedure. For more information about the ranges, see "Administrative Security ACP License Configuration."

  1. Access the password-policy configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# password-policy
    ORACLE(password-policy)# 
  2. Type select, and press ENTER.
  3. Type show, and press ENTER.
  4. Configure the following password policy settings, as needed:
    • expiry-interval. 1-65535 days.
    • expiry-notify-period. 1-90 days.
    • grace-period. 1-90 days.
    • grace-logins. 1-10 attempts.
    • password-history-count. 1-10 passwords.
    • password-change-interval. 1-24 hours.
    • password-policy-strength. Type enabled, and press ENTER.
  5. Do the following:
    1. Type done, and press ENTER.
    2. Type exit, and press ENTER.
    3. Type done, and press ENTER.

Changing a Password

As shown in the following figures, the password-policy configuration element provides prior notice of impending password expiration via the login banner display, and with additional notices when ending a login session.

This screenshot of the CLI shows the notice the SBC displays to alert users about an impending password expiration. The SBC provides an additional notice when ending a login session.

Password Expiration Notices at Login and Logout

After password expiration, additional notices are displayed with each grace login. If all notices are ignored, the password-policy enforces a password change when grace logins have been exhausted, or when the grace period has elapsed.

This screenshot of the CLI shows the notice the OCSBC displays to alert users how many grace logins they have left.

Changing Password Process

To change your password in response to (1) an impending expiration notice displayed within the login banner or at system logout, (2) a grace login notice, or (3) an expiration notice:

  1. If responding to an impending expiration notice, or a grace login notice, type y at the Do you want to change the password ... prompt.
  2. Provide a new, valid password in response to the Enter New Password: prompt.
  3. Re-enter the password in response to the Confirm New Password: prompt.
  4. If performing a login, enter y to acknowledge reading the login banner to complete login with the new password.

    A user class account can change its password only in response to one of the three notifications described above.

    Similarly, an admin class account can change the password in response to the same notifications. Additionally, these accounts can change passwords using the ACLI as described in the following sections.

Changing the user Password

Change the password of the default factory user account from an admin class account.

  1. Enter secret login at the prompt and provide the current password when challenged.
    ORACLE# secret login
    Enter current password :
  2. Type the new password.
    ORACLE# secret login
    Enter current password :
    Enter new password :
  3. Confirm the password.
    ORACLE# secret login
    Enter current password :
    Enter new password :
    Enter password again :
    ORACLE# 

Changing the admin Password

Change the password of the default factory admin account from an admin class account.

  1. Enter secret enable at the prompt and provide the current password when challenged.
    ORACLE# secret enable
    Enter current password :
  2. Type the new password.
    ORACLE# secret enable
    Enter current password :
    Enter new password :
  3. Confirm the password.
    ORACLE# secret enable
    Enter current password :
    Enter new password :
    Enter password again :
    ORACLE# 

Changing a Local Account Password

To change the password of a local account, you must be in admin mode.
  1. Log in to an admin-class local account or the factory admin account.
  2. Use the local-accounts command to change the password.
    The syntax:
    local-accounts change-password <username>
    Enter the user's existing password first and then the new password. For example:
    ORACLE# local-accounts change-password bob
    Enter Existing Password: 
    Enter New Password: 
    
    Password is acceptable.
    
    Enter Password Again: 
    Request to 'SAVE-CONFIG' has Finished, 
    Save complete
    Currently active and saved configurations do not match!
    To sync & activate, run 'activate-config' or 'reboot activate'.
    
    Please wait...
    
    Request to 'ACTIVATE-CONFIG' has Finished, 
    Activate Complete
    
    -- Password updated. ----------------------------
    ORACLE#
    After the password is accepted, the system automatically runs activate-config to update the password.
  3. If you do not know the current password for that user, use the local-accounts reset command to create a temporary, one-time password for that user.
    ORACLE# local-accounts reset bob  
    This command will reset the current password for account {bob}
    Then prompt for a new single-use temporary password
    Are you sure you want to proceed [y/n]?: y
    Enter Temporary Password: 
    
    Password is acceptable.
    
    Enter Password Again: 
    Request to 'SAVE-CONFIG' has Finished, 
    Save complete
    Currently active and saved configurations do not match!
    To sync & activate, run 'activate-config' or 'reboot activate'.
    
    Please wait...
    
    Request to 'ACTIVATE-CONFIG' has Finished, 
    Activate Complete
    
    -- Password updated. ----------------------------
    ORACLE#

    A user whose password has been reset must create a new password after logging in.

    $ ssh bob@10.0.0.1
    Password: 
    
    Your password has expired
    You must change your password to continue 
    Enter New Password: 
    
    Password is acceptable.
    
    Enter Password Again: 
    Request to 'SAVE-CONFIG' has Finished, 
    Save complete
    Currently active and saved configurations do not match!
    To sync & activate, run 'activate-config' or 'reboot activate'.
    
    Please wait...
    
    Request to 'ACTIVATE-CONFIG' has Finished, 
    Activate Complete
    
    -- Password updated. ----------------------------
    ORACLE>

    For more information about managing local accounts, see "Manage Local Accounts" in the Configuration Guide.

RADIUS and TACACS+ Passwords

With RADIUS or TACACS+ enabled, passwords are stored and controlled on the remote server or servers. Consequently, none of the length/strength, re-use, history, or expiration requirements mandated by the password policy are applicable to these passwords.