This post was last edited by 1540488497lcj on 2021-3-17 17:43
Please refer to the official Cisco documentation: https://www.cisco.com/c/en/us/td ... .html#pgfId-1711061
Configuring the Password Policy
After you configure the password policy, when you change a password (either your own or another user’s), the password policy applies to the new password. Any existing passwords are grandfathered in. The new policy applies to changing the password with the username command as well as the change-password command.
Prerequisites
- Configure CLI/ASDM authentication according to the “Configuring Authentication for CLI and ASDM Access” section. Be sure to specify the local database.
- Configure enable authentication according to the “Configuring Authentication to Access Privileged EXEC Mode (the enable Command)” section. Be sure to specify the local database.
Step | Command | Purpose |
Step 1 | password-policy lifetime days Example: ciscoasa(config)# password-policy lifetime 180 | (Optional) Sets the interval in days after which passwords expire for remote users (SSH, Telnet, HTTP); users at the console port are never locked out due to password expiration. Valid values are between 0 and 65536 days. The default value is 0 days, a value indicating that passwords will never expire. 7 days before the password expires, a warning message appears. After the password expires, system access is denied to remote users. To gain access after expiration, do one of the following: |
Step 2 | password-policy minimum-changes value Example: ciscoasa(config)# password-policy minimum-changes 2 | (Optional) Sets the minimum number of characters that you must change between new and old passwords. Valid values are between 0 and 64 characters. The default value is 0. Character matching is position independent, meaning that new password characters are considered changed only if they do not appear anywhere in the current password. |
Step 3 | password-policy minimum-length value Example: ciscoasa(config)# password-policy minimum-length 8 | (Optional) Sets the minimum length of passwords. Valid values are between 3 and 64 characters. We recommend a minimum password length of 8 characters. |
Step 4 | password-policy minimum-uppercase value Example: ciscoasa(config)# password-policy minimum-uppercase 3 | (Optional) Sets the minimum number of upper case characters that passwords must have. Valid values are between 0 and 64 characters. The default value is 0, which means there is no minimum. |
Step 5 | password-policy minimum-lowercase value Example: ciscoasa(config)# password-policy minimum-lowercase 6 | (Optional) Sets the minimum number of lower case characters that passwords must have. Valid values are between 0 and 64 characters. The default value is 0, which means there is no minimum. |
Step 6 | password-policy minimum-numeric value Example: ciscoasa(config)# password-policy minimum-numeric 1 | (Optional) Sets the minimum number of numeric characters that passwords must have. Valid values are between 0 and 64 characters. The default value is 0, which means there is no minimum. |
Step 7 | password-policy minimum-special value Example: ciscoasa(config)# password-policy minimum-special 2 | (Optional) Sets the minimum number of special characters that passwords must have. Valid values are between 0 and 64 characters. Special characters include the following: !, @, #, $, %, ^, &, *, ( and ). The default value is 0, which means there is no minimum. |
Step 8 | password-policy authenticate enable Example: ciscoasa(config)# password-policy authenticate enable | (Optional) Sets whether users must change their password using the change-password command, instead of letting users change their password with the username command. The default setting is disabled: a user can use either method to change their password. If you enable this feature, if you try to change your password with the username command, the following error message appears: "ERROR: Changing your own password is prohibited". You also cannot delete your own account with the clear configure username command. If you try, the following error message appears: "ERROR: You cannot delete all usernames because you are not allowed to delete yourself". |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
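An added example (not part of the original reply or of the Cisco documentation): a Python check that evaluates a candidate password against the settings in the table above before it is set on the device, including the position-independent rule of minimum-changes. The names PasswordPolicy, changed_chars and violations are hypothetical; counting every occurrence of a new character and treating the character classes as ASCII are assumptions, and the sample passwords are constructed.

```python
import string
from dataclasses import dataclass

SPECIALS = set("!@#$%^&*()")  # the special characters listed in Step 7


@dataclass
class PasswordPolicy:
    minimum_length: int         # Step 3 (valid range 3-64)
    minimum_changes: int = 0    # Step 2
    minimum_uppercase: int = 0  # Step 4
    minimum_lowercase: int = 0  # Step 5
    minimum_numeric: int = 0    # Step 6
    minimum_special: int = 0    # Step 7


def changed_chars(new: str, old: str) -> int:
    """Position-independent comparison: a character of `new` counts as
    changed only if it appears nowhere in `old` (assumption: every
    occurrence in `new` is counted)."""
    old_chars = set(old)
    return sum(1 for c in new if c not in old_chars)


def count_in(password: str, alphabet) -> int:
    return sum(1 for c in password if c in alphabet)


def violations(policy: PasswordPolicy, new: str, old=None):
    """Return (setting, actual, required) for every rule `new` fails.
    minimum-changes is only evaluated when the current password is known."""
    checks = [("minimum-length", len(new), policy.minimum_length)]
    if old is not None:
        checks.append(("minimum-changes", changed_chars(new, old),
                       policy.minimum_changes))
    checks += [
        ("minimum-uppercase", count_in(new, string.ascii_uppercase), policy.minimum_uppercase),
        ("minimum-lowercase", count_in(new, string.ascii_lowercase), policy.minimum_lowercase),
        ("minimum-numeric", count_in(new, string.digits), policy.minimum_numeric),
        ("minimum-special", count_in(new, SPECIALS), policy.minimum_special),
    ]
    return [c for c in checks if c[1] < c[2]]


# Policy built from the example values shown in Steps 2-7 of the table.
EXAMPLE_POLICY = PasswordPolicy(8, 2, 3, 6, 1, 2)

if __name__ == "__main__":
    # Constructed passwords: a pure rearrangement changes zero characters.
    for rule in violations(EXAMPLE_POLICY, "12345Cisco", old="Cisco12345"):
        print("%s: have %d, need %d" % rule)
```

With the table's example values the effective minimum length is 12, because the per-class minimums (3 + 6 + 1 + 2) exceed minimum-length 8.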
