set password-complexity [<complexity-name> <complexity-value>]

Configure password complexity requirements.

Minimum password length: minimum number of characters expected in password; user can not set their password of length lesser than this parameter. Default: 12, Minimum: 8, Maximum: 128

Maximum password length: maximum number of characters allowed in password; user can not set their password of length greater than this parameter. Default: 128, Minimum: 8, Maximum: 128

Lower characters: number of lower case characters (a..z) expected in user password.
N < 0, to set minimum credit for having lower case character in the new password, i.e. this is the minimum number of lower case character that must be met for a new password.

N > 0, to set maximum credit for having lower case character in the new password, i.e. per occurrence of lower case character in password will attribute additional credit of +1 towards meeting the current minimum password length value upto N lower case characters.

N = 0, to disable the policy check.
Default: -1, Minimum: -128, Maximum: 128

Upper characters: number of upper case characters (A..Z) expected in user password.
N < 0, to set minimum credit for having upper case character in the new password, i.e. this is the minimum number of lower case characters that must be met for a new password.

N > 0, to set maximum credit for having upper case characters in the new password, i.e. per occurrence of upper case character in password will attribute additional credit of +1 towards meeting the current minimum password length value upto N upper case characters.

N = 0, to disable the policy check.
Default: -1, Minimum: -128, Maximum: 128

Numeric characters: number of digits (0..9) expected in user password.
N < 0, to set minimum credit for having digits in the new password, i.e. this is the minimum number of digits that must be met for a new password.

N > 0, to set maximum credit for having digits in the new password, i.e. per occurrence of digit in password will attribute additional credit of +1 towards meeting the current minimum password length value upto N digits.

N = 0, to disable the policy check.
Default: -1, Minimum: -128, Maximum: 128

Special characters: number of special characters (!@#$&*..) expected in user password.
N < 0, to set minimum credit for having special characters in the new password, i.e. this is the minimum number of special characters that must be met for a new password.

N > 0, to set maximum credit for having special characters in the new password, i.e. per occurrence of special case character in password will attribute additional credit of +1 towards meeting the current minimum password length value upto N special case characters..

N = 0, to disable the policy check.
Default: -1, Minimum: -128, Maximum: 128

Minimum unique characters: number of character changes in the new password that differentiate it from the old password. To disable the check, value should be set to 0. Default: 0, Minimum: 0, Maximum: 128

Allowed similar consecutives: reject passwords which contain more than N same consecutive characters. To disable the check, value should be set to 0. Default: 0, Minimum: 0, Maximum: 128

Allowed monotonic sequence: reject passwords which contain more than N monotonic character sequences. Monotonic sequences can be '12345' or 'fedcb'. To disable the check, value should be set to 0. Default: 0, Minimum: 0, Maximum: 128

Hash algorithm: sets hash/cryptographic algorithm type for new passwords. Default: sha512. Enum: [ sha512, sha256 ]

Password remembrance: limit using a password that was used in past; users can not set the same password within the N generations. To disable the check, value should be set to 0. Default: 0, Minimum: 0

Understanding PAM's maximum credit values with an example, consider password complexity configured as follows:

Minimum password length: 12
Lower case characters: -1
Upper case characters: 2
Digits: -1
Special case characters: -1

above values represent a password to be atleast of length 12 (or credits) which should consist atleast 1 lower case character, atleast 1 digit, atleast 1 special case character and any number of upper case characters.
If included, for first 2 upper case characters additional credit of +2 will be secured.
Which signifies password having 1 upper case character with additional 10 or more characters of required complexity will be allowed to set where total password length would be 11 or more,
password having 2 upper case characters with additional 8 or more characters of required complexity will be allowed to set where total password length would be 10 or more,
whereas password with 3 upper case characters shall still require 7 or more characters with above minimum value requirements, as there's only maximum credit of 2 configured for upper case characters.

Few valid passwords with respect to configured example complexity requirements:

hivmware@123 - consists of required minimum 1 - lower case character, special case character, digit and overall length is 12
Hivmware@12 - consists of required minimum 1 - lower case character, special case character, digit; whereas length is 11 but inclusion of 1 upper case character attributes an extra +1 credit, hence password is valid
HiVmware@1 - consists of required minimum 1 - lower case character, special case character, digit; whereas length is 10 but inclusion of 2 upper case characters attributes an extra +2 credit, hence password is valid

whereas following passwords will be invalid:

hivmware@12 - required length of 12 is not fulfilled
hivmware1234 - required minimum 1 special case character is not fulfilled
HiVMwar@1 - there are 3 upper case characters out which only maximum 2 characters will be considered for extra credit, third occurrence of upper case character will be attributed as 1 credit only, hence the overall credit score 11 does not fulfills complexity

Note, passwords less than 8 characters are never allowed.

Example:

nsx> set password-complexity nsx>

Mode:

Basic

set password-complexity [<complexity-name> <complexity-value>]

Example:

Mode:

Availability: