Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup and NetBackup Appliances Hardening Guide
  3. Steps to protect Access Appliance
  4. Managing the password policy using the UI
  5. Managing the password policy from the command-line interface
NetBackup and NetBackup Appliances Hardening Guide

Managing the password policy from the command-line interface

You can customize the password policies by setting rules for the passwords that are used by the Access Appliance local users. You can set rules for password complexity, password age, and password lockout. Password complexity specifies the number and type of characters a password must include. Password age defines the duration for which the password is valid. Password lockout specifies the number of failed attempts because of incorrect usage of passwords after which a user is prevented from logging in to the account.

Commands to view and set the password policy

To view the password policy, use the following command:

system password-policy get

To set the password policy, use the following command:

system password-policy set minlen ucredit maxclassrepeat dcredit ocredit minclass lcredit maxrepeatdifok pass_min_days pass_max_days pass_warn_age remember deny unlock_time fail_interval

where

Table:

Parameter

Description

minlen

Minimum characters. Range is 6 - 100.

ucredit

Minimum upper case characters. Range is 1 - 100 .

maxclassrepeat

Maximum repetitive characters of same class. Range is 1 - 100.

dcredit

Minimum numbers. Range is 1 - 100.

ocredit

Minimum special characters. Range is 1 - 100.

minclass

Minimum character classes. Range is 1 - 4.

lcredit

Minimum lower case characters. Range is 1 - 100.

maxrepeat

Maximum repetitive characters. Range is 1 - 100.

difok

Character difference with old password. Range is 1 - 100.

pass_min_days

Days after which password can be changed. Range is 1 - 100.

pass_max_days

Days after which password must be changed. Range is 1 - 100.

pass_warn_age

Days before warning message Range is 1 - 100.

remember

Minimum different password before allowing reuse. Range is 1 - 100.

deny

Number of incorrect login attempts before lockout. Range is 1 - 100.

From version 8.2, when you enable STIG or set the password policy, the SSH session is terminated each time you enter an incorrect password. You must open a new SSH session to log on. Previously, the SSH session was terminated only after the total number of failed attempts was reached.

unlock_time

Time before locked account is reenabled(seconds). Range is 1 - 604800.

fail_interval

Time before login failures before account locked out (seconds). Range is 1 - 3600.

To display the current password policy:

  1. Log on to the Access command-line interface by opening an SSH session to the management console IP as an administrator.
  2. In the Access command-line interface, run the following command:

    system password-policy get

    access-clus> system password-policy get
    Password policy setup on the system...
    Password complexity:
    ===================
    Minimum characters:                                             8
    Minimum upper case characters:                                  1
    Maximum repetitive characters of the same class:                -
    Minimum numbers:                                                1
    Minimum special characters:                                     1
    Minimum character classes:                                      -
    Minimum lower case characters:                                  1
    Maximum repetitive characters:                                  -
    Character difference with old password:                         -
    Password age:
    ============
    Days after which password can be changed:                       -
    Days after which password must be changed:                      -
    Days before warning message:                                    -
    Minimum different password before allowing reuse:               -
    Password lockout:
    ================
    Number of incorrect login attempts before lockout:              -
    Time before locked account is reenabled(seconds):               -
    Time before login failures before account locked out(seconds):  -
    

    Note:

    Initially, the default set rules are displayed.

To set the password policy:

  1. Log on to the Access command-line interface by opening an SSH session to the management console IP as an administrator.
  2. In the Access command-line interface, run the following command:

    system password-policy set

    For example:

    access-clus> system password-policy set minlen=8 ucredit=1 maxclassrepeat=4 dcredit=1 ocredit=1 minclass=4 lcredit=1 maxrepeat=2 difok=8 pass_min_days=1 pass_max_days=60 pass_warn_age=7 remember=7 deny=3 unlock_time=300 fail_interval=900
    Access Appliance password-policy SUCCESS V-493-10-0 Password policy updated successfully.
    
    

    The newly set policy can be displayed using the system password-policy get command:

    access-clus> system password-policy get
    Password policy setup on the system...
    Password complexity:
    ===================
    Minimum characters:                                             8
    Minimum upper case characters:                                  1
    Maximum repetitive characters of the same class:                4
    Minimum numbers:                                                1
    Minimum special characters:                                     1
    Minimum character classes:                                      4
    Minimum lower case characters:                                  1
    Maximum repetitive characters:                                  2
    Character difference with old password:                         8
    Password age:
    ============
    Days after which password can be changed:                       1
    Days after which password must be changed:                      60
    Days before warning message:                                    7
    Minimum different password before allowing reuse:               7
    Password lockout:
    ================
    Number of incorrect login attempts before lockout:              3
    Time before locked account is reenabled(seconds):               300
    Time before login failures before account locked out(seconds):  900
    

    Note:

    If STIG is enabled on the system, you cannot change the custom password-policy rules.

    accessclus> system password-rules set maxrepeat=3 maxclassrepeat=vxdefault dcredit=vxdefault minlen=15 ucredit=vxdefault ocredit=vxdefault lcredit=vxdefault difok=vxdefault minclass=5 pass_min_days=vxdefault pass_max_days=vxdefault pass_warn_age=vxdefault deny=3 unlock_time=vxdefault fail_interval=vxdefault remember=vxdefault
    ACCESS PasswordRules ERROR V-493-10-0 The password rules cannot be set as the cluster is STIG enabled.
    
    

    Note:

    Setting the parameter to vxdefault is equivalent to setting the value to no or None.

Feedback

Was this page helpful?
Previous

Managing the password policy using the UI

Next

Support for immutability in Access Appliance

Feedback

Was this page helpful?