Administration Guide

Password policy

Brute force password software can launch more than just dictionary attacks: it also tries the common substitutions in which a letter is replaced by a number or symbol. For example, p4ssw0rd is cracked almost as quickly as password, because the tool simply maps 4 back to a and 0 back to o before comparing against its wordlist.

Using secure passwords is vital for preventing unauthorized access to your FortiGate. When changing the password, consider the following to ensure better security:

  • Do not use passwords that are obvious, such as the company name, administrator names, or other obvious words or phrases.
  • Do not rely on replacing letters with numbers or symbols (for example, passw0rd); cracking tools apply these substitutions automatically, so the result is no stronger than the underlying word.
  • Use the available length: the password policy's minimum-length option accepts values up to 128 characters, so a long password or passphrase is not constrained by the device.
  • Include a mixture of numbers, symbols, and upper and lower case letters.
  • Use multiple words together, or even a sentence (a passphrase), for example: correcthorsebatterystaple.
  • Use a password generator or password manager rather than inventing passwords by hand.
  • Change the password regularly and always make the new password unique, not a variation of the existing password. For example, do not change from password to password1.
  • Record the password and store it in a safe place away from the management computer (for example, in a password manager or a sealed envelope) in case you forget it. To avoid losing access when one person becomes unavailable, give each administrator a separate admin login rather than sharing one password between two people; shared passwords cannot be attributed to an individual in the logs and are harder to rotate.
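
The point about letter-for-number substitution is easy to demonstrate. The following is an added example, not Fortinet code and not taken from any cracking tool: it reverses a small set of substitution rules, so a "leet" candidate collapses onto every plain-letter word it could have been derived from, which is then looked up in a wordlist. The rule table and the wordlist are constructed for the example; real tools ship far larger rule sets and dictionaries.

```python
from itertools import product
from typing import Optional, Set

# Substitution rules applied in reverse: each key is a character commonly used
# as a stand-in for a letter, the value lists every letter it may stand for.
# An ambiguous stand-in such as "1" expands to both "l" and "i".
# Constructed for this example; real cracking tools use far larger rule sets.
DELEET = {
    "4": "a", "@": "a", "3": "e", "0": "o", "$": "s", "5": "s",
    "7": "t", "+": "t", "1": "li", "!": "i", "|": "l",
}

# A constructed stand-in for a cracking dictionary.
WORDLIST = {"password", "fortinet", "admin", "letmein", "welcome"}


def deleet_candidates(candidate: str) -> Set[str]:
    """Every plain-letter string the candidate could have been mangled from."""
    # Letters pass through unchanged; stand-ins expand to their possible letters.
    per_position = [DELEET.get(ch, ch) for ch in candidate.lower()]
    return {"".join(chars) for chars in product(*per_position)}


def is_leet_of_dictionary_word(candidate: str,
                               wordlist: Set[str] = WORDLIST) -> Optional[str]:
    """Return the dictionary word the candidate is a substitution variant of, or None."""
    for word in sorted(deleet_candidates(candidate)):
        if word in wordlist:
            return word
    return None


if __name__ == "__main__":
    for pw in ("p4ssw0rd", "P@$$w0rd", "1e7m31n", "correcthorsebatterystaple"):
        hit = is_leet_of_dictionary_word(pw)
        print(f"{pw:28} -> {hit or 'not a simple substitution of a listed word'}")
```

Each ambiguous character doubles the number of candidates, so a long input full of 1s expands quickly; that cost is on the attacker's side and is trivial for a handful of positions, which is exactly why substitution adds so little. A passphrase such as correcthorsebatterystaple is not rescued by this check either; its strength comes from length and word count, not from escaping the wordlist.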

FortiGate allows you to create a password policy for administrator passwords and IPsec pre-shared keys. The policy can enforce regular changes and specific criteria, including:

  • The minimum length (minimum-length in the CLI, 8 to 128 characters).
  • Whether the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters, and how many of each.
  • Whether the password must contain numbers (1, 2, 3), and how many.
  • Whether the password must contain special or non-alphanumeric characters, and how many: !, @, #, $, %, ^, &, *, (, and ).
  • Where the policy applies: administrator passwords, IPsec pre-shared keys, or both (apply-to in the CLI accepts one or both values).
  • How long a password remains valid before a new one must be set (expire-status and expire-day).
  • The minimum number of characters in a new password that must not appear in the old one (min-change-characters).
  • Whether a previous password may be reused (reuse-password).

If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into the FortiGate, the administrator is prompted to update the password to meet the new requirements before proceeding to log in.

For information about setting passwords, see Default administrator password.

To create a system password policy in the GUI:
  1. Go to System > Settings.
  2. In the Password Policy section, set the Password scope to Admin, IPsec, or Both.
  3. Configure the password policy options.
  4. Click Apply.

To create a system password policy in the CLI:
config system password-policy
    set status {enable | disable}
    set apply-to {admin-password | ipsec-preshared-key}
    set minimum-length <8-128>
    set min-lower-case-letter <0-128>
    set min-upper-case-letter <0-128>
    set min-non-alphanumeric <0-128>
    set min-number <0-128>
    set min-change-characters <0-128>
    set expire-status {enable | disable}
    set expire-day <1-999>
    set reuse-password {enable | disable}
end
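
To make the meaning of each option concrete, here is an added Python model of the checks the policy enforces. It is not Fortinet code and is not what the FortiGate runs; it parses a password-policy block written in the CLI syntax above and reports which options a candidate password fails. The sample policy is constructed for the example, and two points the page does not specify are marked as assumptions in the code: how changed characters are counted for min-change-characters, and the exact day on which expire-day takes effect.

```python
import re
from typing import Dict, List, Sequence

# Constructed policy in the CLI syntax shown above, as it would be typed on a
# FortiGate. apply-to lists both targets, which the GUI calls scope "Both".
SAMPLE_POLICY = """
config system password-policy
    set status enable
    set apply-to admin-password ipsec-preshared-key
    set minimum-length 12
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-non-alphanumeric 1
    set min-number 1
    set min-change-characters 4
    set expire-status enable
    set expire-day 90
    set reuse-password disable
end
"""


def parse_policy(cli_text: str) -> Dict[str, str]:
    """Collect the 'set <option> <value...>' lines of the block into a dict."""
    policy: Dict[str, str] = {}
    for line in cli_text.splitlines():
        match = re.match(r"\s*set\s+(\S+)\s+(.+?)\s*$", line)
        if match:
            policy[match.group(1)] = match.group(2)
    return policy


def violations(policy: Dict[str, str], new_password: str,
               old_password: str = "", history: Sequence[str] = ()) -> List[str]:
    """Names of the policy options the new password fails; empty means accepted.

    history holds earlier passwords and is consulted only for reuse-password.
    """
    if policy.get("status", "disable") != "enable":
        return []  # a disabled policy enforces nothing
    pw = new_password
    counts = {
        "min-lower-case-letter": sum(c.islower() for c in pw),
        "min-upper-case-letter": sum(c.isupper() for c in pw),
        "min-number": sum(c.isdigit() for c in pw),
        "min-non-alphanumeric": sum(not c.isalnum() for c in pw),
        # ASSUMPTION: the page does not say how FortiOS counts changed
        # characters; modelled here as the distinct characters of the new
        # password that occur nowhere in the old one.
        "min-change-characters": len(set(pw) - set(old_password)),
    }
    failed: List[str] = []
    if len(pw) < int(policy.get("minimum-length", "8")):
        failed.append("minimum-length")
    for option, have in counts.items():
        if have < int(policy.get(option, "0")):
            failed.append(option)
    if (policy.get("reuse-password", "enable") == "disable"
            and pw in (old_password, *history)):
        failed.append("reuse-password")
    return failed


def password_expired(policy: Dict[str, str], age_days: int) -> bool:
    """ASSUMPTION: expiry modelled as the password's age in days reaching expire-day."""
    if policy.get("expire-status", "disable") != "enable":
        return False
    return age_days >= int(policy.get("expire-day", "0"))


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for candidate in ("p4ssw0rd", "correcthorsebatterystaple", "Correct-Horse7Battery!"):
        print(f"{candidate:28} -> {violations(policy, candidate) or 'accepted'}")
```

Running it shows the trade-off the guidance above leaves implicit: p4ssw0rd fails on length, uppercase and special characters, while correcthorsebatterystaple passes the length check but fails the three character-class checks, so under this policy a passphrase still needs a capital, a digit and a symbol added.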
