Administration Guide

Customizing complexity options for the local user password policy

The local firewall user password policy can be customized with complexity settings such as minimum length, required character types, and password reuse. These settings mirror the ones available for the system administrator password policy and offer more security and flexibility than the previous local user password policy.

config user password-policy
    edit <name>
        set minimum-length <integer>
        set min-lower-case-letter <integer>
        set min-upper-case-letter <integer>
        set min-non-alphanumeric <integer>
        set min-number <integer>
        set min-change-characters <integer>
        set expire-status {enable | disable}
        set reuse-password {enable | disable}
    next
end

minimum-length <integer>

Set the minimum password length (8 - 128, default = 8).

min-lower-case-letter <integer>

Set the minimum number of lowercase characters in the password (0 - 128, default = 0).

min-upper-case-letter <integer>

Set the minimum number of uppercase characters in the password (0 - 128, default = 0).

min-non-alphanumeric <integer>

Set the minimum number of non-alphanumeric characters in the password (0 - 128, default = 0).

min-number <integer>

Set the minimum number of numeric characters in the password (0 - 128, default = 0).

min-change-characters <integer>

Set the minimum number of unique characters in the new password that do not exist in the old password (0 - 128, default = 0). This attribute overrides reuse-password if both are enabled.

expire-status {enable | disable}

Enable/disable password expiration (default = disable).

reuse-password {enable | disable}

Enable/disable password reuse (default = enable). If both reuse-password and min-change-characters are enabled, min-change-characters overrides it.

After upgrading from 7.4.0 to 7.4.1, the user password policy must be activated from the CLI. The previous password policy settings are preserved, but they are not enforced until password expiration is enabled on the policy (expire-status). While expire-status is disabled, the expire-days <integer> option does not force users to change their password after the specified number of days.
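The following script is an added example, not FortiOS code or anything from this guide. It parses the user password-policy table out of a saved text configuration and flags policies that are in the post-upgrade state described above: expire-days set, but expire-status still disabled, so expiry is silently not enforced. The sample configuration, policy names and values are constructed; the defaults it fills in for unset options are the ones the `get` output in the example below reports for a pre-upgrade policy.

```python
"""Audit 'config user password-policy' entries in a FortiOS text configuration.

Added example (not FortiOS code): parses the policy table from a config backup
and flags policies whose expire-days cannot take effect because expire-status
is still disabled, the state a 7.4.0 policy is left in after upgrading to 7.4.1.
"""
import re

# Constructed sample of a config backup. The config/edit/set/next/end layout is
# the standard FortiOS one; the hostname, policy names and values are made up.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config user password-policy
    edit "1"
        set expire-days 1
        set warn-days 1
        set expired-password-renewal enable
    next
    edit "strict"
        set expire-days 90
        set warn-days 7
        set minimum-length 12
        set min-number 3
        set expire-status enable
        set reuse-password disable
    next
end
"""

# Values 'get' shows for a pre-upgrade policy that never set these options.
UPGRADE_DEFAULTS = {
    "minimum-length": "8",
    "min-lower-case-letter": "0",
    "min-upper-case-letter": "0",
    "min-non-alphanumeric": "0",
    "min-number": "0",
    "min-change-characters": "0",
    "expire-status": "disable",
    "reuse-password": "enable",
}

EDIT_RE = re.compile(r'^edit\s+"?([^"]+?)"?$')
SET_RE = re.compile(r'^set\s+(\S+)\s+(.+)$')


def parse_password_policies(config_text):
    """Return {policy_name: {option: value}} for the user password-policy table only."""
    policies, current, in_table = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config user password-policy":
            in_table = True
            continue
        if not in_table:
            continue
        if line == "end":  # closes the table we care about
            break
        if (m := EDIT_RE.match(line)):
            current = dict(UPGRADE_DEFAULTS)
            policies[m.group(1)] = current
        elif line == "next":
            current = None
        elif (m := SET_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).strip().strip('"')
    return policies


def audit_expiry(policies):
    """Return [(name, reason)] for policies whose expiry settings are not enforced."""
    findings = []
    for name, opts in policies.items():
        days = int(opts.get("expire-days", "0"))
        if days > 0 and opts["expire-status"] != "enable":
            findings.append((name, f"expire-days {days} is set but expire-status is disable"))
    return findings


def remediation_cli(name):
    """CLI that activates expiry on one policy, the fix the guide calls for."""
    return (
        "config user password-policy\n"
        f'    edit "{name}"\n'
        "        set expire-status enable\n"
        "    next\n"
        "end\n"
    )


if __name__ == "__main__":
    for name, reason in audit_expiry(parse_password_policies(SAMPLE_CONFIG)):
        print(f"[{name}] {reason}\n{remediation_cli(name)}")
```

Run it against a `show user password-policy` capture or a full backup; only the policy table is parsed, so unrelated sections such as `config system global` are skipped. Policy "1" in the constructed sample is reported and "strict" is not, because the latter already has `set expire-status enable`.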

Example

The following user password policy is configured before upgrading to 7.4.1:

config user password-policy
    edit "1"
        set expire-days 1
        set warn-days 1
        set expired-password-renewal enable
    next
end
To configure the user password policy options:
  1. Check the user password policy settings after the upgrade:

    config user password-policy 
        edit 1
            get 
                name                : 1
                expire-days         : 1
                warn-days           : 1
                expired-password-renewal: enable
                minimum-length      : 8
                min-lower-case-letter: 0
                min-upper-case-letter: 0
                min-non-alphanumeric: 0
                min-number          : 0
                min-change-characters: 0
                expire-status       : disable
                reuse-password      : enable
        next
    end
  2. Edit the user password policy settings, including enabling password expiration:

    config user password-policy
        edit "1"
            set expire-days 1
            set warn-days 1
            set expired-password-renewal enable
            set min-lower-case-letter 1
            set min-upper-case-letter 1
            set min-non-alphanumeric 3
            set min-number 3
            set min-change-characters 2
            set expire-status enable
            set reuse-password disable
        next
    end
  3. Change a password for a local user.

    1. In the CLI when the password meets the criteria:

      config user local
          edit pwd-test1
              set passwd CCbcset123!!!
          next
      end
    2. In the CLI when the password does not meet the criteria (only two numbers, so an error message appears):

      config user local
          edit pwd-test1
              set passwd CCbXsetp23!!!
      New password must conform to the password policy enforced on this user:
      Password must:
              Be a minimum length of 8
              Include at least 1 lower case letter(s) (a-z)
              Include at least 1 upper case letter(s) (A-Z)
              Include at least 3 non-alphanumeric character(s)
              Include at least 3 number(s) (0-9)
              Have at least 2 unique character(s) which don't exist in the old password
              Not be same as last two passwords   
      
      node_check_object fail! for passwd CCbXsetp23!!!
      
      value parse error before 'CCbXsetp23!!!'
      Command fail. Return code -49
    3. In the GUI:

      1. Go to User & Authentication > User Definition and edit a local user.

      2. Click Change Password.

      3. Enter the New Password.

      4. Enter the password again (Confirm Password). A warning appears when the password does not meet the criteria and indicates which parameters must be fixed. In this example, fewer than three numbers were used.

      5. Click OK.

Sample prompt when a local user needs to update their password for firewall authentication:

Sample prompt when a local user needs to update their password for SSL VPN portal access:
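The script below is an added example, not FortiOS code or anything from this guide. It implements the same complexity rules the policy enforces so a candidate password can be checked, or a compliant one generated, before it is pushed with `set passwd` in step 3. POLICY holds the values configured in step 2; the current password and history are constructed. Counting every character that is not an ASCII letter or digit as non-alphanumeric, and keeping quotes and backslashes out of generated passwords so the CLI value needs no escaping, are assumptions about the device rather than documented behaviour.

```python
"""Pre-flight check of a new local-user password against a FortiOS user
password-policy, mirroring the complexity options documented above.

Added example, not FortiOS code. Rule wording copies the device's error text
so the output can be compared with what 'set passwd' reports.
"""
import secrets
import string

# The policy as configured in step 2 of the procedure.
POLICY = {
    "minimum-length": 8,
    "min-lower-case-letter": 1,
    "min-upper-case-letter": 1,
    "min-non-alphanumeric": 3,
    "min-number": 3,
    "min-change-characters": 2,
    "reuse-password": "disable",
}

# Constructed: the password being replaced and the two most recent ones.
OLD_PASSWORD = "Summer2023!!!"
PASSWORD_HISTORY = ["Summer2023!!!", "Spring2023!!!"]

# Assumption: anything that is not an ASCII letter or digit counts as non-alphanumeric.
ALNUM = string.ascii_letters + string.digits
# Quotes and backslash left out so a generated value can be pasted unquoted (assumption).
SAFE_PUNCT = "".join(c for c in string.punctuation if c not in "\"'\\")


def check_password(new, old, history, policy):
    """Return the list of violated rules; an empty list means the password passes."""
    counts = {
        "lower": sum(c in string.ascii_lowercase for c in new),
        "upper": sum(c in string.ascii_uppercase for c in new),
        "digit": sum(c in string.digits for c in new),
        "symbol": sum(c not in ALNUM for c in new),
    }
    rules = [
        (len(new) >= policy["minimum-length"],
         f"Be a minimum length of {policy['minimum-length']}"),
        (counts["lower"] >= policy["min-lower-case-letter"],
         f"Include at least {policy['min-lower-case-letter']} lower case letter(s) (a-z)"),
        (counts["upper"] >= policy["min-upper-case-letter"],
         f"Include at least {policy['min-upper-case-letter']} upper case letter(s) (A-Z)"),
        (counts["symbol"] >= policy["min-non-alphanumeric"],
         f"Include at least {policy['min-non-alphanumeric']} non-alphanumeric character(s)"),
        (counts["digit"] >= policy["min-number"],
         f"Include at least {policy['min-number']} number(s) (0-9)"),
    ]
    # min-change-characters: distinct characters of the new password that occur
    # nowhere in the old one.
    changed = len(set(new) - set(old))
    rules.append((changed >= policy["min-change-characters"],
                  f"Have at least {policy['min-change-characters']} unique character(s) "
                  "which don't exist in the old password"))
    if policy["reuse-password"] == "disable":
        rules.append((new not in history[:2], "Not be same as last two passwords"))
    return [msg for ok, msg in rules if not ok]


def generate_compliant(policy, old, history, length=12, attempts=100):
    """Generate a random password that passes check_password for this policy."""
    rng = secrets.SystemRandom()
    classes = [
        (string.ascii_lowercase, policy["min-lower-case-letter"]),
        (string.ascii_uppercase, policy["min-upper-case-letter"]),
        (SAFE_PUNCT, policy["min-non-alphanumeric"]),
        (string.digits, policy["min-number"]),
    ]
    pool = "".join(alphabet for alphabet, _ in classes)
    target = max(length, policy["minimum-length"])
    for _ in range(attempts):
        # Satisfy each minimum first, then pad from the whole pool and shuffle.
        chars = [rng.choice(alphabet) for alphabet, n in classes for _ in range(n)]
        chars += [rng.choice(pool) for _ in range(target - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_password(candidate, old, history, policy):
            return candidate
    raise RuntimeError("could not satisfy the policy; check that the minimums fit the length")


if __name__ == "__main__":
    for pw in ("CCbcset123!!!", "CCbXsetp23!!!"):
        problems = check_password(pw, OLD_PASSWORD, PASSWORD_HISTORY, POLICY)
        print(pw, "OK" if not problems else "REJECTED: " + "; ".join(problems))
    print("generated:", generate_compliant(POLICY, OLD_PASSWORD, PASSWORD_HISTORY))
```

With the page's two sample passwords, `CCbcset123!!!` passes and `CCbXsetp23!!!` is rejected on the number-count rule only, matching the device output in step 3. The generator retries until a candidate also clears the min-change-characters and reuse rules against the supplied history, so it is safe to use when rotating a local account whose old password shares many characters with the new one.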
