Fortinet white logo
Fortinet white logo

Administration Guide

Customizing complexity options for the local user password policy

Customizing complexity options for the local user password policy

The local firewall user password policy can be customized with various settings, such as minimum length, character types, and password reuse. These settings are similar to the ones available for the system administrator password policy, which offer more security and flexibility than the previous local user password policy.

config user password-policy
    edit <name>
        set minimum-length <integer>
        set min-lower-case-letter <integer>
        set min-upper-case-letter <integer>
        set min-non-alphanumeric <integer>
        set min-number <integer>
        set min-change-characters <integer>
        set expire-status {enable | disable}
        set reuse-password {enable | disable}
    next
end

minimum-length <integer>

Set the minimum password length (8 - 128, default = 8).

min-lower-case-letter <integer>

Set the minimum number of lowercase characters in the password (0 - 128, default = 0).

min-upper-case-letter <integer>

Set the minimum number of uppercase characters in the password (0 - 128, default = 0).

min-non-alphanumeric <integer>

Set the minimum number of non-alphanumeric in the password (0 - 128, default = 0).

min-number <integer>

Set the minimum number of numeric characters in the password (0 - 128, default = 0).

min-change-characters <integer>

Set the minimum number of unique characters in new password, which do not exist in the old password (0 - 128, default = 0). This attribute overrides reuse-password if both are enabled.

set expire-status {enable | disable}

Enable/disable password expiration (default = disable).

set reuse-password {enable | disable}

Enable/disable password reuse (default = enable. If both reuse-password and min-change-characters are enabled, min-change-characters overrides it.

After upgrading to 7.4.1 from 7.4.0, users must activate the user password policy using the CLI. The previous password policy settings will remain valid, but they will not be effective unless the password policy password expiration is enabled (expire-status). If the password policy password expiration is not enabled, the expire-days <integer> option will not force users to change their password after number of specified days.

Example

The following user password policy is configured before upgrading to 7.4.1:

config user password-policy
    edit "1"
        set expire-days 1
        set warn-days 1
        set expired-password-renewal enable
    next
end
To configure the user password policy options:
  1. Check the user password policy settings after the upgrade:

    config user password-policy 
        edit 1
            get 
                name                : 1
                expire-days         : 1
                warn-days           : 1
                expired-password-renewal: enable
                minimum-length      : 8
                min-lower-case-letter: 0
                min-upper-case-letter: 0
                min-non-alphanumeric: 0
                min-number          : 0
                min-change-characters: 0
                expire-status       : disable
                reuse-password      : enable
        next
    end
  2. Edit the user password policy settings, including enabling password expiration:

    config user password-policy
        edit "1"
            set expire-days 1
            set warn-days 1
            set expired-password-renewal enable
            set min-lower-case-letter 1
            set min-upper-case-letter 1
            set min-non-alphanumeric 3
            set min-number 3
            set min-change-characters 2
            set expire-status enable
            set reuse-password disable
        next
    end
  3. Change a password for a local user.

    1. In the CLI when the password meets the criteria:

      config user local
          edit pwd-test1
              set passwd CCbcset123!!!
          next
      end
    2. In the CLI when the password does not meet the criteria (only two numbers, so an error message appears):

      config user local
          edit pwd-test1
              set passwd CCbXsetp23!!!
      New password must conform to the password policy enforced on this user:
      Password must:
              Be a minimum length of 8
              Include at least 1 lower case letter(s) (a-z)
              Include at least 1 upper case letter(s) (A-Z)
              Include at least 3 non-alphanumeric character(s)
              Include at least 3 number(s) (0-9)
              Have at least 2 unique character(s) which don't exist in the old password
              Not be same as last two passwords   
      
      node_check_object fail! for passwd CCbXsetp23!!!
      
      value parse error before 'CCbXsetp23!!!'
      Command fail. Return code -49
    3. In the GUI:

      1. Go to User & Authentication > User Definition and edit a local user.

      2. Click Change Password.

      3. Enter the New Password.

      4. Enter the password again (Confirm Password). A warning will appear when the password does not match the criteria and indicates which parameters must be fixed. In this example, there are less than three numbers used.

      5. Click OK.

Sample prompt when a local user needs to update their password for firewall authentication:

Sample prompt when a local user needs to update their password for SSL VPN portal access:

Customizing complexity options for the local user password policy

Customizing complexity options for the local user password policy

The local firewall user password policy can be customized with various settings, such as minimum length, character types, and password reuse. These settings are similar to the ones available for the system administrator password policy, which offer more security and flexibility than the previous local user password policy.

config user password-policy
    edit <name>
        set minimum-length <integer>
        set min-lower-case-letter <integer>
        set min-upper-case-letter <integer>
        set min-non-alphanumeric <integer>
        set min-number <integer>
        set min-change-characters <integer>
        set expire-status {enable | disable}
        set reuse-password {enable | disable}
    next
end

minimum-length <integer>

Set the minimum password length (8 - 128, default = 8).

min-lower-case-letter <integer>

Set the minimum number of lowercase characters in the password (0 - 128, default = 0).

min-upper-case-letter <integer>

Set the minimum number of uppercase characters in the password (0 - 128, default = 0).

min-non-alphanumeric <integer>

Set the minimum number of non-alphanumeric in the password (0 - 128, default = 0).

min-number <integer>

Set the minimum number of numeric characters in the password (0 - 128, default = 0).

min-change-characters <integer>

Set the minimum number of unique characters in new password, which do not exist in the old password (0 - 128, default = 0). This attribute overrides reuse-password if both are enabled.

set expire-status {enable | disable}

Enable/disable password expiration (default = disable).

set reuse-password {enable | disable}

Enable/disable password reuse (default = enable. If both reuse-password and min-change-characters are enabled, min-change-characters overrides it.

After upgrading to 7.4.1 from 7.4.0, users must activate the user password policy using the CLI. The previous password policy settings will remain valid, but they will not be effective unless the password policy password expiration is enabled (expire-status). If the password policy password expiration is not enabled, the expire-days <integer> option will not force users to change their password after number of specified days.

Example

The following user password policy is configured before upgrading to 7.4.1:

config user password-policy
    edit "1"
        set expire-days 1
        set warn-days 1
        set expired-password-renewal enable
    next
end
To configure the user password policy options:
  1. Check the user password policy settings after the upgrade:

    config user password-policy 
        edit 1
            get 
                name                : 1
                expire-days         : 1
                warn-days           : 1
                expired-password-renewal: enable
                minimum-length      : 8
                min-lower-case-letter: 0
                min-upper-case-letter: 0
                min-non-alphanumeric: 0
                min-number          : 0
                min-change-characters: 0
                expire-status       : disable
                reuse-password      : enable
        next
    end
  2. Edit the user password policy settings, including enabling password expiration:

    config user password-policy
        edit "1"
            set expire-days 1
            set warn-days 1
            set expired-password-renewal enable
            set min-lower-case-letter 1
            set min-upper-case-letter 1
            set min-non-alphanumeric 3
            set min-number 3
            set min-change-characters 2
            set expire-status enable
            set reuse-password disable
        next
    end
  3. Change a password for a local user.

    1. In the CLI when the password meets the criteria:

      config user local
          edit pwd-test1
              set passwd CCbcset123!!!
          next
      end
    2. In the CLI when the password does not meet the criteria (only two numbers, so an error message appears):

      config user local
          edit pwd-test1
              set passwd CCbXsetp23!!!
      New password must conform to the password policy enforced on this user:
      Password must:
              Be a minimum length of 8
              Include at least 1 lower case letter(s) (a-z)
              Include at least 1 upper case letter(s) (A-Z)
              Include at least 3 non-alphanumeric character(s)
              Include at least 3 number(s) (0-9)
              Have at least 2 unique character(s) which don't exist in the old password
              Not be same as last two passwords   
      
      node_check_object fail! for passwd CCbXsetp23!!!
      
      value parse error before 'CCbXsetp23!!!'
      Command fail. Return code -49
    3. In the GUI:

      1. Go to User & Authentication > User Definition and edit a local user.

      2. Click Change Password.

      3. Enter the New Password.

      4. Enter the password again (Confirm Password). A warning will appear when the password does not match the criteria and indicates which parameters must be fixed. In this example, there are less than three numbers used.

      5. Click OK.

Sample prompt when a local user needs to update their password for firewall authentication:

Sample prompt when a local user needs to update their password for SSL VPN portal access: