Customizing complexity options for the local user password policy
The local firewall user password policy can be customized with various settings, such as minimum length, character types, and password reuse. These settings are similar to the ones available for the system administrator password policy, which offer more security and flexibility than the previous local user password policy.
config user password-policy edit <name> set minimum-length <integer> set min-lower-case-letter <integer> set min-upper-case-letter <integer> set min-non-alphanumeric <integer> set min-number <integer> set min-change-characters <integer> set expire-status {enable | disable} set reuse-password {enable | disable} next end
minimum-length <integer> |
Set the minimum password length (8 - 128, default = 8). |
min-lower-case-letter <integer> |
Set the minimum number of lowercase characters in the password (0 - 128, default = 0). |
min-upper-case-letter <integer> |
Set the minimum number of uppercase characters in the password (0 - 128, default = 0). |
min-non-alphanumeric <integer> |
Set the minimum number of non-alphanumeric in the password (0 - 128, default = 0). |
min-number <integer> |
Set the minimum number of numeric characters in the password (0 - 128, default = 0). |
min-change-characters <integer> |
Set the minimum number of unique characters in new password, which do not exist in the old password (0 - 128, default = 0). This attribute overrides |
set expire-status {enable | disable} |
Enable/disable password expiration (default = disable). |
set reuse-password {enable | disable} |
Enable/disable password reuse (default = enable. If both |
After upgrading to 7.4.1 from 7.4.0, users must activate the user password policy using the CLI. The previous password policy settings will remain valid, but they will not be effective unless the password policy password expiration is enabled (expire-status
). If the password policy password expiration is not enabled, the expire-days <integer>
option will not force users to change their password after number of specified days.
Example
The following user password policy is configured before upgrading to 7.4.1:
config user password-policy edit "1" set expire-days 1 set warn-days 1 set expired-password-renewal enable next end
To configure the user password policy options:
-
Check the user password policy settings after the upgrade:
config user password-policy edit 1 get name : 1 expire-days : 1 warn-days : 1 expired-password-renewal: enable minimum-length : 8 min-lower-case-letter: 0 min-upper-case-letter: 0 min-non-alphanumeric: 0 min-number : 0 min-change-characters: 0 expire-status : disable reuse-password : enable next end
-
Edit the user password policy settings, including enabling password expiration:
config user password-policy edit "1" set expire-days 1 set warn-days 1 set expired-password-renewal enable set min-lower-case-letter 1 set min-upper-case-letter 1 set min-non-alphanumeric 3 set min-number 3 set min-change-characters 2 set expire-status enable set reuse-password disable next end
-
Change a password for a local user.
-
In the CLI when the password meets the criteria:
config user local edit pwd-test1 set passwd CCbcset123!!! next end
-
In the CLI when the password does not meet the criteria (only two numbers, so an error message appears):
config user local edit pwd-test1 set passwd CCbXsetp23!!! New password must conform to the password policy enforced on this user: Password must: Be a minimum length of 8 Include at least 1 lower case letter(s) (a-z) Include at least 1 upper case letter(s) (A-Z) Include at least 3 non-alphanumeric character(s) Include at least 3 number(s) (0-9) Have at least 2 unique character(s) which don't exist in the old password Not be same as last two passwords node_check_object fail! for passwd CCbXsetp23!!! value parse error before 'CCbXsetp23!!!' Command fail. Return code -49
-
In the GUI:
-
Go to User & Authentication > User Definition and edit a local user.
-
Click Change Password.
-
Enter the New Password.
-
Enter the password again (Confirm Password). A warning will appear when the password does not match the criteria and indicates which parameters must be fixed. In this example, there are less than three numbers used.
-
Click OK.
-
-
Sample prompt when a local user needs to update their password for firewall authentication:
Sample prompt when a local user needs to update their password for SSL VPN portal access: