Password policy
Password authentication is effective only if the password is sufficiently strong and is changed periodically. By default, the FortiGate unit requires only that passwords be at least eight characters in length, but up to 128 characters is permitted. You can set a password policy to enforce higher standards for both length and complexity of passwords. Password policies can apply to administrator passwords or IPsec VPN pre-shared keys.
To set a password policy in the web-based manager, go to System > Settings. In the CLI, use the config system password-policy command.
Users usually create passwords composed of alphabetic characters and perhaps some numbers. Password policy can require the inclusion of uppercase letters, lowercase letters, numerals or punctuation characters.
Configuring password minimum requirement policy
Best practices dictate that passwords include:
- one or more uppercase characters
- one or more lowercase characters
- one or more numerals
- one or more special characters
The minimum number of each of these types of characters can be set in both the web-based manager and the CLI.
The following procedures show how to force administrator passwords to contain at least two uppercase letters, four lowercase letters, two digits, and one special character. Leave the minimum length at the default of eight characters.
To change administrator password minimum requirements – web-based manager:
- Go to System > Settings.
- Select Enable Password Policy.
- Select Must Contain at Least.
- Enter the following information:
| Setting | Value |
| --- | --- |
| Upper Case Letters | 2 |
| Lower Case Letters | 4 |
| Numbers | 2 |
| Special Characters | 1 |
- Under Apply Password Policy to, select Administrator Password.
- Select Apply.
To change administrator password minimum requirements – CLI:
```
config system password-policy
    set status enable
    set apply-to admin-password
    set min-upper-case-letter 2
    set min-lower-case-letter 4
    set min-number 2
    set min-non-alphanumeric 1
    set change-4-characters enable
end
```
The change-4-characters option requires a new password to differ from the old password in at least four characters. A new password that changes fewer characters is rejected. This option is only available in the CLI.
To configure a guest administrator password policy – CLI:
As of FortiOS 5.4, a password policy can also be created for guest administrators. The following listing shows all of the options available under config system password-policy.
```
config system password-policy
    set status {enable | disable}              Enable/disable password policy.
    set apply-to {guest-admin-password}        Guest admin to which this password policy applies.
    set minimum-length <8-128>                 Minimum password length.
    set min-lower-case-letter <0-128>          Min. lowercase characters in password.
    set min-upper-case-letter <0-128>          Min. uppercase characters in password.
    set min-non-alphanumeric <0-128>           Min. non-alphanumeric characters in password.
    set min-number <0-128>                     Min. numeric characters in password.
    set change-4-characters {enable | disable} Enable/disable changing at least 4 characters for new password.
    set expire-status {enable | disable}       Enable/disable password expiration.
    set expire-day <1-999>                     Number of days before password expires.
    set reuse-password {enable | disable}      Enable/disable reuse of password.
end
```
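To see how the minimum-requirement settings from the administrator procedure above and the option list here combine when a candidate password is evaluated, the following checker is an added example (not FortiOS code and not part of the original page). It mirrors the policy settings by name; the ASCII character classes and the reading of change-4-characters as "at least four character positions differ from the old password, counting any length difference" are assumptions, since the page does not define either.

```python
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordPolicy:
    """Knobs named after the config system password-policy settings on this page."""
    minimum_length: int = 8            # FortiOS default; valid range is 8-128
    maximum_length: int = 128
    min_upper_case_letter: int = 0
    min_lower_case_letter: int = 0
    min_number: int = 0
    min_non_alphanumeric: int = 0
    change_4_characters: bool = False


def changed_characters(old: str, new: str) -> int:
    """Assumed reading of change-4-characters: positions that differ from the old
    password, with any difference in length also counted as changed characters."""
    common = min(len(old), len(new))
    differing = sum(1 for a, b in zip(old[:common], new[:common]) if a != b)
    return differing + abs(len(old) - len(new))


def check_password(policy: PasswordPolicy, new: str, old: Optional[str] = None) -> List[str]:
    """Return every violation for `new`; an empty list means the password is accepted.
    Character classes are ASCII (an assumption; the page does not define them)."""
    problems: List[str] = []
    if not policy.minimum_length <= len(new) <= policy.maximum_length:
        problems.append(f"length: {len(new)} not within "
                        f"{policy.minimum_length}-{policy.maximum_length}")
    required = {  # class name -> (configured minimum, alphabet of that class)
        "upper-case": (policy.min_upper_case_letter, string.ascii_uppercase),
        "lower-case": (policy.min_lower_case_letter, string.ascii_lowercase),
        "number": (policy.min_number, string.digits),
    }
    for name, (minimum, alphabet) in required.items():
        have = sum(1 for c in new if c in alphabet)
        if have < minimum:
            problems.append(f"{name}: {have} < {minimum}")
    special = sum(1 for c in new if c not in string.ascii_letters + string.digits)
    if special < policy.min_non_alphanumeric:
        problems.append(f"non-alphanumeric: {special} < {policy.min_non_alphanumeric}")
    if old is not None and policy.change_4_characters:
        changed = changed_characters(old, new)
        if changed < 4:
            problems.append(f"change-4-characters: only {changed} changed")
    return problems
```

With the 2/4/2/1 policy from the procedure above, "hello39" changed to "hello3900" (one of the patterns the best-practice list warns against) fails three checks at once: no uppercase letter, no special character, and only two changed characters.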
Password best practices
In addition to length and complexity, there are security factors that cannot be enforced in a policy. Guidelines issued to users will encourage proper password habits.
Best practices dictate that password expiration also be enabled. This forces passwords to be changed on a regular basis. You can set the interval in days. The more sensitive the information this account has access to, the shorter the password expiration interval should be. For example, 180 days for guest accounts, 90 days for users, and 60 days for administrators.
Avoid:
- real words found in any language dictionary
- numeric sequences, such as “12345”
- sequences of adjacent keyboard characters, such as “qwerty”
- adding numbers on the end of a word, such as “hello39”
- adding characters to the end of the old password, such as “hello39” to “hello3900”
- repeated characters
- personal information, such as your name, birthday, or telephone number
Maximum login attempts and blackout period
When you log in and fail to enter the correct password, you could be a valid user or a hacker attempting to gain access. For this reason, best practices dictate limiting the number of failed login attempts before a blackout period during which you cannot log in.
To set a maximum of five failed authentication attempts before the blackout, use the following CLI command:
```
config user setting
    set auth-invalid-max 5
end
```
To set the length of the blackout period to five minutes, or 300 seconds, once the maximum number of failed login attempts has been reached, use the following CLI command:
```
config user setting
    set auth-blackout-time 300
end
```