Multiple password policies can be created and implemented for different groups, as opposed to enforcing a global password policy.
When a user is a member of multiple user groups, FortiAuthenticator applies the strictest password policy settings. For example, if two password policies have different password expiry periods, FortiAuthenticator applies the shortest expiry period.
|For load-balancing HA (A-A), new password policy settings in user groups must be manually duplicated on the backup unit(s).|
You can enforce a minimum length and complexity for user passwords, and can force users to change their passwords periodically.
For information on setting a user’s password, and password recovery options, see Editing a user.
Go to Authentication > User Account Policies > Passwords and select Create New to configure a password policy.
- Under User Password Complexity, enter the minimum password length in the Minimum length field.
The default length is 8. The minimum length is 0, which means that there is no minimum length but the password cannot be empty.
- Optionally, select Check for password complexity and then configure the following password requirements as needed:
- Minimum upper-case letters
- Minimum lower-case letters
- Minimum numeric characters
Minimum non-alphanumeric characters
You can also enable Use non-alphanumeric characters in random passwords and enter the characters in the field provided.
- Under User Password Change Policy, optionally select Enable password expiry, then set the Maximum password age. When enabled, users are required to change their passwords after a period of time. Users are notified by email when their password is expiring. Accounts with expired passwords are disabled.
- Optionally, select Enforce password history to prevent users from creating a new password that is the same as their current password or recently used passwords. Then, enter the Number of passwords to remember. New passwords must not match any of the remembered passwords.
- Optionally, select Enable random password expiry to force randomly generated passwords to expire. Then, enter the number of hours after which a randomly generated password will expire in the Random passwords expire after field.
- Select OK to create the password policy.
The default maximum password age is 90 days. The minimum value allowed is 14 days.
You can also set the password renewal reminder intervals in the Send password renewal reminder on: field, separating each entry by a comma. The default is every 14, 7, 3, and 1 days.
For example, if three passwords are remembered (set by default), users cannot reuse any of their three previous passwords.
The default randomly generated password expiry age is 72 hours (or three days). The value can be set from 1 to 168 hours (or seven days).
You can also set the number of hours users have to set a new password upon receiving a new password email link. The default is 24 hours. The value can be set from 1 to 168 hours (or seven days).