Passwords
Using secure passwords is vital for preventing unauthorized access to your FortiGate. When changing the password, consider the following to improve security:
- Do not use obvious passwords, such as the company name, administrator names, or other words and phrases that are easy to guess.
- Substituting numbers for letters, for example passw0rd, adds little on its own: password-cracking tools apply these substitutions to every word in their dictionaries automatically, so combine it with the other measures below rather than relying on it.
- Administrator passwords can be up to 64 characters.
- Include a mixture of upper and lower case letters, numbers, and special characters.
- Use multiple words together, or even a sentence, for example keytothehighway. Length contributes more to strength than character substitutions do.
- Use a password generator.
- Change the password regularly, and make each new password unique rather than a variation of the existing one, such as changing from password to password1.
- Make a note of the password and store it in a safe place away from the management computer, in case you forget it, or ensure that at least two people know the password in case one person becomes ill, is away on vacation, or leaves the company. Alternatively, create two separate administrator accounts; this also keeps the administrative log attributable to the individual who made each change.
Downgrades will typically maintain the administrator password. If you need to downgrade to FortiOS 4.3, remove the password before the downgrade, then log in after the downgrade and re-configure the password.
Password policy
The FortiGate includes the ability to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can enforce regular changes and specific criteria for a password including:
- minimum length between 8 and 64 characters.
- if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
- if the password must contain numbers (1, 2, 3).
- if the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )).
- which passwords the policy applies to (administrator passwords, IPsec pre-shared keys, or both).
- how long a password remains valid before a new one must be set.
To create a password policy - GUI
- Go to System > Settings.
- Configure Password Policy settings as required.
- Click Apply.
If you add a password policy or tighten the requirements of an existing one, any administrator whose current password does not meet the new requirements is prompted to change it the next time they log in to the FortiGate, before they can proceed.
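The following script is an added example, not FortiOS's own implementation or any code from the original page. It models the password policy criteria listed above (minimum length, character classes, and "not a variation of the existing password") as a small checker, runs it over the passwords the guidelines use as examples (passw0rd, keytothehighway, password to password1), and includes a generator that produces passwords satisfying the policy. The policy values, the list of "obvious" words, and the leet-speak substitution table are assumptions chosen for illustration; a real check would add the company name, administrator names, and a cracking wordlist.

```python
"""Illustrative model of the administrator password rules described above.

Example code added to this page; not FortiOS's implementation. The policy
values, OBVIOUS_WORDS and the LEET table are assumptions for illustration.
"""
import secrets
import string
from itertools import zip_longest

SPECIALS = "!@#$%^&*()"  # the non-alphanumeric characters the policy lists

# Assumed policy; the page allows a minimum length anywhere from 8 to 64.
POLICY = {
    "minimum_length": 12,
    "require_upper": True,
    "require_lower": True,
    "require_number": True,
    "require_special": True,
    "min_changed_positions": 4,  # how much a new password must differ from the old
}

# Constructed wordlist; a real deployment would add the company name,
# administrator names and a cracking dictionary.
OBVIOUS_WORDS = ("password", "admin", "fortigate", "fortinet")

# Common digit/symbol substitutions. Cracking tools undo these as a matter
# of course, so "passw0rd" is treated the same as "password".
LEET = str.maketrans("0134578$@", "oieastbsa")


def normalize(password: str) -> str:
    """Lower-case the password and undo leet-speak so obvious words show up."""
    return password.lower().translate(LEET)


def changed_positions(old: str, new: str) -> int:
    """Count positions where old and new differ; extra length counts as changed."""
    return sum(1 for a, b in zip_longest(old, new) if a != b)


def check_password(new: str, old: str = "", policy=POLICY) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if not policy["minimum_length"] <= len(new) <= 64:
        problems.append(f"length must be {policy['minimum_length']}-64 characters")
    if policy["require_upper"] and not any(c.isupper() for c in new):
        problems.append("needs an upper-case letter")
    if policy["require_lower"] and not any(c.islower() for c in new):
        problems.append("needs a lower-case letter")
    if policy["require_number"] and not any(c.isdigit() for c in new):
        problems.append("needs a number")
    if policy["require_special"] and not any(c in SPECIALS for c in new):
        problems.append("needs a special character")
    norm = normalize(new)
    for word in OBVIOUS_WORDS:
        if word in norm:
            problems.append(f"contains an obvious word ({word!r})")
            break
    if old:
        # A new password that still contains the old one, or differs from it
        # in only a few positions, is a variation, not a new password.
        if normalize(old) in norm or changed_positions(old, new) < policy["min_changed_positions"]:
            problems.append("too similar to the previous password")
    return problems


def generate_password(length: int = 20, policy=POLICY) -> str:
    """Generate a random password that satisfies the policy, using the secrets module."""
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS]
    chars = [secrets.choice(cls) for cls in classes]  # one from each class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for new, old in [("passw0rd", ""), ("keytothehighway", ""),
                     ("password1", "password"), ("Key2the#Highway!", "passw0rd")]:
        print(f"{new!r} (previous {old!r}): {check_password(new, old) or 'OK'}")
    print("generated:", generate_password())
```

Of the page's examples, only a long mixed-class passphrase passes: passw0rd fails on length, missing classes and the obvious-word check once the substitution is undone, and password1 is rejected as a variation of password because it both contains the old password and differs from it in a single position.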
For information about recovering a lost password and enhancements to the process, see the Fortinet knowledge base or Resetting a lost Admin password.