Password policy

Brute force password software can launch more than just dictionary attacks. It can discover common passwords where a letter is replaced by a number. For example, if p4ssw0rd is used as a password, it can be cracked.

Using secure passwords is vital for preventing unauthorized access to your FortiGate. When changing the password, consider the following to ensure better security:

  • Do not use passwords that are obvious, such as the company name, administrator names, or other obvious words or phrases.
  • Use numbers in place of letters, for example: passw0rd.
  • Administrator passwords can be up to 64 characters.
  • Include a mixture of numbers, symbols, and upper and lower case letters.
  • Use multiple words together, or possibly even a sentence, for example: correcthorsebatterystaple.
  • Use a password generator.
  • Change the password regularly and always make the new password unique, not a variation of the existing password. For example, do not change from password to password1.
  • Make note of the password and store it in a safe place away from the management computer, in case you forget it; or ensure at least two people know the password in the event one person becomes unavailable. Alternatively, have two different admin logins.

FortiGate allows you to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can enforce regular changes and specific criteria for passwords, including:

  • The minimum length, between 8 and 64 characters.
  • If the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
  • If the password must contain numbers (1, 2, 3).
  • If the password must contain special or non-alphanumeric characters: !, @, #, $, %, ^, &, *, (, and ).
  • Where the password applies (admin or IPsec or both).