Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.4.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Enhance complexity options for local user password policy 7.4.1

    Enhance complexity options for local user password policy 7.4.1

    Note

    This information is also available in the FortiOS 7.4 Administration Guide:

    The local firewall user password policy can be customized with various settings, such as minimum length, character types, and password reuse. These settings are similar to the ones available for the system administrator password policy, which offer more security and flexibility than the previous local user password policy.

    config user password-policy
    edit <name>
        set minimum-length <integer>
        set min-lower-case-letter <integer>
        set min-upper-case-letter <integer>
        set min-non-alphanumeric <integer>
        set min-number <integer>
        set min-change-characters <integer>
        set expire-status {enable | disable}
        set reuse-password {enable | disable}
    next
end

    minimum-length <integer>

    Set the minimum password length (8 - 128, default = 8).

    min-lower-case-letter <integer>

    Set the minimum number of lowercase characters in the password (0 - 128, default = 0).

    min-upper-case-letter <integer>

    Set the minimum number of uppercase characters in the password (0 - 128, default = 0).

    min-non-alphanumeric <integer>

    Set the minimum number of non-alphanumeric in the password (0 - 128, default = 0).

    min-number <integer>

    Set the minimum number of numeric characters in the password (0 - 128, default = 0).

    min-change-characters <integer>

    Set the minimum number of unique characters in new password, which do not exist in the old password (0 - 128, default = 0). This attribute overrides reuse-password if both are enabled.

    set expire-status {enable | disable}

    Enable/disable password expiration (default = disable).

    set reuse-password {enable | disable}

    Enable/disable password reuse (default = enable. If both reuse-password and min-change-characters are enabled, min-change-characters overrides it.

    After upgrading, users must activate the user password policy using the CLI. The previous password policy settings will remain valid, but they will not be effective unless the password policy password expiration is enabled (expire-status). If the password policy password expiration is not enabled, the expire-days <integer> option will not force users to change their password after number of specified days.

    Example

    The following user password policy is configured before upgrading:

    config user password-policy
    edit "1"
        set expire-days 1
        set warn-days 1
        set expired-password-renewal enable
    next
end
    To configure the user password policy options:

    1. Check the user password policy settings after the upgrade:

      config user password-policy 
    edit 1
        get 
            name                : 1
            expire-days         : 1
            warn-days           : 1
            expired-password-renewal: enable
            minimum-length      : 8
            min-lower-case-letter: 0
            min-upper-case-letter: 0
            min-non-alphanumeric: 0
            min-number          : 0
            min-change-characters: 0
            expire-status       : disable
            reuse-password      : enable
    next
end

    2. Edit the user password policy settings, including enabling password expiration:

      config user password-policy
    edit "1"
        set expire-days 1
        set warn-days 1
        set expired-password-renewal enable
        set min-lower-case-letter 1
        set min-upper-case-letter 1
        set min-non-alphanumeric 3
        set min-number 3
        set min-change-characters 2
        set expire-status enable
        set reuse-password disable
    next
end

    3. Change a password for a local user.

      1. In the CLI when the password meets the criteria:

        config user local
    edit pwd-test1
        set passwd CCbcset123!!!
    next
end

      2. In the CLI when the password does not meet the criteria (only two numbers, so an error message appears):

        config user local
    edit pwd-test1
        set passwd CCbXsetp23!!!
New password must conform to the password policy enforced on this user:
Password must:
        Be a minimum length of 8
        Include at least 1 lower case letter(s) (a-z)
        Include at least 1 upper case letter(s) (A-Z)
        Include at least 3 non-alphanumeric character(s)
        Include at least 3 number(s) (0-9)
        Have at least 2 unique character(s) which don't exist in the old password
        Not be same as last two passwords   

node_check_object fail! for passwd CCbXsetp23!!!

value parse error before 'CCbXsetp23!!!'
Command fail. Return code -49

      3. In the GUI:

        1. Go to User & Authentication > User Definition and edit a local user.

        2. Click Change Password.

        3. Enter the New Password.

        4. Enter the password again (Confirm Password). A warning will appear when the password does not match the criteria and indicates which parameters must be fixed. In this example, there are less than three numbers used.

        5. Click OK.

    Sample prompt when a local user needs to update their password for firewall authentication:

    Sample prompt when a local user needs to update their password for SSL VPN portal access:

    Previous
    Next

    Enhance complexity options for local user password policy 7.4.1

    Enhance complexity options for local user password policy 7.4.1

    Note

    This information is also available in the FortiOS 7.4 Administration Guide:

    The local firewall user password policy can be customized with various settings, such as minimum length, character types, and password reuse. These settings are similar to the ones available for the system administrator password policy, which offer more security and flexibility than the previous local user password policy.

    config user password-policy
    edit <name>
        set minimum-length <integer>
        set min-lower-case-letter <integer>
        set min-upper-case-letter <integer>
        set min-non-alphanumeric <integer>
        set min-number <integer>
        set min-change-characters <integer>
        set expire-status {enable | disable}
        set reuse-password {enable | disable}
    next
end

    minimum-length <integer>

    Set the minimum password length (8 - 128, default = 8).

    min-lower-case-letter <integer>

    Set the minimum number of lowercase characters in the password (0 - 128, default = 0).

    min-upper-case-letter <integer>

    Set the minimum number of uppercase characters in the password (0 - 128, default = 0).

    min-non-alphanumeric <integer>

    Set the minimum number of non-alphanumeric in the password (0 - 128, default = 0).

    min-number <integer>

    Set the minimum number of numeric characters in the password (0 - 128, default = 0).

    min-change-characters <integer>

    Set the minimum number of unique characters in new password, which do not exist in the old password (0 - 128, default = 0). This attribute overrides reuse-password if both are enabled.

    set expire-status {enable | disable}

    Enable/disable password expiration (default = disable).

    set reuse-password {enable | disable}

    Enable/disable password reuse (default = enable. If both reuse-password and min-change-characters are enabled, min-change-characters overrides it.

    After upgrading, users must activate the user password policy using the CLI. The previous password policy settings will remain valid, but they will not be effective unless the password policy password expiration is enabled (expire-status). If the password policy password expiration is not enabled, the expire-days <integer> option will not force users to change their password after number of specified days.

    Example

    The following user password policy is configured before upgrading:

    config user password-policy
    edit "1"
        set expire-days 1
        set warn-days 1
        set expired-password-renewal enable
    next
end
    To configure the user password policy options:

    1. Check the user password policy settings after the upgrade:

      config user password-policy 
    edit 1
        get 
            name                : 1
            expire-days         : 1
            warn-days           : 1
            expired-password-renewal: enable
            minimum-length      : 8
            min-lower-case-letter: 0
            min-upper-case-letter: 0
            min-non-alphanumeric: 0
            min-number          : 0
            min-change-characters: 0
            expire-status       : disable
            reuse-password      : enable
    next
end

    2. Edit the user password policy settings, including enabling password expiration:

      config user password-policy
    edit "1"
        set expire-days 1
        set warn-days 1
        set expired-password-renewal enable
        set min-lower-case-letter 1
        set min-upper-case-letter 1
        set min-non-alphanumeric 3
        set min-number 3
        set min-change-characters 2
        set expire-status enable
        set reuse-password disable
    next
end

    3. Change a password for a local user.

      1. In the CLI when the password meets the criteria:

        config user local
    edit pwd-test1
        set passwd CCbcset123!!!
    next
end

      2. In the CLI when the password does not meet the criteria (only two numbers, so an error message appears):

        config user local
    edit pwd-test1
        set passwd CCbXsetp23!!!
New password must conform to the password policy enforced on this user:
Password must:
        Be a minimum length of 8
        Include at least 1 lower case letter(s) (a-z)
        Include at least 1 upper case letter(s) (A-Z)
        Include at least 3 non-alphanumeric character(s)
        Include at least 3 number(s) (0-9)
        Have at least 2 unique character(s) which don't exist in the old password
        Not be same as last two passwords   

node_check_object fail! for passwd CCbXsetp23!!!

value parse error before 'CCbXsetp23!!!'
Command fail. Return code -49

      3. In the GUI:

        1. Go to User & Authentication > User Definition and edit a local user.

        2. Click Change Password.

        3. Enter the New Password.

        4. Enter the password again (Confirm Password). A warning will appear when the password does not match the criteria and indicates which parameters must be fixed. In this example, there are less than three numbers used.

        5. Click OK.

    Sample prompt when a local user needs to update their password for firewall authentication:

    Sample prompt when a local user needs to update their password for SSL VPN portal access:

    Previous
    Next