Fortinet white logo
Fortinet white logo

Administration Guide

Password Policy

Password Policy

Allow admin users to configure a user password policy. The new password policy will affect all local administrators.

FortiSandbox allows you to create a password policy for local administrators. With this policy, you can enforce regular changes and specific criteria for a password policy including:

  • The minimum character requirements. Such as requirements for numbers, uppercase and special characters.
  • The number of days a password is set to expire for all local administrators.
  • If the new password must be unused.

If you add a password policy or change the requirements on an existing policy, users that are already logged into FortiSandbox may have their session interrupted to update the password to meet the new policy. Otherwise, the next time an administrator logs into the FortiSandbox via GUI/SSH/Telnet, the local administrator is prompted to update the password to meet the new requirements before proceeding to log in.

To create a password policy:

  1. Go to System > Password Policy.
  2. Click Enable. The User Password Policy page expands.
  3. Configure the password policy.
    Minimum password lengthEnter the minimum number characters the password must contain. The default is 6.
    Minimum character requirements

    Enable to specify the number required characters.

    Lower caseEnter the required number of lowercase characters. The default is 0.
    Upper caseEnter the required number of uppercase characters. The default is 0.
    Non-alphanumericEnter the required number of Non-alphanumeric characters. The default is 0.
    NumericEnter the required number of numeric characters. The default is 0.
    Enable password expiration (days) Enable to enter the number of days is set to expire. The default is 90 days,
    Allow password reuseAllow the user to reuse an old password. This option is enabled by default.

  4. Click Apply.
Tooltip
  • The Notifications icon in FortiSandbox will alert administrators the password will expire seven days before the expiration date
  • The password policy is also applied to following related features:
    • Maintainer account login FSA to reset the built-in admin's password. For more information, see the Best Practices Guide > Resetting user’s admin password.
    • Using CLI to create a new administrator.
    • The Json API function 33 Configure system administrator.

Password Best Practices

Brute force password software can launch more than just dictionary attacks. It can discover common passwords where a letter is replaced by a number. For example, if p4ssw0rd is used as a password, it can be cracked.

Using secure passwords is vital to preventing unauthorized access to your FortiSandbox. When changing the password, consider the following to ensure better security:

  • Do not use passwords that are obvious, such as the company name, administrator names, or other obvious words or phrases.
  • Use numbers in place of letters, for example: passw0rd.
  • Administrator passwords can be up to 64 characters.
  • Include a mixture of numbers, symbols, and upper and lower case letters.
  • Use multiple words together, or possibly even a sentence, for example: correcthorsebatterystaple.
  • Use a password generator.
  • Change the password regularly and always make the new password is unique and not a variation of the existing password. For example, do not change from password to password1.
  • Make note of the password and store it in a safe place away from the management computer, in case you forget it; or ensure at least two people know the password in the event one person becomes unavailable. Alternatively, have two different admin logins.

Password Policy

Password Policy

Allow admin users to configure a user password policy. The new password policy will affect all local administrators.

FortiSandbox allows you to create a password policy for local administrators. With this policy, you can enforce regular changes and specific criteria for a password policy including:

  • The minimum character requirements. Such as requirements for numbers, uppercase and special characters.
  • The number of days a password is set to expire for all local administrators.
  • If the new password must be unused.

If you add a password policy or change the requirements on an existing policy, users that are already logged into FortiSandbox may have their session interrupted to update the password to meet the new policy. Otherwise, the next time an administrator logs into the FortiSandbox via GUI/SSH/Telnet, the local administrator is prompted to update the password to meet the new requirements before proceeding to log in.

To create a password policy:

  1. Go to System > Password Policy.
  2. Click Enable. The User Password Policy page expands.
  3. Configure the password policy.
    Minimum password lengthEnter the minimum number characters the password must contain. The default is 6.
    Minimum character requirements

    Enable to specify the number required characters.

    Lower caseEnter the required number of lowercase characters. The default is 0.
    Upper caseEnter the required number of uppercase characters. The default is 0.
    Non-alphanumericEnter the required number of Non-alphanumeric characters. The default is 0.
    NumericEnter the required number of numeric characters. The default is 0.
    Enable password expiration (days) Enable to enter the number of days is set to expire. The default is 90 days,
    Allow password reuseAllow the user to reuse an old password. This option is enabled by default.

  4. Click Apply.
Tooltip
  • The Notifications icon in FortiSandbox will alert administrators the password will expire seven days before the expiration date
  • The password policy is also applied to following related features:
    • Maintainer account login FSA to reset the built-in admin's password. For more information, see the Best Practices Guide > Resetting user’s admin password.
    • Using CLI to create a new administrator.
    • The Json API function 33 Configure system administrator.

Password Best Practices

Brute force password software can launch more than just dictionary attacks. It can discover common passwords where a letter is replaced by a number. For example, if p4ssw0rd is used as a password, it can be cracked.

Using secure passwords is vital to preventing unauthorized access to your FortiSandbox. When changing the password, consider the following to ensure better security:

  • Do not use passwords that are obvious, such as the company name, administrator names, or other obvious words or phrases.
  • Use numbers in place of letters, for example: passw0rd.
  • Administrator passwords can be up to 64 characters.
  • Include a mixture of numbers, symbols, and upper and lower case letters.
  • Use multiple words together, or possibly even a sentence, for example: correcthorsebatterystaple.
  • Use a password generator.
  • Change the password regularly and always make the new password is unique and not a variation of the existing password. For example, do not change from password to password1.
  • Make note of the password and store it in a safe place away from the management computer, in case you forget it; or ensure at least two people know the password in the event one person becomes unavailable. Alternatively, have two different admin logins.