[SRX] How to configure password complexity


Article ID: KB28967 KB Last Updated: 26 Mar 2020 Version: 2.0
Summary:

A complex password is recommended to prevent access to a firewall by an unauthorized user. This article provides information about configuring password complexity parameters on an SRX.

Symptoms:

A brute-force password attack, for example, repeatedly tries random usernames and passwords to gain access to the device. The time a brute-force mechanism takes to guess the correct password is directly proportional to the complexity of the password. Therefore, a complex password is recommended.

Solution:

The Junos OS provides multiple options for setting the complexity of passwords.

Creating a Complex Password

Set the following options according to your requirements and commit the changes:

root@SRX# set system login password minimum-length 10
root@SRX# set system login password maximum-length 22
root@SRX# set system login password change-type set-transitions
root@SRX# set system login password minimum-changes 4

minimum-length: Specifies the minimum number of characters required for a password. By default, Junos OS passwords must be at least 6 characters long. The valid range for this option is 6 to 20 characters.

maximum-length: Specifies the maximum number of characters allowed in a password. By default, Junos OS passwords have no maximum; however, only the first 128 characters are significant. The range for Junos OS maximum-length passwords is 20 to 128 characters.

change-type: This option can be set in one of two ways (the example above uses set-transitions):

root@SRX# set system login password change-type ?
Possible completions:
character-sets   Count number of character type
set-transitions  Count changes in character type

If the change-type statement is configured with the character-sets option, the minimum-changes value must be 5 or less because Junos OS supports only five character sets (lowercase letters, uppercase letters, numbers, punctuation, and the following special characters: ! @ # $ % ^ & * , + < > : ;).

minimum-changes: Specifies how many character sets or character set changes are required for the password. If you do not use the minimum-changes statement, character sets are not checked for Junos OS.

Notes
  • Changes to password requirements do not take effect until the configuration is committed.

  • When requirements change, only newly created, plain-text passwords are checked; existing passwords are not checked against the new requirements.

  • The default configuration for Junos OS plain-text passwords is below:

[edit system login]
root@SRX# show
passwords {
     change-type character-sets;
     format md5;
     minimum-changes 1;
     minimum-length 6;
}


Verifying Password Complexity

Use the set system root-authentication plain-text-password command to check that your password meets the security requirements.

As per the above configuration example, a password should have a minimum of 10 characters, a maximum of 22 characters, and a minimum of 4 changes between character sets.

The examples below show the output of a few set system root-authentication plain-text-password commands.

7 characters only

root@SRX# set system root-authentication plain-text-password
New password: JuN!p3R
<7 characters only>
error: minimum password length is 10
 

More than 22 characters

root@SRX# set system root-authentication plain-text-password
New password:
JuN!p3RJuN!p3RJuN!p3RJuN!p3R <more than 22 characters>
error: maximum password length is 22
 

Only 1 transition from upper case to digit (R-1)

root@SRX# set system root-authentication plain-text-password
New password: JUNIPER123
<only 1 transition from upper case to digit (R-1)>
error: require 5 changes of case, digits or punctuation
 

Password meets all the requirements, prompts to retype

root@SRX# set system root-authentication plain-text-password
New password:
JuN!p3R123 <Password meets all the requirements, prompts to retype>
Retype new password:

This password has 10 characters and the following transitions: J-u, u-N, N-!, !-p, p-3, 3-R, R-1. It meets all the configured requirements. After you type the password and press Enter, you are prompted to retype it.
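The two change-type counting modes can be modelled offline to pre-screen candidate passwords against the policy configured above. The Python below is an added example, not Juniper code: the function names are hypothetical, and treating every character outside the article's special-character list as "punctuation" is an assumption.

```python
import string

# Set the article lists as "special characters"; any other non-alphanumeric
# character is treated as "punctuation" (assumption, not Junos source).
SPECIAL = set("!@#$%^&*,+<>:;")


def char_class(ch):
    """Map one character to one of the five sets named in the article."""
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.digits:
        return "digit"
    if ch in SPECIAL:
        return "special"
    return "punctuation"


def count_changes(password, change_type):
    """character-sets: distinct sets used; set-transitions: adjacent set changes."""
    classes = [char_class(c) for c in password]
    if change_type == "character-sets":
        return len(set(classes))
    if change_type == "set-transitions":
        return sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    raise ValueError("unknown change-type: " + change_type)


def check(password, min_len=10, max_len=22,
          change_type="set-transitions", min_changes=4):
    """Return the names of the requirements the password fails (empty = pass)."""
    failed = []
    if len(password) < min_len:
        failed.append("minimum-length")
    if len(password) > max_len:
        failed.append("maximum-length")
    if count_changes(password, change_type) < min_changes:
        failed.append("minimum-changes")
    return failed


if __name__ == "__main__":
    # The four sample passwords from the article's verification section.
    for pw in ("JuN!p3R", "JuN!p3R" * 4, "JUNIPER123", "JuN!p3R123"):
        print(pw, count_changes(pw, "set-transitions"),
              count_changes(pw, "character-sets"), check(pw) or "accepted")
```

With character-sets a password only has to contain the required number of sets somewhere, while set-transitions counts how often adjacent characters switch sets, so the same string can pass one mode and fail the other.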

Modification History:

2020-03-26: Article reviewed for accuracy; it is valid and accurate
