[SRX] How to configure password complexity

The Junos OS provides multiple options for setting the complexity of passwords.

Creating a Complex Password

Set the following options according to your requirements and commit the changes:

root@SRX# set system login password minimum-length 10 root@SRX# set system login password maximum-length 22 root@SRX# set system login password change-type set-transitions root@SRX# set system login password minimum-changes 4

minimum-length: Specifies the minimum number of characters required for a password. By default, Junos OS passwords must be at least 6 characters long. The valid range for this option is 6 to 20 characters.

maximum-length: Specifies the maximum number of characters allowed in a password. By default, Junos OS passwords have no maximum; however, only the first 128 characters are significant. The range for Junos OS maximum-length passwords is 20 to 128 characters.

change-type set-transitions: This option can be further configured in two ways:

root@SRX# set system login password change-type ? Possible completions: character-sets Count number of character type set-transitions Count changes in character type

If the change-type statement is configured for the character-set option, the minimum-changes value must be 5 or less because Junos OS supports only five character sets (lowercase letters, uppercase letters, numbers, punctuation, and the following special characters: ! @ # $ % ^ & * , +< > : ;).

minimum-changes: Specifies how many character sets or character set changes are required for the password. If you do not use the minimum-changes statement, character sets are not checked for Junos OS.

Notes

Changes to password requirements do not take effect until the configuration is committed.

When requirements change, only newly created, plain-text passwords are checked; existing passwords are not checked against the new requirements.

The default configuration for Junos OS plain-text passwords is below:

[edit system login] root@SRX# show passwords { change-type character-sets; format md5; minimum-changes 1; minimum-length 6; }

Verifying Password Complexity

Use the set system root-authentication plain-text-password command to check that your password meets the security requirements.

As per the above configuration example, a password should have a minimum of 10 characters, a maximum of 22 characters, and a minimum of 4 changes between character sets.

The examples below show the output of a few set system root-authentication plain-text-password commands.

7 characters only

root@SRX# set system root-authentication plain-text-password New password: JuN!p3R<7 characters only>
error: minimum password length is 10

More than 22 characters

root@SRX# set system root-authentication plain-text-password New password:JuN!p3RJuN!p3RJuN!p3RJuN!p3R <more than 22 characters>
error: maximum password length is 22

Only 1 transition from upper case to digit (R-1)

root@SRX# set system root-authentication plain-text-password New password: JUNIPER123<only 1 transition from upper case to digit (R-1)>
error: require 5 changes of case, digits or punctuation

Password meets all the requirements, prompts to retype

<Password meets all the requirements, prompts to retype> root@SRX# set system root-authentication plain-text-password New password:JuN!p3R123 <Password meets all the requirements, prompts to retype>
Retype new password:

This password has 10 characters and the following transitions: J-u, u-N, N-!, !-p, p-3, 3-R, R-1. It meets all the configured requirements. After the password is typed and Enter is pressed, you are prompted to re-enter the password as it appears.

Knowledge Base

Creating a Complex Password

Verifying Password Complexity