A complex password is recommended to prevent access to a firewall by an unauthorized user. This article provides information about configuring password complexity parameters on an SRX.
A brute-force attack, for example, repeatedly tries random usernames and passwords to gain access to the device. The time a brute-force mechanism takes to guess the correct password is directly proportional to the complexity of the password. Therefore, a complex password is recommended.
The Junos OS provides multiple options for setting the complexity of passwords.
Creating a Complex Password
Set the following options according to your requirements and commit the changes:
root@SRX# set system login password minimum-length 10
root@SRX# set system login password maximum-length 22
root@SRX# set system login password change-type set-transitions
root@SRX# set system login password minimum-changes 4
minimum-length: Specifies the minimum number of characters required for a password. By default, Junos OS passwords must be at least 6 characters long. The valid range for this option is 6 to 20 characters.
maximum-length: Specifies the maximum number of characters allowed in a password. By default, Junos OS passwords have no maximum; however, only the first 128 characters are significant. The range for Junos OS maximum-length passwords is 20 to 128 characters.
change-type set-transitions: The change-type option can be configured in one of two ways:
root@SRX# set system login password change-type ?
Possible completions:
character-sets Count number of character type
set-transitions Count changes in character type
If the change-type statement is configured with the character-sets option, the minimum-changes value must be 5 or less because Junos OS supports only five character sets (lowercase letters, uppercase letters, numbers, punctuation, and the following special characters: ! @ # $ % ^ & * , + < > : ;).
minimum-changes: Specifies how many character sets or character set changes are required for the password. If you do not use the minimum-changes statement, character sets are not checked for Junos OS.
Notes
- Changes to password requirements do not take effect until the configuration is committed.
- When requirements change, only newly created, plain-text passwords are checked; existing passwords are not checked against the new requirements.
- The default configuration for Junos OS plain-text passwords is below:
[edit system login]
root@SRX# show
passwords {
change-type character-sets;
format md5;
minimum-changes 1;
minimum-length 6;
}
Verifying Password Complexity
Use the set system root-authentication plain-text-password command to check that your password meets the security requirements.
As per the above configuration example, a password should have a minimum of 10 characters, a maximum of 22 characters, and a minimum of 4 changes between character sets.
The examples below show the output of a few set system root-authentication plain-text-password commands.
7 characters only
root@SRX# set system root-authentication plain-text-password
New password: JuN!p3R
<7 characters only>
error: minimum password length is 10
More than 22 characters
root@SRX# set system root-authentication plain-text-password
New password: JuN!p3RJuN!p3RJuN!p3RJuN!p3R
<more than 22 characters>
error: maximum password length is 22
Only 1 transition from upper case to digit (R-1)
root@SRX# set system root-authentication plain-text-password
New password: JUNIPER123
<only 1 transition from upper case to digit (R-1)>
error: require 5 changes of case, digits or punctuation
Password meets all the requirements, prompts to retype
root@SRX# set system root-authentication plain-text-password
New password: JuN!p3R123
<Password meets all the requirements, prompts to retype>
Retype new password:
This password has 10 characters and the following transitions: J-u, u-N, N-!, !-p, p-3, 3-R, R-1. It meets all the configured requirements. After the password is typed and Enter is pressed, you are prompted to re-enter the password as it appears.
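The length limits and the two change-type counting modes described in this article can be approximated offline to pre-screen candidate passwords before they are entered on the device. This is an added example, not Juniper code: the function names and the split between "special" and "punctuation" characters are assumptions, and the defaults mirror the example configuration above.

```python
# Added example: approximates the checks described in this article.
# The class boundaries below are an assumption, not Junos OS source code.
SPECIAL = set("!@#$%^&*,+<>:;")  # special characters listed in the article

def char_class(ch):
    """Map one character to one of the five character sets."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    if ch in SPECIAL:
        return "special"
    return "punctuation"  # assumption: anything else counts as punctuation

def count_transitions(password):
    """set-transitions: adjacent character pairs whose character set differs."""
    classes = [char_class(c) for c in password]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)

def count_character_sets(password):
    """character-sets: number of distinct character sets used."""
    return len({char_class(c) for c in password})

def check_password(password, minimum_length=10, maximum_length=22,
                   change_type="set-transitions", minimum_changes=4):
    """Return a list of unmet requirements (an empty list means accepted)."""
    problems = []
    if len(password) < minimum_length:
        problems.append("shorter than minimum-length %d" % minimum_length)
    if len(password) > maximum_length:
        problems.append("longer than maximum-length %d" % maximum_length)
    if change_type == "set-transitions":
        changes = count_transitions(password)
    else:
        changes = count_character_sets(password)
    if changes < minimum_changes:
        problems.append("%d changes, %d required" % (changes, minimum_changes))
    return problems

if __name__ == "__main__":
    # The four passwords used in the article's examples
    for pw in ("JuN!p3R", "JuN!p3R" * 4, "JUNIPER123", "JuN!p3R123"):
        print(pw, count_transitions(pw), check_password(pw) or "accepted")
```

Passing change_type="character-sets" shows how the two modes differ: JUNIPER123 uses two character sets but contains only one transition.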
2020-03-26: Article reviewed for accuracy; it is valid and accurate