Information
It is important to use secure and complex passwords to prevent unauthorized access to the FortiGate device.
Rationale:
Attackers can use brute-force password software to launch more than just dictionary attacks; such attacks can also discover common passwords in which a letter has been replaced by a number or symbol.
Impact:
Weak passwords can be easily discovered by attackers, which leads to unauthorized access to the FortiGate; depending on the access privilege of the compromised account, the attacker may modify the settings.
Solution
The password policy can be modified from the CLI or the GUI.
From the CLI, do the following:
config system password-policy
set status enable
set apply-to admin-password ipsec-preshared-key
set minimum-length 8
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 90
set reuse-password disable
end
Or from the GUI, do the following:
1) Log in to the FortiGate as Super Admin
2) Go to 'System' -> 'Settings'
3) Find the 'Password Policy' section
4) The default 'Password scope' is 'Off'; change it to 'Both'
5) Set 'Minimum length' to '8'
6) Enable 'Character requirements'
7) Set a minimum of '1' in each of the fields 'Upper Case', 'Lower Case', 'Numbers (0-9)' and 'Special'
8) Disable 'Allow password reuse'
9) Enable 'Password expiration' and set it to 90 days
Default Value:
By default, the password policy is disabled. This can be checked from the CLI as follows:
config system password-policy
set status disable
end
Or from the GUI as follows:
1) Log in to the FortiGate as Super Admin
2) Go to 'System' -> 'Settings'
3) Find the 'Password Policy' section
4) The default 'Password scope' is 'Off'
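To verify a device against the values given in the Solution section, the following added Python check (not part of this document or of Fortinet's tooling) parses the output of `show full-configuration system password-policy` and reports every setting that falls short of the benchmark; the sample output embedded below is constructed, and the thresholds are assumed to allow stricter values than the ones listed.

```python
import re

# Benchmark values from the Solution section above. Option lists must contain every
# listed option; numbers are minimums, except expire-day, which is a maximum.
EXPECTED = {
    "status": "enable", "apply-to": {"admin-password", "ipsec-preshared-key"},
    "minimum-length": 8, "min-lower-case-letter": 1, "min-upper-case-letter": 1,
    "min-non-alphanumeric": 1, "min-number": 1, "expire-status": "enable",
    "expire-day": 90, "reuse-password": "disable",
}

# Constructed sample of `show full-configuration system password-policy` output
# (full-configuration prints default values too): the policy was enabled, but the
# character, expiry and reuse settings were left at their defaults.
SAMPLE = """\
config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 8
    set min-lower-case-letter 0
    set min-upper-case-letter 0
    set min-non-alphanumeric 0
    set min-number 0
    set expire-status disable
    set expire-day 90
    set reuse-password enable
end
"""

def parse_policy(text):  # map each `set <key> <value...>` line to its value string
    return dict(re.findall(r"^\s*set\s+(\S+)\s+(.+?)\s*$", text, re.M))

def audit_policy(text):
    """Return a list of findings; an empty list means the policy meets the benchmark."""
    got = parse_policy(text)
    if got.get("status") != "enable":  # the default block has only `set status disable`
        return ["status: %s (policy not enforced)" % got.get("status", "not set")]
    findings = []
    for key, want in EXPECTED.items():
        actual = got.get(key)
        if actual is None:
            findings.append(f"{key}: not set")
        elif isinstance(want, set) and not want <= set(actual.split()):
            findings.append(f"{key}: {actual}, want {' '.join(sorted(want))}")
        elif isinstance(want, int) and (int(actual) > want if key == "expire-day" else int(actual) < want):
            findings.append(f"{key}: {actual}, want {'<=' if key == 'expire-day' else '>='} {want}")
        elif isinstance(want, str) and actual != want:
            findings.append(f"{key}: {actual}, want {want}")
    return findings
```

Run `audit_policy()` on the captured output of a real device; it returns one line per non-compliant setting, so an empty list is the pass condition.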