6.6.10 Ensure at least 4 set changes in local passwords

Information

Passwords for local user accounts must be configured to require at least 4 character set changes.

Rationale:

Weak passwords on local user accounts present a serious threat to the security of any device, allowing malicious user access through simple dictionary or brute force attacks.

Fortunately JUNOS provides a mechanism for enforcing complexity requirements when new passwords are initially set in plain-text.

Secure passwords should contain characters from at least 4 different character sets (Upper case letters, Lower case letters, Numbers, Punctuation and Special Characters) and JUNOS should be configured to force users' passwords to meet this requirement.

Solution

Configure the minimum character set changes using the following command under the [edit system] hierarchy:

[edit system]
user@host#set login passwords minimum-changes 4

Default Value:

For routers running JUNOS the default is minimum changes is 1. For routers running JUNOS FIPS the default is 3.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|11

Plugin: Juniper

Control ID: 7ffb66f77bdb3c5b8a51f4442cafc22b83cddac12b9b5a799f5dbd7c9f0081ac