1.3.1 Ensure 'Minimum Password Complexity' is enabled

Information

This checks all new passwords to ensure that they meet basic requirements for strong passwords.

Rationale:

Password complexity recommendations are derived from the USGCB (United States Government Configuration Baseline), Common Weakness Enumeration, and benchmarks published by the CIS (Center for Internet Security). Password complexity adds entropy to a password, in comparison to a simple password of the same length. A complex password is more difficult to attack, either directly against administrative interfaces or cryptographically, against captured password hashes. However, making a password of greater length will generally have a greater impact in this regard, in comparison to making a shorter password more complex.

Solution

Navigate to Device > Setup > Management > Minimum Password Complexity.
Check the Enabled box.
Set the various password settings to values that are appropriate to your organization. It is suggested that at least some special characters be enforced and that a minimum length be set. Ensure that non-zero values are set for Minimum Uppercase, Lowercase and Special Characters. 'Block Username Inclusion' should be enabled.
Operationally, dictionary words should be avoided for all passwords - passphrases are a much better alternative.
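As an added illustration (not PAN-OS code; the firewall performs these checks itself once the setting is enabled), the following Python models the policy described above and adds a rough entropy estimate that backs the Rationale's point that length usually counts for more than complexity. The thresholds, the special-character set (string.punctuation) and the case-insensitive substring semantics of 'Block Username Inclusion' are assumptions, since the page does not state them.

```python
import math
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class ComplexityPolicy:
    """Settings mirroring the recommendation; thresholds are constructed samples."""
    enabled: bool = True
    minimum_length: int = 12           # assumed sample value, set per organization
    minimum_uppercase: int = 1         # page: non-zero for upper, lower and special
    minimum_lowercase: int = 1
    minimum_special: int = 1
    block_username_inclusion: bool = True


def check_password(password: str, username: str, policy: ComplexityPolicy) -> list[str]:
    """Return the policy failures; an empty list means the password is accepted."""
    if not policy.enabled:             # the default on the page: nothing is checked
        return []
    failures = []
    if len(password) < policy.minimum_length:
        failures.append(f"shorter than {policy.minimum_length} characters")
    if sum(c.isupper() for c in password) < policy.minimum_uppercase:
        failures.append(f"fewer than {policy.minimum_uppercase} uppercase letters")
    if sum(c.islower() for c in password) < policy.minimum_lowercase:
        failures.append(f"fewer than {policy.minimum_lowercase} lowercase letters")
    if sum(c in string.punctuation for c in password) < policy.minimum_special:
        failures.append(f"fewer than {policy.minimum_special} special characters")
    # Assumed semantics: the username may not appear anywhere, ignoring case.
    if policy.block_username_inclusion and username and username.lower() in password.lower():
        failures.append("contains the username")
    return failures


def estimated_entropy_bits(password: str) -> float:
    """Upper bound log2(pool ** length) for the character classes actually present."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII punctuation characters
    return len(password) * math.log2(pool) if pool else 0.0
```

Comparing estimated_entropy_bits on an 11-character four-class password with a 25-character lowercase passphrase shows the longer, simpler one carrying more bits, which is why the Solution recommends passphrases.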

Impact:

Simple passwords make an attacker's job very easy. There is a reasonably short list of commonly used admin passwords for network infrastructure; not enforcing password length and complexity makes an attacker's brute-force attack more likely to succeed.

Default Value:

Not enabled.

References:

'PAN-OS Administrator's Guide 9.0 (English) - Best Practices for Securing Administrative Access' - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.html

See Also

https://workbench.cisecurity.org/files/2692