Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode
Ensure that the NFX250 device is in FIPS mode before you configure the Crypto Officer or any users. All passwords established for users by the Crypto Officer must conform to the following Junos OS in FIPS mode requirements. Attempts to configure passwords that do not conform to the following specifications result in an error.
Length. Passwords must contain between 10 and 20 characters.
Character set requirements. Passwords must contain at least three of the following five defined character sets:
Keyboard characters not included in the other four sets—such as the percent sign (%) and the ampersand (&)
Authentication requirements. All passwords and keys used to authenticate peers must contain at least 10 characters, and in some cases the number of characters must match the digest size. .
Guidelines for strong passwords. Strong, reusable passwords can be based on letters from a favorite phrase or word and then concatenated with other unrelated words, along with added digits and punctuation. In general, a strong password is:
Easy to remember so that users are not tempted to write it down.
Made up of mixed alphanumeric characters and punctuation. For FIPS compliance include at least one change of case, one or more digits, and one or more punctuation marks.
Not divulged to anyone.
Characteristics of weak passwords. Do not use the following weak passwords:
Words that might be found in or exist as a permuted form in a system files such as /etc/passwd.
The hostname of the system (always a first guess).
Any word or phrase that appears in a dictionary or other well-known source, including dictionaries and thesauruses in languages other than English; works by classical or popular writers; or common words and phrases from sports, sayings, movies or television shows.
Permutations on any of the above—for example, a dictionary word with letters replaced with digits (root) or with digits added to the end.
Any machine-generated password. Algorithms reduce the search space of password-guessing programs and so must not be used.