
Special Requirements for Junos OS Plain-Text Passwords

 

Junos OS has special requirements when you create plain-text passwords on a router or switch. Table 1 shows the default requirements.

Table 1: Special Requirements for Plain-Text Passwords

| Junos OS | Junos-FIPS |
| --- | --- |
| The password must be between 6 and 128 characters long. | FIPS passwords must be between 10 and 20 characters long. |
| You can include most character classes in a password (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters). Control characters are not recommended. | You can include most character classes in a password (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters). Control characters are not recommended. |
| Valid passwords must contain at least one change of case or character class. | Passwords must use at least three of the five defined character classes (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters). |

You can change the requirements for plain-text passwords.

Junos OS supports the following five character classes for plain-text passwords:

  • Lowercase letters

  • Uppercase letters

  • Numbers

  • Punctuation

  • Special characters

Control characters are not recommended.

For Junos OS Release 12.3X48 and later releases and in Junos OS with upgraded FreeBSD, all printable characters other than alphanumeric characters and space (" ") are treated as punctuation. Space (" ") is considered a special character. Table 2 lists the punctuation characters and the special character.

Table 2: Punctuation Characters and Special Character in Junos OS

| Character Set | Characters |
| --- | --- |
| Punctuation characters | ! " # $ ' % & ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ \| ` { } ~ |
| Special character | space (" ") |

For information on releases supporting Junos OS with upgraded FreeBSD, see Upgrading Junos OS with Upgraded FreeBSD.

You can include the plain-text-password statement at the following hierarchy levels:

  • [edit system diag-port-authentication]

  • [edit system pic-console-authentication]

  • [edit system root-authentication]

  • [edit system login user username authentication]

    The change-type statement specifies whether the password is checked for the following:

    • The total number of character sets used (character-set)

    • The total number of character set changes (set-transitions)

    For example, the following password:

    has four character sets (uppercase letters, lowercase letters, special characters, and numbers) and seven character set changes (My, yP, Pa, sW, Wd, d@, and @2).

    The change-type statement is optional. If you omit the change-type option, Junos-FIPS plain-text passwords are checked for character sets, and Junos OS plain-text passwords are checked for character set changes.

    The minimum-changes statement specifies how many character sets or character set changes are required for the password. This statement is optional. If you do not use the minimum-changes statement, character sets are not checked for Junos OS. If the change-type statement is configured for the character-set option, then the minimum-changes value must be 5 or less, because Junos OS only supports five character sets.

    The format statement specifies the hash algorithm (md5, sha1, sha256, sha512 or des) for authenticating plain-text passwords. This statement is optional. For Junos OS, the default format is md5. For Junos-FIPS, only sha1 is supported.

    Note

    Starting with Junos OS Release 13.3, the sha1 format does not enable secure, protected specification of passwords. Instead, you can use sha256 or sha512 to specify passwords. Using a 256-bit or 512-bit cryptographic hash algorithm results in robust and reliable operation. Additionally, starting with Junos OS Release 17.1, user passwords default to sha512 cryptographic hashing.

    The maximum-length statement specifies the maximum number of characters allowed in a password. This statement is optional. By default, Junos OS passwords have no maximum; however, only the first 128 characters are significant. Junos-FIPS passwords must be 20 characters or less. The range for Junos OS maximum-length passwords is from 20 to 128 characters.

    The minimum-length statement specifies the minimum number of characters required for a password. This statement is optional. By default, Junos OS passwords must be at least 6 characters long, and Junos-FIPS passwords must be at least 10 characters long. The range is from 6 to 20 characters.
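
The character-set and set-transitions counts and the length limits described above can be checked offline before a password is set on a device. The following is an added example, not Juniper code: the function names, the POLICIES table (defaults transcribed from Table 1 and the prose on this page) and the sample passwords are assumptions, and the first sample is constructed to produce the seven character set changes listed in the example sentence above.

```python
import string

PUNCTUATION = set(string.punctuation)  # same 32 symbols as Table 2

def char_class(ch):
    """Classify one character using the Release 12.3X48+ rule described on this page."""
    if ch in string.ascii_lowercase:
        return "lowercase"
    if ch in string.ascii_uppercase:
        return "uppercase"
    if ch in string.digits:
        return "number"
    if ch in PUNCTUATION:
        return "punctuation"
    if ch == " ":
        return "special"
    return "other"  # control or non-ASCII: outside the five classes

def analyze(password):
    """Return (character sets used, character set changes between neighbours)."""
    classes = [char_class(c) for c in password]
    sets_used = len(set(classes) - {"other"})
    transitions = sum(a != b for a, b in zip(classes, classes[1:]))
    return sets_used, transitions

# Assumed defaults, transcribed from Table 1 and the prose (not read from a device).
POLICIES = {
    "junos": {"min": 6, "max": 128, "change_type": "set-transitions", "min_changes": 1},
    "junos-fips": {"min": 10, "max": 20, "change_type": "character-set", "min_changes": 3},
}

def check(password, policy):
    """Return a list of reasons the password fails the named policy (empty = passes)."""
    p = POLICIES[policy]
    problems = []
    if not p["min"] <= len(password) <= p["max"]:
        problems.append(f"length {len(password)} outside {p['min']}-{p['max']}")
    if any(char_class(c) == "other" for c in password):
        problems.append("control or non-ASCII character (not recommended)")
    sets_used, transitions = analyze(password)
    got = sets_used if p["change_type"] == "character-set" else transitions
    if got < p["min_changes"]:
        problems.append(f"{p['change_type']} {got} < {p['min_changes']}")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords, not taken from any device or from the page.
    for pw in ("MyPassWd@2", "password", "abcdefghij1"):
        print(repr(pw), analyze(pw), check(pw, "junos"), check(pw, "junos-fips"))
```

A password such as "abcdefghij1" satisfies the default Junos OS transition check with a single change yet fails the Junos-FIPS character-set check, which is the practical difference between the two change-type options.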

    Changes to password requirements do not take effect until the configuration is committed. When requirements change, only newly created, plain-text passwords are checked; existing passwords are not checked against the new requirements.

    The default configuration for Junos OS plain-text passwords is:

    The default configuration for Junos-FIPS plain-text passwords is:

Release History Table
Release
Description
Starting with Junos OS Release 13.3, the sha1 format does not enable secure, protected specification of passwords. Instead, you can use sha256 or sha512 to specify passwords.