Password Rules for an Authorized Administrator

Ensure that the device is in FIPS mode before you configure the security administrator or any users. All passwords that the security administrator establishes for users must conform to the Junos OS FIPS-mode requirements in Table 1. Attempts to configure passwords that do not conform to these specifications result in a commit error.

Table 1: Password Specifications and Guidelines

Length

Passwords must contain at least 10 characters.

Character set

Passwords must contain characters from at least three of the following five character sets:

  • Uppercase letters

  • Lowercase letters

  • Digits

  • Punctuation marks

  • Keyboard characters not included in the other four sets; these are the percent sign (%) and the ampersand (&).

    Note:

    Avoid control characters in passwords.

Authentication

All passwords and keys used to authenticate peers must contain at least 10 characters. In some cases, the number of characters must match the digest size.

Password encryption

To change the default password hashing method (SHA512), include the format statement at the [edit system login password] hierarchy level.

Configure Password Rules for an Authorized Administrator

Authentication data for fixed password authentication is a case-sensitive value containing a combination of alphanumeric characters and the following special characters: !, @, #, $, %, ^, &, *, (, ), ~, ,, ,, ., /, :, ;, _, +, -, =, {, }, [, ], |, <, >, , , \, and ?. The administrator must configure the password complexity requirements manually in the CLI, at the set system login password configuration hierarchy, according to the following specifications:

  • Define the minimum password length as 10 characters. The default value is 10 in FIPS mode if not explicitly configured. A minimum length of 15 characters is recommended in the CC configuration.

  • Configure passwords to contain at least one character from each of the four character sets (uppercase letters, lowercase letters, digits, and special characters).

  • Set the hashing algorithm for user passwords to either SHA512 or SHA256. SHA512 is the default hashing algorithm.

  • Commit the configuration.

    Note:

    The device supports ECDSA (P-256, P-384, and P-521) and RSA (2048, 3072, and 4096 modulus bit length) key types.

    The new hash algorithm applies only to passwords generated after this configuration is committed; existing users keep their current hash until their password is changed.
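The following Python script is added here as an example and is not Junos code or part of the Junos CLI. It checks a candidate administrator password against the Table 1 rules (at least 10 characters, at least three of the five character sets, no control characters) and against the stricter profile from the configuration steps above (at least one character from each of four sets, with 15 characters as the recommended CC minimum). The split of ASCII punctuation into "punctuation" and the two "keyboard characters" (% and &), and the reading of "special characters" as either of those two sets, are assumptions taken from the page; run the check before pushing a password so the commit does not fail.

```python
"""Check candidate administrator passwords against the Junos FIPS-mode rules
in Table 1 and the stricter profile from the configuration section above.

Added example; this is not Junos code. Assumptions: "punctuation" means the
ASCII punctuation set minus % and &, which the page lists as a separate
"keyboard characters" set, and "special characters" in the stricter profile
means punctuation or keyboard characters.
"""

import string
import unicodedata

KEYBOARD = frozenset("%&")                              # Table 1, fifth set
PUNCTUATION = frozenset(string.punctuation) - KEYBOARD  # Table 1, fourth set

CHARACTER_SETS = {
    "uppercase": frozenset(string.ascii_uppercase),
    "lowercase": frozenset(string.ascii_lowercase),
    "digits": frozenset(string.digits),
    "punctuation": PUNCTUATION,
    "keyboard": KEYBOARD,
}


def sets_used(password):
    """Names of the Table 1 character sets that the password draws from."""
    return {name for name, chars in CHARACTER_SETS.items()
            if any(c in chars for c in password)}


def has_control_chars(password):
    """True if any character is a Unicode control character (Cc), e.g. TAB or NUL."""
    return any(unicodedata.category(c) == "Cc" for c in password)


def check_fips(password, minimum_length=10, minimum_sets=3):
    """Table 1 rules: return a list of violations; an empty list means the
    password would be accepted in FIPS mode."""
    problems = []
    if len(password) < minimum_length:
        problems.append(f"only {len(password)} characters; at least {minimum_length} required")
    used = sets_used(password)
    if len(used) < minimum_sets:
        problems.append(f"uses {len(used)} of {len(CHARACTER_SETS)} character sets; "
                        f"at least {minimum_sets} required")
    if has_control_chars(password):
        problems.append("contains control characters")
    return problems


def check_strict(password, minimum_length=15):
    """Stricter profile from the configuration section: at least one character
    from each of uppercase, lowercase, digits and special characters. The
    FIPS default length is 10; 15 is the page's recommendation for the CC
    configuration, so it is the default here."""
    problems = check_fips(password, minimum_length=minimum_length, minimum_sets=0)
    used = sets_used(password)
    missing = [name for name in ("uppercase", "lowercase", "digits") if name not in used]
    if not used & {"punctuation", "keyboard"}:
        missing.append("special characters")
    if missing:
        problems.append("missing character set(s): " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    for candidate in ("Abc1234567", "abcdefghij", "Correct#Horse42Battery"):
        print(f"{candidate!r}: FIPS {check_fips(candidate) or 'ok'}; "
              f"strict {check_strict(candidate) or 'ok'}")
```

A password such as Abc1234567 passes the Table 1 check (10 characters, three sets) but fails the stricter profile twice: it has no special character and is shorter than the recommended 15, which is exactly the gap between the FIPS default and the CC configuration that the steps above describe.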

Guidelines for Strong Passwords and Characteristics of Weak Passwords

Table 2 summarizes the guidelines for strong passwords and the characteristics of weak passwords.

Table 2: Guidelines for Strong Passwords and Characteristics of Weak Passwords

Guidelines for Strong Passwords

  • You can create strong and reusable passwords by taking letters from a favorite phrase or word and concatenating them with unrelated words, digits, and punctuation marks.

  • Strong passwords are made up of alphanumeric characters and punctuation. For FIPS compliance, include at least one change of case, one or more digits, and one or more punctuation marks in the password.

  • Strong passwords are easy to remember, so that you are not tempted to write them down.

  • Change passwords periodically.

  • Do not disclose passwords to anyone.

  • To protect user credentials, the login system masks characters during password input, so that nothing on the screen reveals what was typed. This is the default behavior and requires no additional configuration.

Characteristics of Weak Passwords

Weak passwords typically exhibit characteristics that make them easy to guess or crack, compromising the security of an account or system. Avoid passwords that are:

  • Words that might be found, or exist in a permuted form, in a system file such as /etc/passwd.

  • The hostname of the system (always a first guess).

  • Any word or phrase that appears in a dictionary or another well-known source, including dictionaries and thesauruses in languages other than English; works by classical or popular writers; or common words and phrases from sports, sayings, movies, or television shows.

  • Permutations of any of the words or phrases above, for example a dictionary word with letters replaced by digits (r00t) or with digits added at the end of the word.

  • Any machine-generated password produced by a predictable algorithm, because the algorithm reduces the search space of password-guessing programs.
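The following Python script is added here as an example and is not Junos code. It applies the weak-password characteristics of Table 2 to a candidate password: it flags the system hostname, words taken from a dictionary or from passwd-format lines, and the simple permutations the table describes (letters swapped for digits as in r00t, digits or punctuation appended, the word reversed). The hostname, the word list and the passwd lines are constructed samples, and the substitution table and end-stripping rule are assumptions about what a guessing program would try; in practice you would feed it the real hostname, a real word list and the device's own account names.

```python
"""Flag the weak-password characteristics from Table 2: the system hostname,
words that appear in a dictionary or in a system file such as /etc/passwd,
and simple permutations of those words (letters swapped for digits as in
r00t, digits or punctuation appended, the word reversed).

Added example; not Junos code. The hostname, word list and passwd-format
lines below are constructed samples, and the leetspeak table and the
"strip digits from the ends" rule are assumptions about what a guessing
program would try."""

import re

HOSTNAME = "edge-fw01"  # constructed sample hostname
DICTIONARY = {"password", "admin", "juniper", "welcome", "dragon", "monkey"}  # constructed
PASSWD_LINES = """root:x:0:0:root:/root:/bin/sh
netops:x:1001:1001:Network Operations:/home/netops:/bin/sh
remote:x:1002:1002:Remote Support:/home/remote:/bin/sh"""  # constructed

# Common digit/symbol-for-letter substitutions, reversed so that r00t -> root.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def words_from_passwd(text):
    """Login names and GECOS words from passwd-format lines, lower-cased."""
    words = set()
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        words.add(fields[0].lower())
        words.update(w.lower() for w in re.findall(r"[A-Za-z]+", fields[4]))
    return words


def candidate_forms(password):
    """Forms a guessing program would derive from the password: lower-cased,
    with digits and punctuation stripped from both ends, with leetspeak
    undone, and each of those reversed."""
    lower = password.lower()
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lower)
    forms = {lower, stripped, lower.translate(LEET), stripped.translate(LEET)}
    forms |= {f[::-1] for f in forms}
    return {f for f in forms if f}


def weak_reasons(password, hostname=HOSTNAME, dictionary=DICTIONARY,
                 passwd_text=PASSWD_LINES):
    """Return the Table 2 weaknesses the password exhibits (empty if none)."""
    reasons = []
    lower = password.lower()
    # The hostname itself, or any alphabetic component of it (edge-fw01 -> edge).
    host_parts = {hostname.lower()} | {
        p for p in re.findall(r"[a-z]+", hostname.lower()) if len(p) >= 3}
    if any(part in lower for part in host_parts):
        reasons.append("derived from the system hostname")
    forms = candidate_forms(password)
    if forms & words_from_passwd(passwd_text):
        reasons.append("matches a word from a system file such as /etc/passwd")
    if forms & dictionary:
        reasons.append("dictionary word or a simple permutation of one")
    return reasons


if __name__ == "__main__":
    for candidate in ("r00t", "P@ssw0rd2024", "Edge-FW01!x", "Correct#Horse42Battery"):
        print(f"{candidate!r}: {weak_reasons(candidate) or 'no Table 2 weakness found'}")
```

The check is deliberately run on the normalised forms rather than the literal password: P@ssw0rd2024 satisfies every Table 1 character-set rule yet collapses to "password" once the substitutions are undone and the trailing digits are dropped, which is the kind of permutation Table 2 warns against.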