Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Associated Password Rules for an Authorized Administrator Overview

An account for root is always present in a configuration and is not intended for use in normal operation. In the evaluated configuration, the root account is restricted to the initial installation and configuration of the evaluated device.

The authorized administrator is associated with a defined login class, and the administrator is assigned with all permissions. Data is stored locally for fixed password authentication.

Note:

Do not use control characters in passwords.

Use the following guidelines and configuration options for passwords and when selecting passwords for authorized administrator accounts. Passwords should be:

  • Easy to remember so that users are not tempted to write it down.

  • Changed periodically.

  • Private and not shared with anyone.

  • Contain a minimum of 10 characters. The minimum password length is 10 characters.

  • Include both alphanumeric and punctuation characters, composed of any combination of upper and lowercase letters, numbers, and special characters such as, “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, and “)”. There should be at least a change in one case, one or more digits, and one or more punctuation marks.

  • Contain character sets. Valid character sets include uppercase letters, lowercase letters, numbers, punctuation, and other special characters.

  • Contain the minimum number of character sets or character set changes. The minimum number of character sets required in plain-text passwords in Junos FIPS is 3.

  • The hashing algorithm for user passwords can be either SHA256 or SHA512 (SHA512 is the default hashing algorithm).

  • If you are finished configuring the device, commit the configuration:

Note:

The device supports ECDSA (P-256, P-384, and P-521) and RSA (2048, 3072, and 4092 modulus bit length) key-types.

Note:

The new hash algorithm affect only those passwords that are generated after commit.

Weak passwords are:

  • Words that might be found in or exist as a permuted form in a system file such as /etc/passwd.

  • The hostname of the system (always a first guess).

  • Any words appearing in a dictionary. This includes dictionaries other than English, and words found in works such as Shakespeare, Lewis Carroll, Roget's Thesaurus, and so on. This prohibition includes common words and phrases from sports, sayings, movies, and television shows.

  • Permutations on any of the above. For example, a dictionary word with vowels replaced with digits (for example f00t) or with digits added to the end.

  • Any machine-generated passwords. Algorithms reduce the search space of password-guessing programs and so should not be used.

Strong reusable passwords can be based on letters from a favorite phrase or word, and then concatenated with other, unrelated words, along with additional digits and punctuation.

Related Documentation