Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode
Ensure that the NFX device is in FIPS mode before the administrator configures the Security Admin or any other users. All passwords established for users by the Security Admin must conform to the following Junos OS in FIPS mode requirements. Attempts to configure passwords that do not conform to these specifications result in an error.
Authentication data for fixed password authentication is a case-sensitive value containing a combination of alphanumeric characters and the following special characters: ! @ # $ % ^ & * ( ) " ' + , - . / : ; < = > ? [ \ ] _ ` { | } ~. The password complexity requirements must be configured manually by the administrator through the CLI, using the 'set system login password' configuration hierarchy, according to the following specifications:
- Minimum length: range 6 to 20 characters (default value set to 10 in FIPS mode if not explicitly configured). A minimum length of 15 characters is recommended when the device is used in a CC configuration.
  [edit]
  root@host:fips# set system login password minimum-length 15
- Passwords must be configured to contain at least one character from each of the character sets (uppercase, lowercase, numeric, and special characters):
  [edit]
  root@host:fips# set system login password minimum-upper-cases 1
  root@host:fips# set system login password minimum-lower-cases 1
  root@host:fips# set system login password minimum-numerics 1
  root@host:fips# set system login password minimum-punctuations 1
- Maximum length (optional): range 20 through 128 characters (default value set to 128 if not explicitly configured).
Configure the hashing algorithm used for password storage as <sha256|sha512>.
[edit]
root@host:fips# set system login password format <sha256|sha512>
The device supports ECDSA (P-256, P-384, and P-521) and RSA (2048, 3072, and 4092 modulus bit length) key types.
The new hash algorithm affects only those passwords that are generated after the commit; existing password hashes are not rewritten.
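The following Python checker, added here as an example rather than Juniper's own code, applies the password specification above offline: it carries the same knobs as the 'set system login password' hierarchy (with the FIPS-mode defaults and the 6..20 / 20..128 ranges), enforces one character from each class, and rejects characters outside the permitted special-character set. Names such as LoginPasswordPolicy and check_password are this example's own.

```python
from dataclasses import dataclass
from typing import List

# Special characters permitted in a Junos OS FIPS-mode password, as listed on this page.
FIPS_SPECIAL_CHARS = frozenset('!@#$%^&*()"\'+,-./:;<=>?[\\]_`{|}~')


@dataclass(frozen=True)
class LoginPasswordPolicy:
    """Mirrors the 'set system login password ...' knobs (hypothetical class name)."""
    minimum_length: int = 10        # FIPS-mode default when not configured; 15 recommended for CC
    maximum_length: int = 128       # default when not configured
    minimum_upper_cases: int = 1
    minimum_lower_cases: int = 1
    minimum_numerics: int = 1
    minimum_punctuations: int = 1

    def __post_init__(self):
        # Same ranges the CLI accepts for these two knobs.
        if not 6 <= self.minimum_length <= 20:
            raise ValueError("minimum-length must be in the range 6..20")
        if not 20 <= self.maximum_length <= 128:
            raise ValueError("maximum-length must be in the range 20..128")


def check_password(password: str, policy: LoginPasswordPolicy = LoginPasswordPolicy()) -> List[str]:
    """Return the list of policy violations; an empty list means the password conforms."""
    problems: List[str] = []
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than minimum-length {policy.minimum_length}")
    if len(password) > policy.maximum_length:
        problems.append(f"longer than maximum-length {policy.maximum_length}")

    # Only ASCII letters, ASCII digits and the listed special characters are allowed.
    disallowed = sorted({c for c in password
                         if not ('A' <= c <= 'Z' or 'a' <= c <= 'z' or '0' <= c <= '9')
                         and c not in FIPS_SPECIAL_CHARS})
    if disallowed:
        problems.append("characters outside the permitted set: " + " ".join(repr(c) for c in disallowed))

    # One counter per character class, keyed by the CLI knob it corresponds to.
    counts = {
        "minimum-upper-cases": (sum('A' <= c <= 'Z' for c in password), policy.minimum_upper_cases),
        "minimum-lower-cases": (sum('a' <= c <= 'z' for c in password), policy.minimum_lower_cases),
        "minimum-numerics": (sum('0' <= c <= '9' for c in password), policy.minimum_numerics),
        "minimum-punctuations": (sum(c in FIPS_SPECIAL_CHARS for c in password), policy.minimum_punctuations),
    }
    for knob, (have, need) in counts.items():
        if have < need:
            problems.append(f"{knob} {need} not met (found {have})")
    return problems
```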
Guidelines for strong passwords
Strong, reusable passwords can be based on letters from a favorite phrase or word and then concatenated with other unrelated words, along with added digits and punctuation. In general, a strong password is:
- Easy to remember, so that users are not tempted to write it down.
- Made up of mixed alphanumeric characters and punctuation. For FIPS compliance, include at least one change of case, one or more digits, and one or more punctuation marks.
- Changed periodically.
- Not divulged to anyone.
Characteristics of weak passwords. Do not use the following as passwords:
- Words that might be found in, or exist as a permuted form in, system files such as /etc/passwd.
- The hostname of the system (always a first guess).
- Any word or phrase that appears in a dictionary or other well-known source, including dictionaries and thesauruses in languages other than English; works by classical or popular writers; or common words and phrases from sports, sayings, movies, or television shows.
- Permutations of any of the above, for example a dictionary word with letters replaced by digits (root) or with digits added to the end.
- Any machine-generated password. Algorithms reduce the search space of password-guessing programs and so must not be used.