Manual Chapter : About secure password policy enforcement

Applies To:

Show Versions Show Versions


  • 16.0.1, 16.0.0, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
Manual Chapter

About secure password policy enforcement

In versions of BIG-IP prior to 14.0.0, Secure Password Policy is available but not enabled. Beginning with BIG-IP version 14.0.0, Secure Password Policy is enabled by default. This means that on new installations, the passwords for root and admin accounts are expired and must be changed upon initial login. This only applies to new installations and does not apply to upgrades or UCS load. Password policy settings from the UCS file are imported, so if you load a UCS from an 13.1 (or earlier) onto version 14.0 and the password policy was set to disabled in that UCS, then the password policy will be disabled on version 14.0.
When you login to either the admin or root account, you will be prompted to change the password. Whichever account password you change first will also set the password for the other account. For example, if on a new installation you change the admin password for the first time, the root password will also be changed. This is a one-time event; meaning that future changes to the root password will not affect the password for the admin user ID.
During an upgrade, the password policy settings from the previous version are rolled forward. This means that you will not encounter the secure password policy enforcement settings if you are upgrading; only on new installations or on a reset to factory default.
The new password must be more than 6 characters long and must pass basic pam_cracklib checks including:
  • cannot be a dictionary word
  • cannot be a palindrome of the old password
  • cannot be a case change only of an older password
  • cannot be a rotated version of the old password
  • cannot be too similar to the old password
  • cannot be too simple