Manual Chapter: About secure password policy enforcement
Applies To:
BIG-IP LTM
- 16.0.1, 16.0.0, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
In versions of BIG-IP prior to 14.0.0, Secure Password Policy is available but
not enabled. Beginning with BIG-IP version 14.0.0, Secure Password Policy is enabled by
default. This means that on new installations, the passwords for root and admin
accounts are expired and must be changed upon initial login. This only applies to new
installations and does not apply to upgrades or UCS load. Password policy settings from
the UCS file are imported, so if you load a UCS from version 13.1 (or earlier) onto version
14.0 and the password policy was set to disabled in that UCS, then the password policy
will be disabled on version 14.0.
When you log in to either the admin or root account, you will be
prompted to change the password. Whichever account password you change first will also
set the password for the other account. For example, if on a new installation you change
the admin password for the first time, the root password will also be changed. This is a
one-time event, meaning that future changes to the root password will not affect the
password for the admin user ID.
During an upgrade, the password policy settings from the previous version are rolled
forward. This means that you will not encounter the secure password policy enforcement
settings if you are upgrading; only on new installations or on a reset to factory
default.
The new password must be more than 6 characters long and must pass
basic pam_cracklib checks including:
- cannot be a dictionary word
- cannot be a palindrome of the old password
- cannot be a case change only of an older password
- cannot be a rotated version of the old password
- cannot be too similar to the old password
- cannot be too simple
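
The following Python example is added here and is neither F5's nor pam_cracklib's code: it approximates the checks listed above so that a candidate password can be screened against the old one before it is submitted. The word list, the `MIN_DIFFERENT` and `MIN_CLASSES` thresholds, and all function names are assumptions.

```python
# Added illustration: approximates the listed checks. It is not pam_cracklib's
# implementation, and the thresholds and word list below are assumptions.
SAMPLE_WORDS = {"password", "welcome", "dragon"}  # constructed stand-in for a cracklib dictionary
MIN_DIFFERENT = 5  # assumed: minimum edit distance from the old password
MIN_CLASSES = 2    # assumed: minimum character classes for "not too simple"

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def char_classes(pw):
    """Count how many of lower/upper/digit/symbol appear in pw."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)

def check_password(old, new):
    """Return the reasons `new` would be rejected (empty list = acceptable)."""
    o, n = old.lower(), new.lower()
    reasons = []
    if len(new) <= 6:                      # must be more than 6 characters
        reasons.append("too short")
    if n in SAMPLE_WORDS:
        reasons.append("dictionary word")
    if n == o[::-1]:                       # old password written backwards
        reasons.append("palindrome of old password")
    if n == o:                             # identical once case is ignored
        reasons.append("case change only")
    elif len(n) == len(o) and n in o + o:  # any rotation of s occurs inside s+s
        reasons.append("rotated old password")
    elif edit_distance(o, n) < MIN_DIFFERENT:
        reasons.append("too similar to old password")
    if char_classes(new) < MIN_CLASSES:
        reasons.append("too simple")
    return reasons
```

The real module decides acceptance on the BIG-IP system itself; a clean result here only means the candidate avoids the obvious rejections.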