1.1.3 Configure Secure Password Policy - Ensure Maximum Login Failures

Information

To assist users in maintaining strong passwords, ensure that passwords are changed at appropriate intervals and that new passwords are used.

Rationale:

Having a weak or non-existent password policy will allow users to use weak or easily cracked passwords.

Impact:

Without proper password management, users are more likely to select weak passwords or forget complex ones. This creates security risk, because such passwords are easier for attackers to crack.

Solution

Configuring the password policy using the Configuration utility
1. Log in to the Configuration utility.
2. Navigate to System > Users > Authentication.
3. Under Password Policy, locate the Secure Password Enforcement setting and configure it to meet the minimum requirements listed below:

Configuring the password policy using tmsh
1. Log in to tmsh by typing the following command:

```
tmsh
```

Then modify the password policy with:

```
modify /auth password-policy
```


The minimum requirements:

- Secure Password Enforcement: Enabled
- Minimum Password Length is 12
- Required Lowercase is 1
- Required Uppercase is 1
- Required Numeric is 1
- Required Special Characters is 1
- Maximum Duration (in Days): 180
- Minimum Duration (in Days): 90
- Expiration Warning (in Days): 14
- Ensure Password Memory is 24
- Ensure Maximum Login Failures is 3
- User Lockout: Automatically enable locked-out users after: 300 seconds

**Notice: Some settings can be done through Configuration Utility only while others are done through tmsh only.**
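The following is an added example, not part of the CIS benchmark or the Tenable audit plugin: a small offline compliance checker that parses the text of `tmsh list auth password-policy` and compares each property against the minimum requirements above. The sample policy output is constructed, and the tmsh property names (`policy-enforcement`, `minimum-length`, `required-lowercase`, `required-uppercase`, `required-numeric`, `required-special`, `max-duration`, `min-duration`, `expiration-warning`, `password-memory`, `max-login-failures`, `lockout-duration`) are assumed from F5's tmsh documentation and should be verified against your BIG-IP version.

```python
"""Offline check of a BIG-IP password policy against the control's minimums."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `tmsh list auth password-policy` output (not captured
# from a real device). Property names are assumed from F5's tmsh documentation.
SAMPLE_POLICY = """\
auth password-policy {
    expiration-warning 7
    lockout-duration 300
    max-duration 180
    max-login-failures 0
    min-duration 90
    minimum-length 8
    password-memory 24
    policy-enforcement enabled
    required-lowercase 1
    required-numeric 1
    required-special 0
    required-uppercase 1
}
"""

# (property, operator, benchmark value), taken from the minimum requirements.
# Direction: settings that strengthen the policy as they grow must be at least
# the benchmark; max-duration and max-login-failures must not exceed it.
Requirement = Tuple[str, str, object]
REQUIREMENTS: List[Requirement] = [
    ("policy-enforcement", "==", "enabled"),
    ("minimum-length", ">=", 12),
    ("required-lowercase", ">=", 1),
    ("required-uppercase", ">=", 1),
    ("required-numeric", ">=", 1),
    ("required-special", ">=", 1),
    ("max-duration", "range", (1, 180)),    # 0/huge values treated as non-compliant
    ("min-duration", ">=", 90),
    ("expiration-warning", ">=", 14),
    ("password-memory", ">=", 24),
    ("max-login-failures", "range", (1, 3)),  # assumed: 0 means no lockout limit
    ("lockout-duration", ">=", 300),          # assumed property name (seconds)
]

_LINE = re.compile(r"^\s*([a-z][a-z0-9-]*)\s+(\S+)\s*$")


def parse_policy(text: str) -> Dict[str, str]:
    """Turn the flat `key value` lines of tmsh output into a dict."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if "{" in line or "}" in line:      # skip the object header/footer
            continue
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def _satisfies(actual: str, op: str, expected) -> bool:
    """Evaluate one requirement; non-numeric values fail numeric comparisons."""
    if op == "==":
        return actual == expected
    try:
        value = int(actual)
    except ValueError:
        return False
    if op == ">=":
        return value >= expected
    if op == "<=":
        return value <= expected
    if op == "range":
        lo, hi = expected
        return lo <= value <= hi
    raise ValueError(f"unknown operator {op!r}")


def check_policy(props: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """Return (property, actual value or None if absent, requirement) for each failure."""
    failures = []
    for prop, op, expected in REQUIREMENTS:
        actual = props.get(prop)
        if actual is None or not _satisfies(actual, op, expected):
            failures.append((prop, actual, f"{op} {expected}"))
    return failures


def is_compliant(text: str) -> bool:
    """True when every requirement is met by the given tmsh output."""
    return not check_policy(parse_policy(text))


if __name__ == "__main__":
    for prop, actual, required in check_policy(parse_policy(SAMPLE_POLICY)):
        print(f"FAIL {prop}: got {actual!r}, required {required}")
```

A missing property is reported as a failure rather than silently passing, so a BIG-IP version that lacks `lockout-duration` will surface that gap explicitly; drop that entry from `REQUIREMENTS` if the setting is managed only through the Configuration utility on your version.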

See Also

https://workbench.cisecurity.org/files/3587

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.2, CSCv7|4.4

Plugin: F5

Control ID: 8b32e965ed68f917cabe5d736eace2b95a336478273a73f2f0bd04129bd2a5ea