You have the option to create a security policy for generating passwords for local BIG-IP system user accounts. A secure password policy ensures that BIG-IP system users who have local user accounts create and maintain passwords that are as secure as possible. The secure password policy feature includes two distinct types of password restrictions:
- Enforcement restrictions are character restrictions that you can enable or disable. They consist of the minimum password length and the required character types (numeric, uppercase, lowercase, and other kinds of characters). When you enable them, the system applies enforcement restrictions to all user accounts.
- Policy restrictions represent the minimum and maximum lengths of time that passwords can be active. This type of policy restriction also includes values for the number of days prior to password expiration on which the system warns users and the number of previous passwords that the BIG-IP system stores to prevent users from reusing former passwords. When you configure policy restrictions using the Configuration utility, policy restrictions apply to all user accounts. These restrictions are always enabled, although the default values provide a minimal amount of restriction.
The secure password policy feature affects passwords for the BIG-IP system's local user accounts only. Passwords for remotely stored user accounts are not subject to this local password policy but may be subject to a remote system's separate password policy.
Note: You can configure only one user authentication scheme for the system. When you select a remote authentication source, the page displays relevant configuration options.
To use the Configuration utility to configure the password policy for BIG-IP local user accounts, perform the following procedure:
1. Log in to the Configuration utility.
2. Go to System > Users > Authentication.
3. Under Password Policy, locate the Minimum Duration setting and configure it to meet your needs.
4. Select Update.
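The following is an added example, not part of the original article and not F5 code: a Python check that audits the enforcement and policy restrictions described above after you change them. It assumes the policy was exported as text with `tmsh list auth password-policy`. The sample output and the `BASELINE` thresholds are constructed placeholders to replace with your organization's own values.

```python
import re

# Constructed sample of `tmsh list auth password-policy` output (illustrative values).
SAMPLE = """\
auth password-policy {
    expiration-warning 7
    max-duration 99999
    min-duration 0
    minimum-length 6
    password-memory 0
    policy-enforcement disabled
    required-lowercase 0
    required-numeric 0
    required-special 0
    required-uppercase 0
}
"""
# Assumed baseline (hypothetical thresholds): property -> (comparison, required value).
BASELINE = {
    "policy-enforcement": ("eq", "enabled"), "minimum-length": ("min", 12),
    "required-lowercase": ("min", 1), "required-uppercase": ("min", 1),
    "required-numeric": ("min", 1), "required-special": ("min", 1),
    "min-duration": ("min", 1), "max-duration": ("max", 90),
    "expiration-warning": ("min", 7), "password-memory": ("min", 5),
}

def parse_policy(text):
    """Return {property: value} for the indented 'name value' lines of the stanza."""
    policy = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s+([a-z-]+)\s+(\S+)\s*", line)
        if m:
            policy[m[1]] = int(m[2]) if m[2].isdigit() else m[2]
    return policy

def audit(policy, baseline=BASELINE):
    """Return a list of findings; an empty list means the policy meets the baseline."""
    findings = []
    for key, (op, want) in baseline.items():
        have = policy.get(key)
        if have is None:
            findings.append(f"{key}: not present in output")
        elif op == "eq":
            if have != want:
                findings.append(f"{key}: is {have}, expected {want}")
        elif not isinstance(have, int):
            findings.append(f"{key}: non-numeric value {have!r}")
        elif (op == "min" and have < want) or (op == "max" and have > want):
            findings.append(f"{key}: {have} violates {op} {want}")
    return findings
```

Call `audit(parse_policy(text))` on the exported text and treat any returned finding as a deviation to fix under System > Users > Authentication.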
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: F5.