Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

password (Login)

Syntax

Hierarchy Level

Description

Configure special requirements such as character length and encryption format for plain-text passwords. Newly created passwords must meet these requirements.

Using several password minimum requirement options will cause the minimum-length to be reset if the total sum of the required minimums exceeds the minimum-length setting.

Options

change-type

Set requirements for using character sets in plain-text passwords. When you combine this statement with the minimum-changes statement, you can check for the total number of character sets included in the password or for the total number of character-set changes in the password. Newly created passwords must meet these requirements.

  • Values: Specify one of the following:

    • character-sets—The number of character sets in the password. Valid character sets include uppercase letters, lowercase letters, numbers, punctuation, and other special characters.

    • set-transitions—The number of transitions between character sets.

format

Configure the authentication algorithm for plain-text passwords. The hash algorithm that authenticates the password can be one of these algorithms:

  • Values:

    • sha256—Secure Hash Algorithm 256. Produces a 256-bit digest. The encrypted password starts with $5$.

    • sha512—Secure Hash Algorithm 512. Produces a 512-bit digest. The encrypted password starts with $6$.

  • Default: For Junos OS, the default encryption format is sha512.

maximum-length length

Specify the maximum number of characters allowed in plain-text passwords. Newly created passwords must meet this requirement.

  • Range: 20 through 128 characters

  • Default: For Junos-FIPS software, the maximum number of characters for plain-text passwords is 20. For Junos OS, no maximum is set.

maximum-lifetime days

Specify the maximum duration of a password in days, where the password expires after the maximum duration is reached. If you have the required permissions, you are able to control the maximum duration of a password. If the age of the password reaches the maximum time configured, the password expires and must be changed. If your password has expired, you cannot commit a configuration until you change your password. Only passwords for local user accounts can expire based on time configured on the maximum lifetime statement.

Note:

You cannot reuse the same password when the password expires, unless you also configure the number of times the password can be reused on the minimum-reuse statement. Older passwords cannot be re-configured on password expiry. Therefore, if you want to reuse an old password, you must configure the minimum-reuse statement as well as the maximum-lifetime statement in the new configuration, otherwise the commit fails.

If the maximum-lifetime statement is configured, a validation check for an expired password is performed at the time of login and at the time of commit based on the password timestamp. For passwords configured before the minimum-reuse configuration statement is committed, the timestamp of the passwords is the time at which any configuration under the [edit system login] hierarchy is committed following the commit for the minimum-reuse statement. For passwords configured after minimum-reuse configuration statement is committed, the timestamp of the passwords is the time at which those passwords are committed.

  • Range: 30 through 365 days

minimum-changes number

Specify the minimum number of character sets (or character set changes) required for plain-text passwords. Newly created passwords must meet this requirement.

This statement is used in combination with the change-type statement. If the change-type is character-sets, then the number of character sets included in the password is checked against the specified minimum. If change-type is set-transitions, then the number of character set changes in the password is checked against the specified minimum.

  • Default: For Junos OS, the minimum number of changes is 1. For Junos-FIPS Software, the minimum number of changes is 3.

minimum-character-changes number

Specify the minimum number of character changes between old and new passwords. Newly created passwords must meet this requirement. If you have the required permissions, you are able to configure the number of character changes between passwords. If the number of character changes between the old password and new password is greater than or equal to the configured value for minimum number of character changes, the new password is accepted. If the number of character changes is less than the configured value, the new password is rejected.

  • Range: 4 through 15 characters

minimum-length length

Specify the minimum number of characters required in plain-text passwords. Newly created passwords must meet this requirement.

This statement can be used in combination with all of the other requirement options for plain-text passwords, such as minimum-upper-cases, minimum-punctuations, minimum-lower-cases, and so on.

Using several password minimum requirement options will cause the minimum password length to be reset if the total sum of the required minimums exceeds the setting configured on the minimum-length statement.

  • Default: For Junos OS, the minimum number of characters for plain-text passwords is six. For Junos-FIPS software, the minimum number of characters for plain-text passwords is 10.

  • Range: 6 through 20 characters

minimum-lifetime days

Specify in days the minimum duration of a password before the password can be changed. If you have the required permissions, you are able to control the minimum lifetime of a password. You cannot change the password if the age of the password does not exceed the duration configured on the minimum-lifetime statement. When you change a password, the age of the existing password is retrieved based on the time at which the password was configured and the current time is fetched. If the age of the password is less than or equal to the configured value for the minimum-lifetime statement, the new password is not accepted and an error message is displayed. If the age of the password is more than the configured value for the minimum-lifetime statement, the new password is accepted.

Note:

The minimum-lifetime statement can be committed only after configuring the minimum-reuse statement. The minimum lifetime statement works in coordination with password history requirements, else the commit fails and an error message is displayed.

If minimum-lifetime is configured, password change for a user is accepted or rejected based on the timestamp of the current password for that user. For passwords configured before the minimum-reuse configuration statement is committed, the timestamp of the passwords is the time at which any configuration under the [edit system login] hierarchy is committed following the commit for the minimum-reuse statement. For passwords configured after minimum-reuse configuration statement is committed, the timestamp of the passwords is the time at which those passwords are committed.

  • Range: 1 through 30 days

minimum-lower-cases number

Specify the minimum number of lower-case letters required in plain-text passwords. Newly created passwords must meet this requirement.

This statement can be used in combination with all of the other requirement options for plain-text passwords, such as minimum-length, minimum-punctuations, minimum-upper-cases, and so on.

Using several password minimum requirement options will cause the minimum password length to be reset if the total sum of the required minimums exceeds the setting configured on the minimum-length statement.

  • Range: 1 through 128 lower-case letters

minimum-numerics number

Specify the minimum number of numeric-class characters required in plain-text passwords. Newly created passwords must meet this requirement.

This statement can be used in combination with all of the other requirement options for plain-text passwords, such as minimum-length, minimum-punctuations, minimum-lower-cases, and so on.

Using several password minimum requirement options will cause the minimum password length to be reset if the total sum of the required minimums exceeds the setting configured on the minimum-length statement.

  • Range: 1 through 128 numeric-class characters

minimum-punctuations number

Specify the minimum number of punctuation-class characters required in plain-text passwords. Newly created passwords must meet this requirement.

This statement can be used in combination with all of the other requirement options for plain-text passwords, such as minimum-length, minimum-upper-cases, minimum-lower-cases, and so on.

Using several password minimum requirement options will cause the minimum password length to be reset if the total sum of the required minimums exceeds the setting configured on the minimum-length statement.

  • Range: 1 through 128 punctuation-class characters

minimum-reuse number

Specify the number of old passwords which should not match the new password. Newly created passwords must meet this requirement. If you have the required permissions, you are able to control the number of old passwords that need to be compared. The number of old passwords to compare with the new password depends on the value configured. If a match is found between the new password and any of the old passwords, the device rejects the new password and terminates. If the new password is different from the configured number of old passwords, the new password is accepted.

  • Range: 1 through 20 passwords

minimum-upper-cases

Specify the minimum number of upper-case letters required in plain-text passwords. Newly created passwords must meet this requirement.

This statement can be used in combination with all of the other requirement options for plain-text passwords, such as minimum-length, minimum-punctuations, minimum-lower-cases, and so on.

Using several password minimum requirement options will cause the minimum password length to be reset if the total sum of the required minimums exceeds the setting configured on the minimum-length statement.

  • Range: 1 through 128 upper-case letters

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 7.4.

Statements minimum-lower-cases, minimum-numerics, minimum-punctuations, and minimum-upper-cases introduced in Junos OS Release 12.1.

All of the previously mentioned statements were introduced in Junos OS Release 14.1X53-D20 for the OCX Series.

Statements minimum-reuse and minimum-character-changes introduced in Junos OS Release 18.3.

Statements maximum-lifetime and minimum-lifetime introduced in Junos OS Release 18.4.

Option sha1 is not supported in Junos OS Evolved.

sha1 option deprecated in Junos OS Release 22.2R1.