rqureshi
Staff
December 31, 2025

Technical Tip: FortiGate upgrade to v7.6.5 will change the password policy automatically

Description: This article describes the minimum password policy enforced when upgrading to v7.6.5.
Scope: FortiOS v7.6.5 and later.
Solution

FortiOS v7.6.5 introduces a security enhancement where a global administrator password policy is automatically enabled after upgrade. This forces any administrator accounts that do not meet the new requirements to change passwords to a more complex, 12‑character format at the next login. See this document: Password policy enforcement.

 

After the upgrade, if a system administrator's password does not meet the following minimum requirements, the administrator is prompted to update the password upon login before access is granted.

  • 12 characters.
  • 1 uppercase letter.
  • 1 lowercase letter.
  • 1 special character.
  • 1 number.

 

If a more restrictive password-policy was in place before the upgrade, the more restrictive password-policy is retained. It is possible to disable the global password-policy manually after the upgrade, although this is not recommended.

 

Before upgrading, it is advised to update the existing password-policy to meet the minimum requirements that will be enforced after the upgrade, and update administrator credentials accordingly. This allows administrators to follow any existing change management procedures when updating credentials.

 

GUI method:

  • Go to System -> Settings.
  • Under the Security section, adjust Password scope and other password policy parameters.


CLI method:

 

config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 12
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-non-alphanumeric 1
    set min-number 1
    set expire-status disable
    set reuse-password enable
    set reuse-password-limit 0
    set login-lockout-upon-weaker-encryption disable
end
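A pre-upgrade check for the advice above, as an added example (not Fortinet code): it reads the `config system password-policy` block from a saved configuration text and lists where it falls short of the v7.6.5 minimums. The function names and the sample backup are constructed for illustration, and treating a key that is absent from the backup as unmet is an assumption.

```python
import re

# Minimums listed in the article for FortiOS v7.6.5 (key names from its CLI block).
REQUIRED_MINIMUMS = {
    "minimum-length": 12, "min-lower-case-letter": 1, "min-upper-case-letter": 1,
    "min-non-alphanumeric": 1, "min-number": 1,
}

def parse_password_policy(config_text):
    """Return the 'set' key/value pairs of the config system password-policy block."""
    settings, inside = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system password-policy":
            inside = True
        elif inside and line == "end":
            break
        elif inside:
            m = re.match(r"set\s+(\S+)\s+(.+)$", line)
            if m:
                settings[m.group(1)] = m.group(2).strip()
    return settings

def audit_policy(settings):
    """List the ways a parsed policy falls short of the article's minimums."""
    # Assumption: a key absent from the backup counts as not meeting the
    # requirement, because a backup may omit values left at their defaults.
    findings = []
    if settings.get("status") != "enable":
        findings.append("status is not 'enable'")
    if "admin-password" not in settings.get("apply-to", "").split():
        findings.append("apply-to does not include admin-password")
    for key, minimum in REQUIRED_MINIMUMS.items():
        value = settings.get(key)
        if value is None or not value.isdigit() or int(value) < minimum:
            findings.append(f"{key} is {value or 'not set'}, needs >= {minimum}")
    return findings

# Constructed sample: a pre-upgrade policy with an 8-character minimum.
SAMPLE_BACKUP = """\
config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 8
    set min-upper-case-letter 1
end
"""
```

An empty list from `audit_policy(parse_password_policy(text))` means the saved policy already matches the listed minimums; it does not check whether the existing administrator passwords themselves comply.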

 

Note: As part of this change, the lower bound of the minimum-length password-policy parameter is increased from 8 in previous FortiOS versions to 12 in FortiOS v7.6.5. Starting in this version, if a password-policy is enforced, the minimum password length must be at least 12 characters.

 

Note: If the password policy is applied after an administrator account has already been created, the currently logged-in administrator will remain authenticated and unaffected during that active session.

During the next login attempt, if the existing administrator password does not meet the newly applied password policy requirements, the system will prompt for a password change. The system will require the new password to meet the updated policy requirements before allowing access.

 
