FortiGate
rqureshi
Staff
Article Id: 424809
Description: This article describes the minimum password policy enforced when upgrading to v7.6.5.
Scope: FortiOS v7.6.5 and later.
Solution

FortiOS v7.6.5 introduces a security enhancement where a global administrator password policy is automatically enabled after upgrade. This forces any administrator accounts that do not meet the new requirements to change passwords to a more complex, 12‑character format at the next login. See this document: Password policy enforcement.

 

After the upgrade, if a system administrator's password does not meet the following minimum requirements, the administrator is prompted to update the password upon login before access is granted.

  • 12 characters.
  • 1 uppercase letter.
  • 1 lowercase letter.
  • 1 special character.
  • 1 number.

 

If a more restrictive password-policy was in place before the upgrade, the more restrictive password-policy is retained. It is possible to disable the global password-policy manually after the upgrade, although this is not recommended.

 

Before upgrading, it is advised to update the existing password-policy to meet the minimum requirements that will be enforced after the upgrade, and update administrator credentials accordingly. This allows administrators to follow any existing change management procedures when updating credentials.

 

GUI method:

  • Go to System -> Settings.
  • Under the Security section, adjust Password scope and other password policy parameters.


     

CLI method:

 

config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 12
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-non-alphanumeric 1
    set min-number 1
    set expire-status disable
    set reuse-password enable
    set reuse-password-limit 0
    set login-lockout-upon-weaker-encryption disable
end

 

Note: As part of this change, the lower bound of the minimum-length password-policy parameter is increased from 8 in previous FortiOS versions to 12 in FortiOS v7.6.5. Starting in this version, if a password-policy is enforced, the minimum password length must be at least 12 characters.