Ireda
Sep 12, 2023, Cirrostratus
APM Password policy
Dear all, we need to enable the password policy on IT-Admin accounts as per the below details. Is the below OK, or what is recommended? Is there any impact?
As Amine_Kadimi suggested, those parameters need to be verified by your security team and the business policy.
But looking at the numbers you have selected, the "Required Characters" look very heavy. Hey, I like heavy, I work in security, but this is a standard policy for all users, so this might cause you an issue.
So you have set a 14-character minimum, cool. Recommendations seem to be going to 20+ characters for admins, but as a standard policy in the F5 you can't set different rules.
The point I want to make here is that you have requested:
Number: 6
Upper Case: 3
Lower Case: 3
Other: 2
So this is a minimum config.
So you are asking for something like 3D4g!g8DF5w6£0, or more characters.
In CIS, it only suggests you have 14 characters and at least 1 upper case, 1 lower case and 1 other.
A quick Google found this that might help - https://www.securden.com/blog/top-10-password-policies.html
Or look at CIS if you have the login creds.
This doesn't mean that the password can't have more; it just means the enforcement is lower, and normally you have to find a good balance with your user community. If this isn't an issue, then you should be fine.
My other question is, when you say IT-Admin, is this an internal group for RBAC, or are you talking about the default "admin" account? These parameters do not affect that account, as it's a break-glass account if nothing else.
I normally use a password manager and set a 32-character password with everything thrown at it for that account!
(And the root one.)
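The rule shape discussed in the reply above (a minimum length plus a minimum count per character class) is easy to model, and modelling it makes the practical impact of the two policies visible. The following is an added example, not F5 code and not from either poster: it checks sample passwords against the requested IT-Admin policy (14 / 6 / 3 / 3 / 2) and against the lighter CIS-style baseline (14 / 1 / 1 / 1 / 1), and reports how much slack each policy leaves. The character-class definitions (ASCII digits, ASCII upper/lower, everything else counted as "other") are an assumption for illustration; BIG-IP's own classification may differ. The sample passwords are constructed, apart from the one quoted in the reply.

```python
"""Model of a minimum-length-plus-character-class password policy.

Added example, not F5 code. It reproduces the rule shape described in the
thread so the requested IT-Admin policy can be compared with a CIS-style
baseline on sample passwords. Character classes are an assumption:
ASCII digits, ASCII upper/lower case, and everything else as "other".
"""
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    min_numeric: int
    min_upper: int
    min_lower: int
    min_other: int


# The two policies from the thread.
REQUESTED = PasswordPolicy("requested (IT-Admin)", 14, 6, 3, 3, 2)
CIS_BASELINE = PasswordPolicy("CIS-style baseline", 14, 1, 1, 1, 1)


def count_classes(password: str) -> dict:
    """Count how many characters of each class the password contains."""
    counts = {"numeric": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in password:
        if ch in string.digits:
            counts["numeric"] += 1
        elif ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        else:
            counts["other"] += 1  # punctuation, non-ASCII, spaces
    return counts


def violations(policy: PasswordPolicy, password: str) -> list:
    """Return the list of requirements the password fails, in policy order."""
    failed = []
    if len(password) < policy.min_length:
        failed.append(f"length {len(password)} < {policy.min_length}")
    have = count_classes(password)
    for cls, need in (("numeric", policy.min_numeric), ("upper", policy.min_upper),
                      ("lower", policy.min_lower), ("other", policy.min_other)):
        if have[cls] < need:
            failed.append(f"{cls} {have[cls]} < {need}")
    return failed


def is_compliant(policy: PasswordPolicy, password: str) -> bool:
    return not violations(policy, password)


def slack(policy: PasswordPolicy) -> int:
    """Characters a minimum-length password may pick freely.

    When this is 0, every password of exactly min_length characters must be
    composed of precisely the required class counts and nothing else.
    """
    required = (policy.min_numeric + policy.min_upper
                + policy.min_lower + policy.min_other)
    return policy.min_length - required


# Constructed samples; the first one is the example quoted in the thread.
SAMPLES = [
    "3D4g!g8DF5w6£0",          # 14 chars: 6 digits, 3 upper, 3 lower, 2 other
    "Correct-Horse-Battery9",  # long passphrase, only one digit
    "Tr0ub4dor&3",             # short, mixed classes
]

if __name__ == "__main__":
    for policy in (REQUESTED, CIS_BASELINE):
        print(f"{policy.name}: slack at minimum length = {slack(policy)}")
        for pw in SAMPLES:
            failed = violations(policy, pw)
            verdict = "OK" if not failed else "FAIL (" + ", ".join(failed) + ")"
            print(f"  {pw!r}: {verdict}")
```

Running it shows why the requested numbers feel heavy: with 6 + 3 + 3 + 2 = 14 the requested policy has zero slack at the minimum length, so a 14-character password has no freedom in its composition, and a 22-character passphrase with a single digit still fails. The baseline accepts the same passphrase and only rejects the 11-character sample on length.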
Thanks for your support, noted.
I have some other questions, please.
1- How can I send expiration notifications?
2- If the user did not see the notification, the expiration period has finished and the user is locked, how can the user change the password?
3- If the user is locked, can another admin unlock this user? If yes, must the user change the password after the unlock, or can they keep their last password?
Thanks