Secure password policy for the BIG-IP enforcement

Question

Hi,&nbsp;I've made some adjustements to the secure password policy, but I'm still abe to create a new user with a password which doesnt match the requirements.&nbsp;I noticed that I'm not able to login - which is good, but should there not be a waring or not even able to set a password which doesnt meet the requirements?&nbsp;(tmos)# list /auth password-policy all-properties
auth password-policy {
    description none
    expiration-warning 7
    lockout-duration 0
    max-duration 99999
    max-login-failures 6
    min-duration 0
    minimum-length 10
    password-memory 0
    policy-enforcement enabled
    required-lowercase 1
    required-numeric 1
    required-special 0
    required-uppercase 1
}
(tmos)# create auth user test1 password 1234
(tmos)# list auth user test1
auth user test1 {
    description test1
    encrypted-password $6$CX2o0f4l$uxR8vZ9rw3LLD3hYOgUeJrqfZjbXtMdvhNXgKNspdVU2S7ywVewhX/qFH9AOqSNsrdnpf2JA4St9BpyBxUAV60
    partition Common
    partition-access {
        all-partitions {
            role guest
        }
    }
    session-limit -1
    shell none&nbsp;&nbsp;

michael_saleem · Answer

I just tested this on v16.1.3.4 and can confirm that it works for me:(tmos)# list auth password-policy all-properties
auth password-policy {
    description none
    expiration-warning 7
    lockout-duration 0
    max-duration 99999
    max-login-failures 0
    min-duration 0
    minimum-length 12
    password-memory 0
    policy-enforcement enabled
    required-lowercase 1
    required-numeric 1
    required-special 1
    required-uppercase 1
}

(tmos)# create auth user test1 password 1234
There were warnings:
WARNING! Role no-access will lockout the user test1.

01070366:3: Bad password (test1): BAD PASSWORD: it is too shortThere was no need to manually enable BigDB key users.strictpasswords" since this gets enabled automatically as soon as you enable the policy-enforcement setting in TMSH (modify auth password-policy policy-enforcement enabled)&nbsp;

stefan_engel · Answer

Michael_Saleem&nbsp;thanks for testing. We are runnning on&nbsp;16.1.3.3. I'll upgrade our LAB and have it tested as well on&nbsp;16.1.3.4.&nbsp;&nbsp;

leslie_hubertus · Answer

Hi&nbsp;Stefan_Engel&nbsp;- to give this more visibility to try to help you get an answer, I'm featuring this in this week's Community Highlights. I'll also see if I can get a colleague to take a look.&nbsp;

stefan_engel · Answer

to add, strict password enforcement is enabeld too:(tmos)# list sys db users.strictpasswords
sys db users.strictpasswords {
    value "enable"
}

Forum Discussion

Secure password policy for the BIG-IP enforcement

4 Replies

Tyler - May 2026 Featured Member

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

Recent Discussions

R series - Host and Tenants IP in the same subnet

CPU load when Prometheus is scraping metrics from F5 BIG-IP LTM

Sync error because Default logging profile and Custom profile both use local logging.

Ivanti MDM Core & F5 LTM/ASM with mTLS

Need BIG-IP VE Lab License for Personal Study/Learning

Related Content

Runtime API Security: From Visibility to Enforced Protection

LLM Prompt Injection Detection & Enforcement

AI Token Limit Enforcement

Password Safety & Security: Passwords vs. Passphrases

WS-Shield: WebSocket Abuse Detection & Adaptive Enforcement Gateway