Password Policy

This section explains how to configure your platform:

One of the important elements of securing your Check Point cyber security platform is to set user passwords and create a good password policy.

Note - The password policy does not apply to nonlocal users whose login information and passwords are managed by authentication servers such as RADIUS. In addition, it does not apply to non-password authentication, such as the public key authentication supported by SSH.

To set and change user passwords, see Users and Change My Password.

Password Strength

Strong, unique passwords that use a variety of character types, together with required password changes, are key factors in your overall cyber security.

Password History Checks

The password history feature prevents users from reusing a password they have used before when they change their password. The history length defines how many previously used passwords this feature checks against. The password history check is enabled by default.

The password history check

These are some considerations when using password history:

Mandatory Password Change

The mandatory password change feature requires users to use a new password at defined intervals.

Forcing users to change passwords regularly is important for a strong security policy. You can set user passwords to expire after a specified number of days. When a password expires, the user is forced to change the password the next time the user logs in. This feature works together with the password history check to get users to use new passwords at regular intervals.

The mandatory password change feature does not apply to SNMPv3 USM user pass phrases.

Deny Access to Unused Accounts

You can deny access to unused accounts. If there were no successful login attempts within a set time, the user is locked out and cannot log in. You can also configure the allowed number of days of non-use before a user is locked out.

Deny Access After Failed Login Attempts

You can deny access after too many failed login attempts. The user cannot log in for a configurable period of time. You can also allow access again after a user was locked out. In addition, you can configure the number of failed login attempts that a user is allowed before being locked out. When one login attempt succeeds, counting of failed attempts stops, and the count is reset to zero.
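The following added example models how the two lockout rules described above (unused accounts and failed login attempts) interact. It is not Check Point code: the names `LockoutPolicy`, `Account` and `attempt_login` and all values are hypothetical. It assumes the lockout starts when the failure count reaches the limit and that counting restarts after a lockout.

```python
from dataclasses import dataclass

DAY = 86400  # seconds

@dataclass
class LockoutPolicy:              # hypothetical names and constructed values
    failures_allowed: int = 3     # failed attempts before lockout
    allow_after: int = 1200       # seconds until access is allowed again
    nonuse_days: int = 30         # allowed days without a successful login

@dataclass
class Account:
    last_success: float           # time of last successful login (epoch seconds)
    failures: int = 0
    locked_until: float = 0.0

def attempt_login(policy, acct, password_ok, now):
    """Return 'ok', 'bad-password', 'locked-failures' or 'locked-nonuse'."""
    if now - acct.last_success > policy.nonuse_days * DAY:
        return "locked-nonuse"    # unused account: denied even with a valid password
    if now < acct.locked_until:
        return "locked-failures"  # still inside the lockout window
    if password_ok:
        acct.failures = 0         # one success resets the count to zero
        acct.last_success = now
        return "ok"
    acct.failures += 1
    if acct.failures >= policy.failures_allowed:  # assumption: lock when limit is reached
        acct.locked_until = now + policy.allow_after
        acct.failures = 0         # assumption: counting restarts after a lockout
        return "locked-failures"
    return "bad-password"

def demo():
    """Replay a constructed sequence of (time, password_ok) attempts."""
    policy, acct = LockoutPolicy(), Account(last_success=0)
    attempts = [(100, False), (110, False), (120, True),   # success clears 2 failures
                (130, False), (140, False), (150, False),  # third failure locks
                (160, True),                               # valid password, still locked
                (1350, True),                              # lockout window is over
                (1350 + 31 * DAY, True)]                   # 31 days without a login
    return [attempt_login(policy, acct, ok, t) for t, ok in attempts]

if __name__ == "__main__":
    print(demo())
```

The replay shows why the reset on success matters: two failures followed by a success never accumulate toward the limit, while a valid password entered during the lockout window or after the non-use period is still refused.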