Password Policy

This section explains how to configure your platform:

  • To enforce creation of strong passwords.

  • To monitor and prevent use of already used passwords.

  • To force users to change passwords at regular intervals.

One of the important elements of securing your Check Point cyber security platform is to set user passwords and create a good password policy.

Note - The password policy does not apply to non-local users whose login information and passwords are managed by authentication servers such as RADIUS. In addition, it does not apply to non-password authentication, such as the public key authentication supported by SSH.

To set and change user passwords, see Users and User Management.

Password Strength

Strong, unique passwords that use a variety of character types, together with required password changes, are key factors in your overall cyber security.

Password History Checks

The password history feature prevents users from using a password they have used before when they change their password.

The number of already used passwords that this feature checks against is defined by the history length.

Password history check is enabled by default.

The password history check:

  • Applies to user passwords set by the administrator and to passwords set by the user.

  • Does not apply to SNMPv3 USM user pass phrases.

These are some considerations when using password history:

  • The password history for a user is updated only when the user successfully changes the password.

    If you change the history length, for example from ten to five, the number of stored passwords does not change.

    The next time the user changes the password, the new password is examined against all stored passwords, which can be more than five.

    After the password change succeeds, the password file is updated to keep only the five most recent passwords.

  • The password history is only stored if the password history feature is enabled when the password is created.

  • The new password is checked against the previous password, even if the previous password is not stored in the password history.
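
The history rules above, modelled as an added Python example (not Check Point code and not from this page). The class and function names, the salted PBKDF2 storage, and the behaviour when the feature is disabled (only the previous password is checked) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _entry(password, salt=None):
    # Assumption: passwords are kept as salted hashes, never as plaintext.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _matches(password, entry):
    salt, digest = entry
    return hmac.compare_digest(_entry(password, salt)[1], digest)

class PasswordHistory:
    """Illustrative model of the history rules on this page (hypothetical names)."""

    def __init__(self, history_length=10, enabled=True):
        self.history_length = history_length
        self.enabled = enabled
        self.current = None   # active password, kept outside the history
        self.stored = []      # history entries, most recent first

    def change(self, new_password):
        """Return True and update state if the change is accepted."""
        # The previous password is always checked, stored in history or not.
        to_check = [self.current] if self.current else []
        if self.enabled:
            # Every stored entry is examined, even beyond history_length.
            to_check += self.stored
        if any(_matches(new_password, e) for e in to_check):
            return False      # a failed change leaves the history untouched
        self.current = _entry(new_password)
        if self.enabled:
            # Stored only if the feature is enabled when the password is
            # created, then trimmed to the configured length.
            self.stored = ([self.current] + self.stored)[: self.history_length]
        return True

def shrink_demo():
    """Constructed scenario: seven changes at length 10, then length set to 5."""
    h = PasswordHistory(history_length=10)
    for i in range(1, 8):
        h.change(f"Constructed-pw-{i}")
    h.history_length = 5
    before = len(h.stored)                       # shrinking does not trim
    reuse_oldest = h.change("Constructed-pw-1")  # all stored entries checked
    h.change("Constructed-pw-8")                 # success trims the history
    return before, reuse_oldest, len(h.stored), h.change("Constructed-pw-1")
```

In this model the oldest password stays blocked after the history length is reduced, and becomes reusable only once a successful change has trimmed the stored entries.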

Mandatory Password Change

The mandatory password change feature requires users to use a new password at defined intervals.

Forcing users to change passwords regularly is important for a strong security policy.

You can set user passwords to expire after a specified number of days.

When a password expires, the user is forced to change the password the next time the user logs in.

This feature works together with the password history check to get users to use new passwords at regular intervals.

The mandatory password change feature does not apply to SNMPv3 USM user pass phrases.

Deny Access to Unused Accounts

You can deny access to unused accounts. If there were no successful login attempts within a set time, the user is locked out and cannot log in.

You can also configure the allowed number of days of non-use before a user is locked out.

Deny Access After Failed Login Attempts

You can deny access after too many failed login attempts. The user cannot log in for a configurable period of time.

You can also allow access again after a user was locked out.

In addition, you can configure the number of failed login attempts that a user is allowed before being locked out.

When one login attempt succeeds, counting of failed attempts stops, and the count is reset to zero.