CIS Palo Alto Firewall 8 Benchmark L1 V1.0.0

Ensure ‘Minimum Length’ is greater than or equal to 12

Details

This setting determines the minimum number of characters that make up a password for a user account.

Rationale:

A longer password is much more difficult to attack, either directly against administrative interfaces or cryptographically against captured password hashes. Increasing a password's length will generally have a greater impact in this regard than making a shorter password more complex. Passphrases are commonly recommended to make longer passwords more palatable to end users. Administrative staff, however, generally use “password safe” applications, so a long and complex password is more easily implemented for most infrastructure administrative interfaces.

Solution

Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Minimum Length to greater than or equal to 12.

Impact:

Longer passwords are much more difficult to attack. This is true of attacks against the administrative interfaces themselves, or of decryption attacks against captured hashes. A longer password will almost always have a more positive impact than a shorter but more complex password.

Default Value:

Not enabled.
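An audit check for this control against an exported configuration, as an added example that is not part of the benchmark or of the vendor's tooling. It assumes the export is XML with the setting under `mgt-config/password-complexity` (child elements `enabled` and `minimum-length`); confirm that layout against your own export. The sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

REQUIRED_MIN_LENGTH = 12  # threshold stated by this control

# Assumed location of the setting in an exported configuration; verify
# this path against your own export before relying on the result.
COMPLEXITY_PATH = "mgt-config/password-complexity"


def audit_min_length(config_xml: str) -> tuple:
    """Return (compliant, reason) for the Minimum Length control."""
    root = ET.fromstring(config_xml)
    node = root.find(COMPLEXITY_PATH)
    if node is None:
        # Matches the documented default: the feature is not enabled.
        return False, "password complexity not configured"
    if (node.findtext("enabled") or "no").strip().lower() != "yes":
        # A length value is meaningless while the feature is switched off.
        return False, "password complexity present but not enabled"
    raw = (node.findtext("minimum-length") or "").strip()
    if not raw.isdigit():
        return False, "minimum-length missing or not numeric"
    length = int(raw)
    if length < REQUIRED_MIN_LENGTH:
        return False, f"minimum-length is {length}, below {REQUIRED_MIN_LENGTH}"
    return True, f"minimum-length is {length}"


def _sample(inner: str) -> str:
    """Wrap a constructed fragment in the assumed config skeleton."""
    return f"<config><mgt-config>{inner}</mgt-config></config>"


# Constructed sample configurations (not taken from a real device).
SAMPLES = {
    "compliant": _sample("<password-complexity><enabled>yes</enabled>"
                         "<minimum-length>14</minimum-length></password-complexity>"),
    "too_short": _sample("<password-complexity><enabled>yes</enabled>"
                         "<minimum-length>8</minimum-length></password-complexity>"),
    "disabled": _sample("<password-complexity><enabled>no</enabled>"
                        "<minimum-length>12</minimum-length></password-complexity>"),
    "default": _sample(""),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        ok, reason = audit_min_length(xml)
        print(f"{name:10s} {'PASS' if ok else 'FAIL'}  {reason}")
```

The `disabled` case is the one a simple value comparison misses: the length reads 12 but the check still fails because the feature is off.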

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Palo_Alto.

Updated on July 16, 2022