Cisco Passwords - Enforcing Minimum Password Length

Common Types of Password Attacks
Brute-Force Attack - tries every possible character combination as a password. To recover a
single-letter password would require up to 26 combinations. A two-letter password could
require up to 26*26=676 combinations. The number of possible combinations (and therefore the
required time) grows rapidly as the length of the password (as well as the allowed characters)
increases, and this method quickly becomes so time-consuming that it is essentially useless.
Dictionary Attack - A dictionary attack uses a brute-force technique of successively trying all
the words in an exhaustive list (from a pre-arranged list of values). In contrast with a normal
brute-force attack, where a large proportion of the key space is searched systematically, a dictionary
attack tries only those possibilities which are most likely to succeed, typically derived from a list
of words in a dictionary. Generally, dictionary attacks succeed because many people have a
tendency to choose passwords which are short (7 characters or fewer), single words found in
dictionaries, or simple, easily-predicted variations on words, such as appending a digit.*
*Wikipedia entry
Password Best Practices
Cisco Password Guidelines
Use 'enable secret' rather than 'enable password'
Use 'service password-encryption' to provide "over-the-shoulder" (Vigenère cipher) password encryption
Use 'username secret' (password encrypted with an MD5 hash) rather than 'username password'
Limit the number of failed login attempts (outside the scope of this lesson)
General Password Guidelines
Require users to change passwords at regular intervals
Make passwords case-sensitive
Set a minimum password length restriction
Do not allow common words or names to be used as passwords
Require the use of numbers and special characters in passwords*
New passwords should significantly differ from previous passwords**
Change passwords immediately if they may have been compromised.
Once you've created a password policy, publish it and make sure that users understand and follow it.
*These are most effective in the middle of the password: p@ss6969w0rd is much better than password6969
** If your old password was password1, then password2 should not be an option for the new password
Cisco recommends:
As a security best practice, passwords must be managed with a TACACS+ or RADIUS authentication server.
This gives you the ability to manage passwords far better than in IOS, but you will still need to know how to
best manage passwords in IOS for a couple of reasons:
Enable password – you will most likely want/need to configure an enable password on the device itself
Loss of connectivity to the authentication server – there will be times when you lose communications
between your device and the authentication server. You will need to configure your device to use local
authentication during these outages.
Other types of passwords – you may have some locally configured passwords and keys such as TACACS+
keys, SNMP community strings, OSPF authentication keys, etc. You will want to make sure that these items
are as secure as possible.
Setting a Minimum Password Length
While most of the general password best practices cannot be enforced by Cisco IOS (such as requiring
passwords to be changed frequently, requiring special characters, etc.), one best practice that you can enforce in
Cisco IOS is a minimum-length requirement. We can configure this with the 'security passwords min-length'
command.
security passwords min-length
The security passwords min-length command provides enhanced security access to the router by allowing
you to specify a minimum password length, eliminating common passwords that are prevalent on most
networks, such as "lab" and "cisco." This command affects user passwords, enable passwords and secrets,
and line passwords. After this command is enabled, any password that is less than the specified length will
fail.
r1(config)#security passwords min-length ?
<0-16> Minimum length of all user/enable passwords
Cisco claims that the default for this command is 6. I didn’t find this to be the case:
r1(config)#line vty 0 4
r1(config-line)#password a
r1(config-line)#
As always, your results may vary based on IOS version and platform.
r1(config)#security passwords min-length 6
r1(config)#enable pass 12345
% Password too short - must be at least 6 characters. Password configuration failed
Does NOT affect the state of pre-existing passwords:
r1(config)#enable pass 12345
r1(config)#security passwords min-length 6
r1(config)#exit
r1#disable
r1>enable
Password: [12345]   <- the password is still 5 characters; it was set before min-length 6 was configured
But new passwords MUST be 6 or more characters in length:
r1(config)#username packetlab pass 12345
% Password too short - must be at least 6 characters. Password configuration failed
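The two transcripts above show the gap a defender has to close by hand: min-length only applies to passwords set after the command, so anything configured earlier keeps its old length. The following Python script is an added example, not part of the original lesson; it audits a saved IOS configuration excerpt for cleartext (type 0) passwords shorter than the configured or supplied minimum and for reversible (type 0/7) storage. The config text, usernames, type 7 string and hash values are constructed placeholders.

```python
import re

# Constructed running-config excerpt (not from a real device; hashes and
# the type 7 string are placeholders, not real encodings).
SAMPLE_CONFIG = """\
security passwords min-length 6
enable password 12345
enable secret 5 $1$XXXX$placeholderhashvalue
username packetlab password 0 12345
username netops secret 5 $1$YYYY$placeholderhashvalue
username helpdesk password 7 0123456789ABCDEF
line vty 0 4
 password cisco
 login
line con 0
 password securepass1
"""

MIN_LENGTH_RE = re.compile(r"^security passwords min-length (\d+)$")
# 'enable password', 'username X password' and line 'password' entries,
# with an optional encryption type (0 = cleartext, 7 = reversible) first.
CLEAR_RE = re.compile(
    r"^(?:enable password|username (\S+) password|password)(?: (0|7))? (\S+)$")


def audit_config(config, policy_min=None):
    """Return (effective_min_length, findings); findings maps each offending
    config line to its list of reasons. policy_min, if given, overrides the
    min-length present in (or absent from) the config."""
    min_length = policy_min
    findings = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = MIN_LENGTH_RE.match(line)
        if m:
            if policy_min is None:
                min_length = int(m.group(1))
            continue
        m = CLEAR_RE.match(line)
        if not m:
            continue  # 'secret' lines are hashed; length is not assessable
        enc_type, value = m.group(2) or "0", m.group(3)
        reasons = []
        # IOS enforces min-length only on passwords set after the command,
        # so passwords that pre-date it can still be shorter than the policy.
        if enc_type == "0" and min_length is not None and len(value) < min_length:
            reasons.append(f"too short: {len(value)} < {min_length}")
        reasons.append(f"reversible storage (type {enc_type})")
        findings[line] = reasons
    return min_length, findings


if __name__ == "__main__":
    effective, report = audit_config(SAMPLE_CONFIG)
    print(f"effective min-length: {effective}")
    for cfg_line, reasons in report.items():
        print(f"  {cfg_line}: {'; '.join(reasons)}")
```

Run it against the output of `show running-config` saved to a file to list the passwords that predate the min-length command or are still stored reversibly.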
Summary
While in most production environments usernames and passwords will be handled by an authentication
server such as TACACS+ or RADIUS, you will still need to configure passwords on the local device for some
operations. In such cases, it’s good to have a password policy in effect. While Cisco IOS does not provide
mechanisms to meet all of the general password best practices, it does provide a mechanism for one of the
most basic and important best practices: enforcing a minimum password length policy.
'security passwords min-length' allows you to specify a minimum password length between 0 and 16
characters. This feature is not enabled by default (this may vary by IOS version and hardware platform). Once
enabled, it will not affect pre-existing passwords. When considering the minimum-length value, always
weigh security against usability. Setting the minimum length to 16 characters is the most secure, but might
make the passwords too long and unwieldy for most users. Cisco's (supposed) default of 6 characters seems to
me to be a good "minimum minimum length".