While configuring a back-end authentication store is the recommended configuration, at least one local administrative account must be configured. For this reason, ensuring a minimum bar for password strength for all local administrative accounts is important. Enabling this setting enforces passwords that conform to the following rules:

- At least eight characters long
- Does not contain many consecutive characters (such as 'abcd')
- Does not contain many repeating characters (such as 'aaabbb')
- Does not contain dictionary words
- Does not contain proper names
- Contains both uppercase and lowercase characters
- Contains numbers

Rationale: While in ideal conditions local credentials won't be used, there are many scenarios (such as deployment on a purely public network or on an air-gapped network) where this is the only option. Even if a back-end authentication source is used, if that service is not available the fall-back authentication is often to local credentials.

Impact: Having a simple password (for instance, one based on a dictionary word) for administrative credentials makes that account susceptible to credential stuffing attacks. Even if a back-end credential store such as TACACS+ or RADIUS is used, an attacker can drill down to the local credentials by taking the back-end service offline.
Solution
A single command enables this:

    switch(config)# password strength-check

Default Value: Password strength checking is enabled by default. When enabled, this setting does not appear in the configuration. When enabled, the password strength settings are:

- At least eight characters long
- Does not contain many consecutive characters (such as 'abcd')
- Does not contain many repeating characters (such as 'aaabbb')
- Does not contain dictionary words
- Does not contain proper names
- Contains both uppercase and lowercase characters
- Contains numbers

Additional Information: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_0/nx-os/security/configuration/guide/sec_nx-os_config/sec_rbac.html#wp1314939
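As an added example that is not part of this benchmark or of NX-OS, the following Python script applies the rules listed above to a candidate password before it is assigned to a local account, and inspects a saved running-config for an explicit "no password strength-check" line, since the enabled state is omitted from the configuration. The run-length limits and the word lists are assumptions constructed for the example.

```python
import re

# Constructed sample word lists for the example; a real audit would load full
# dictionary and name lists. NX-OS does not publish a number for "many"
# consecutive or repeating characters, so the two limits below are assumptions.
DICTIONARY_WORDS = {"password", "switch", "cisco", "admin", "secret", "welcome"}
PROPER_NAMES = {"alice", "bob", "carol", "dave"}
CONSECUTIVE_LIMIT = 4   # 'abcd' or '4321' is flagged
REPEAT_LIMIT = 3        # 'aaa' is flagged

def _has_consecutive_run(pw, n=CONSECUTIVE_LIMIT):
    """True if n characters in a row ascend or descend by one code point."""
    for i in range(len(pw) - n + 1):
        window = pw[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def _has_repeating_run(pw, n=REPEAT_LIMIT):
    """True if the same character appears n or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None

def check_password_strength(pw):
    """Return the list of strength rules the candidate violates (empty = passes)."""
    failures = []
    lower = pw.lower()
    if len(pw) < 8:
        failures.append("shorter than eight characters")
    if _has_consecutive_run(pw):
        failures.append("contains many consecutive characters")
    if _has_repeating_run(pw):
        failures.append("contains many repeating characters")
    if any(w in lower for w in DICTIONARY_WORDS):
        failures.append("contains a dictionary word")
    if any(name in lower for name in PROPER_NAMES):
        failures.append("contains a proper name")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failures.append("lacks both uppercase and lowercase characters")
    if not any(c.isdigit() for c in pw):
        failures.append("lacks a number")
    return failures

def strength_check_enabled(running_config):
    """Enabled is the default and is omitted from the config, so only an explicit
    'no password strength-check' line indicates the check has been turned off."""
    return not any(line.strip() == "no password strength-check"
                   for line in running_config.splitlines())
```

Run check_password_strength() on each candidate before issuing "username ... password" on the switch, and strength_check_enabled() over a "show running-config" capture during audits.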