Information
While using a back-end authentication store is the recommended configuration, at least one local administrative account must still be configured. For this reason, enforcing a minimum bar for password strength on all local administrative accounts is important. Enabling this setting enforces passwords that conform to the following rules:
At least eight characters long
Does not contain many consecutive characters (such as 'abcd')
Does not contain many repeating characters (such as 'aaabbb')
Does not contain dictionary words
Does not contain proper names
Contains both uppercase and lowercase characters
Contains numbers
Rationale:
While local credentials won't be used under ideal conditions, there are many scenarios (such as a switch deployed on a purely public network or on an air-gapped network) where they are the only option. Even when a back-end authentication source is used, the fall-back when that service is unavailable is often local credentials.
Impact:
A simple password (for instance, one based on a dictionary word) on an administrative account makes that account susceptible to credential stuffing attacks. Even when a back-end credential store such as TACACS+ or RADIUS is in use, an attacker can force a fall-back to the local credentials by taking the back-end service offline.
Solution
A single command, entered in global configuration mode, enables this:
switch(config)# password strength-check
Default Value:
Password strength checking is enabled by default, and because it is the default, the enabled state does not appear in the configuration. When enabled, the rules applied are the seven listed under Information above: at least eight characters, no long consecutive or repeating character runs, no dictionary words or proper names, both uppercase and lowercase characters, and at least one number.
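The two defender-side tasks this recommendation implies are (a) auditing a device's running configuration for the setting, which is awkward precisely because the enabled default is not shown, and (b) vetting a local administrative password against the listed rules before it is set. The following Python script is an added example and is not Cisco's code or part of the benchmark; it assumes that NX-OS records the disabled state as the explicit line `no password strength-check`, and its run-length thresholds, word lists and sample configuration are constructed stand-ins, since the device's real dictionary is not published on this page.

```python
"""Added example, not from the Cisco documentation or the benchmark text.

Two defender-side checks around the NX-OS 'password strength-check' setting:
  1. audit_strength_check() inspects 'show running-config' output. The enabled
     state is the default and is not shown, so the only evidence of a weakened
     device is the explicit line 'no password strength-check' (assumption:
     NX-OS records a disabled default that way).
  2. check_password() approximates the listed rules so a local admin password
     can be vetted before it is set. The run thresholds and the word lists are
     assumptions; the device's real dictionary is not published on the page.
"""
import re

# Constructed stand-ins for the device's dictionary and proper-name lists.
DICTIONARY_WORDS = {"password", "admin", "cisco", "switch", "secret", "welcome"}
PROPER_NAMES = {"alice", "bob", "john", "nexus"}
CONSECUTIVE_LIMIT = 4   # assumption: 'abcd' (4 in a row) fails, 'abc' passes
REPEAT_LIMIT = 3        # assumption: 'aaa' (3 repeats) fails, 'aa' passes

# Constructed running-config excerpt with the setting explicitly disabled.
SAMPLE_CONFIG = """\
!Command: show running-config
hostname nx-lab-01
no password strength-check
username admin password 5 $5$PLACEHOLDER_HASH role network-admin
"""


def audit_strength_check(running_config: str) -> dict:
    """Report whether strength checking is on, with the remediation command if not."""
    disabled = any(line.strip() == "no password strength-check"
                   for line in running_config.splitlines())
    return {
        "enabled": not disabled,
        "remediation": None if not disabled else "password strength-check",
    }


def _has_consecutive_run(pw: str, n: int) -> bool:
    """True if n adjacent characters step by +1 or -1 each time ('abcd', '4321')."""
    for i in range(len(pw) - n + 1):
        chunk = pw[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _has_repeating_run(pw: str, n: int) -> bool:
    """True if the same character appears n or more times in a row ('aaa')."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def check_password(pw: str) -> list:
    """Return the rule violations for pw; an empty list means it passes."""
    problems = []
    lowered = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if _has_consecutive_run(pw, CONSECUTIVE_LIMIT):
        problems.append("contains a consecutive-character run (such as 'abcd')")
    if _has_repeating_run(pw, REPEAT_LIMIT):
        problems.append("contains a repeating-character run (such as 'aaa')")
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if any(name in lowered for name in PROPER_NAMES):
        problems.append("contains a proper name")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both uppercase and lowercase characters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one number")
    return problems


if __name__ == "__main__":
    finding = audit_strength_check(SAMPLE_CONFIG)
    print("strength-check enabled:", finding["enabled"],
          "| fix:", finding["remediation"])
    for candidate in ("abcd1234", "Password123", "Tr0ub4dor&Nine"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The audit deliberately matches only the exact negated line, because a running configuration with the default in force contains nothing to match; an absent line is the compliant state. The password checker is a local approximation for pre-screening, and the device itself remains the authority on whether a password is accepted once the setting is enabled.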
Additional Information:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_0/nx-os/security/configuration/guide/sec_nx-os_config/sec_rbac.html#wp1314939