1.3.4 Set password length for local credentials

Information

Password length should be set to some value that makes compromising any captured hashes difficult. This generally means that the maximum value of 127 should never be changed, and that the minimum value, which defaults to 8, should always be increased. Typical values for the minimum passphrase length of administrative users are generally 20 characters or longer (values of 30 or 32 are often seen).
A specific value is not recommended, since then a savvy attacker may start their attack with 'only passwords of the exact length recommended in the CIS benchmark', which would reduce their attack time.

Rationale:

Passwords are stored in a non-reversible, hashed and salted format. If an attacker should 'harvest' a password hash, it is of course hashed in a non-reversible format - however, it can be decoded using dictionary and/or brute-force attacks using tools such as hashcat or John the Ripper (JtR). The single best obstacle to an attack of this type is password length - the longer the password the more difficult it is to decode.
Since the default password hash schema on the NX-OS version 9 platform is MD5, it's recommended that the password length be set to (and enforced at) some longer value, for instance 24, 32 or even longer values. This may seem lengthy, until you consider that with modern hardware running through the entire keyspace of 8 or 9 characters is often easily done in less than an hour.

This discussion actually illustrates why the best recommendation is to not use local credentials at all, but rather to use a back-end authentication source (using RADIUS or TACACS+). In this scenario, local administrative accounts are only used if the back-end authentication source is unavailable. This makes any compromised local credentials much harder to use, since a successful attack would also have to take the back-end authentication sources offline (or make them otherwise unavailable).

Impact:

Not setting a maximum value leaves administrators with the freedom to set short passwords. If a stored configuration file is collected by an attacker (perhaps from a file share), this means that any password hashes in the stored configuration will be more likely to be 'cracked', giving the attacker the unencrypted credential to the target switch.

Solution

Passphrase length values can only be set globally, not per local user.

switch(config)# userpassphrase min-length <minimum passphrase length>
switch(config)# userpassphrase max-length <maximum passphrase length>

Or in a single command:

switch(config)# userpassphrase min-length <minimum passphrase length> max-length <maximum passphrase length>

Example:

switch(config)# userpassphrase min-length 20
switch(config)# userpassphrase max-length 127

Or in a single command:

switch(config)# userpassphrase min-length 20 max-length 127

Default Value:

The default minimum passphrase length is 8. This has possible values between 8 and 127. The default maximum passphrase length is 127. This has possible values between 80 and 127.
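As an added example (not part of the CIS benchmark or the Tenable plugin), the following Python audit reads an NX-OS running-config, recovers the effective userpassphrase min-length and max-length in either the separate or the single-command form (falling back to the defaults above when the command is absent), and reports the deviations this item describes. The 20-character floor and the sample configs are assumptions constructed for the example.

```python
import re
from typing import NamedTuple

# Defaults stated in the benchmark item: min 8 (range 8-127), max 127 (range 80-127).
DEFAULT_MIN_LENGTH = 8
DEFAULT_MAX_LENGTH = 127
# Assumed audit threshold, following the item's "20 characters or longer" guidance.
RECOMMENDED_MIN_LENGTH = 20

# Matches "userpassphrase min-length 20", "userpassphrase max-length 127"
# and the combined form "userpassphrase min-length 20 max-length 127".
_USERPASSPHRASE_RE = re.compile(
    r"^[ \t]*userpassphrase[ \t]+(?P<body>(?:(?:min|max)-length[ \t]+\d+[ \t]*)+)$",
    re.MULTILINE,
)
_PAIR_RE = re.compile(r"(min|max)-length[ \t]+(\d+)")


class PassphrasePolicy(NamedTuple):
    min_length: int
    max_length: int
    explicit: bool  # True if at least one userpassphrase line was present


def parse_userpassphrase(config: str) -> PassphrasePolicy:
    """Return the effective min/max passphrase lengths from a running-config.
    Later lines override earlier ones, as they would when typed in config mode."""
    min_len, max_len, explicit = DEFAULT_MIN_LENGTH, DEFAULT_MAX_LENGTH, False
    for m in _USERPASSPHRASE_RE.finditer(config):
        for kind, value in _PAIR_RE.findall(m.group("body")):
            explicit = True
            if kind == "min":
                min_len = int(value)
            else:
                max_len = int(value)
    return PassphrasePolicy(min_len, max_len, explicit)


def audit_passphrase_length(config: str, required_min: int = RECOMMENDED_MIN_LENGTH) -> list[str]:
    """Return a list of findings; an empty list means the control passes."""
    policy = parse_userpassphrase(config)
    source = "configured" if policy.explicit else "default"
    findings = []
    if policy.min_length < required_min:
        findings.append(f"{source} min-length {policy.min_length} is below required {required_min}")
    if policy.max_length < DEFAULT_MAX_LENGTH:
        findings.append(f"max-length {policy.max_length} was lowered from the default {DEFAULT_MAX_LENGTH}")
    return findings


# Constructed sample configs (not captured from a real device).
COMPLIANT_CONFIG = "hostname nx-core-1\nuserpassphrase min-length 20 max-length 127\n"
WEAK_CONFIG = "hostname nx-core-2\nuserpassphrase min-length 8\nuserpassphrase max-length 80\n"
```

Running the audit against a collected configuration archive, rather than only live devices, also catches the stored-configuration exposure described under Impact.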

See Also

https://workbench.cisecurity.org/files/3102

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Cisco

Control ID: 1eda862f85bb0aa98b0d59ddb9b68f1b745450cdf1e0c5794d936ecc1b56b6fa