1.4.3 Set password lifetime, warning time and grace time for local credentials

Information

NX-OS has commands to adjust the permitted lifetime of passphrases for local credentials, as well as the "warning time" before expiry and the "grace time" after expiry. If local credentials are in use, it is recommended that these be set to a value appropriate to the organization. Note that these timers cannot be set for the "admin" credential.

Regularly changing passwords helps mitigate the risks associated with compromised credentials, as passwords can be compromised through various means such as phishing attacks, data breaches, or being shared inadvertently. Even if your password is strong, it might still be leaked in a data breach from another service, so regularly changing passwords reduces the impact of such leaks by ensuring compromised passwords eventually become outdated. Additionally, regular password changes encourage users to maintain good security hygiene, serving as a reminder to choose strong, unique passwords and avoid reusing old ones. Many organizations have policies and compliance requirements that mandate regular password changes, and adhering to these policies ensures that security standards are met and reduces the risk of non-compliance penalties. Finally, if an attacker gains access to an account, they can maintain access for an extended period if the password is never changed. Regularly changing passwords helps disrupt such long-term unauthorized access.

In accordance with CIS password guidance, it is recommended that you change the passphrase every 365 days or less.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To set passphrase timers globally:

switch(config)# userpassphrase default-warntime <days>
switch(config)# userpassphrase default-gracetime <days>
switch(config)# userpassphrase default-lifetime <days>

example:

switch(config)# userpassphrase default-warntime 10
switch(config)# userpassphrase default-gracetime 10
switch(config)# userpassphrase default-lifetime 365

To set passphrase time values per-user:

switch(config)# username <userid> passphrase lifetime <days> warntime <time in days> gracetime <time in days>

example:

switch(config)# username test passphrase lifetime 365 warntime 10 gracetime 10
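As an added example that is not part of the benchmark text or of Nessus's own check logic: a small Python audit that reads a constructed running-config excerpt (assumed to mirror the command syntax shown above), computes each local account's effective passphrase lifetime from the per-user setting or the global default, and flags accounts that exceed the 365-day limit or have no lifetime at all, skipping "admin" because its timers cannot be set.

```python
import re

MAX_LIFETIME_DAYS = 365  # CIS guidance quoted in this benchmark item

# Constructed sample config excerpt (not real device output); password
# hashes are replaced with a placeholder token.
SAMPLE_CONFIG = """\
userpassphrase default-warntime 10
userpassphrase default-gracetime 10
username admin password 5 <hash-placeholder> role network-admin
username netops password 5 <hash-placeholder> role network-operator
username netops passphrase lifetime 365 warntime 10 gracetime 10
username svc-backup password 5 <hash-placeholder> role network-operator
"""


def parse_lifetimes(config):
    """Return (global_default_days, set_of_local_users, per_user_days)."""
    global_default = None
    users = set()
    per_user = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"userpassphrase default-lifetime (\d+)$", line)
        if m:
            global_default = int(m.group(1))
            continue
        m = re.match(r"username (\S+) passphrase lifetime (\d+)", line)
        if m:
            per_user[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"username (\S+) ", line)
        if m:
            users.add(m.group(1))
    return global_default, users, per_user


def audit(config, max_days=MAX_LIFETIME_DAYS):
    """Return (user, finding) pairs for accounts whose effective lifetime fails the limit."""
    default, users, per_user = parse_lifetimes(config)
    findings = []
    for user in sorted(users - {"admin"}):  # admin timers cannot be configured
        lifetime = per_user.get(user, default)  # per-user overrides the global default
        if lifetime is None:
            findings.append((user, "no lifetime set (default is infinite)"))
        elif lifetime > max_days:
            findings.append((user, f"lifetime {lifetime} exceeds {max_days}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_CONFIG):
        print(f"FAIL {user}: {finding}")
```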

Impact:

If local credentials are in regular use, it is recommended that a reasonable (non-default) value be set for the passphrase timer values. The default of an infinite lifetime is of course not appropriate. Previous guidance of password changes on 30 or 60 day cycles, however, is also not appropriate if complex passwords are used and enforced. Some middle ground should be set - for instance, a password change cycle on a 6 or 12 month rotation is often easy to track.

This entire discussion illustrates clearly why it is most often advisable to use a back-end authentication source for credential storage. In an organization that has multiple switches and other infrastructure, setting a password rotation is a recipe that has the risk of missing or entirely forgetting the change date, or of missing one or more devices in the change procedure. Since password recovery after the grace period involves a reboot of the entire switch, this end result is undesirable in the extreme.

The best recommendation is to set a long, complex password for any local administrative accounts, then use a back-end authentication source, so that these local accounts are only used in the event that the back-end authentication source is not reachable.

See Also

https://workbench.cisecurity.org/benchmarks/16139

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-6(9), 800-53|AU-2, 800-53|AU-12, 800-53|IA-5(1), CSCv7|4.4

Plugin: Cisco

Control ID: ef1ef12150a21a8d6145883f7570c27680dfbf97d420fa194a26822de032d716