1.4.1 Enable Password Complexity Requirements for Local Credentials

Information

While configuring a back-end authentication store is the recommended configuration, at least one local administrative account must be configured. For this reason, ensuring a minimum bar for password strength for all local administrative accounts is important. Enabling this setting enforces passwords that conform to the following rules:

- At least eight characters long
- Does not contain many consecutive characters (such as "abcd")
- Does not contain many repeating characters (such as "aaabbb")
- Does not contain dictionary words
- Does not contain proper names
- Contains both uppercase and lowercase characters
- Contains numbers

While in ideal conditions local credentials won't be used, there are many scenarios (such as deployed on a purely public network or on an air gapped network) where this is the only option. Even if a back-end authentication source is used, if that service is not available the fall-back authentication is often to local credentials.

Solution

A single command enables this:

switch(config)# password strength-check

Impact:

Having a simple password (for instance, based on a dictionary word) for administrative credentials makes that account susceptible to credential stuffing attacks. Even if using a back-end credential store such as TACACS+ or RADIUS, an attacker can drill down to the local credentials by taking the back-end service offline.

See Also

https://workbench.cisecurity.org/benchmarks/16139

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Cisco

Control ID: fbf73a4c0c47c2224c1c1ec4ba192fad29127e88a728158c8a19a8420b0aa49e