Cisco Passwords - Enforcing Minimum Password Length

Upload: vanthuan

Post on 23-Mar-2018


Page 1: Cisco Passwords - Enforcing Minimum Password · PDF fileCisco Passwords - Enforcing Minimum Password Length. ... (outside the scope of this lesson) ... Cisco claims that the default

Cisco Passwords - Enforcing Minimum Password Length

Common Types of Password Attacks

Brute-Force Attack - tries every possible character combination as a password. Recovering a single-letter password would require up to 26 attempts; a two-letter password could require up to 26*26=676. The number of possible combinations (and therefore the time required) grows rapidly as the password length and the set of allowed characters increase, and this method quickly becomes so time-consuming that it is essentially useless.

Dictionary Attack - a dictionary attack uses a brute-force technique of successively trying all the words in an exhaustive list (from a pre-arranged list of values). In contrast with a normal brute-force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words in a dictionary. Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries, or simple, easily-predicted variations on words, such as appending a digit.*

*Wikipedia entry

Password Best Practices

Cisco Password Guidelines
- Use 'enable secret' rather than 'enable password'
- Use 'service password-encryption' to provide "over-the-shoulder" (Vigenère cipher) password encryption
- Use 'username secret' (password encrypted with an MD5 hash) rather than 'username password'
- Limit the number of failed login attempts (outside the scope of this lesson)

General Password Guidelines
- Require users to change passwords at regular intervals
- Make passwords case-sensitive
- Set a minimum password length restriction
- Do not allow common words or names to be used as passwords
- Require the use of numbers and special characters in passwords*
- New passwords should significantly differ from previous passwords**
- Change passwords immediately if they may have been compromised

Once you've created a password policy, publish it and make sure that users understand and follow it.

* These are most effective in the middle of the password: p@ss6969w0rd is much better than password6969
** If your old password was password1, then password2 should not be an option for the new password
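As an added example (not from the original slides), the following Python check applies the general guidelines above to a candidate password off-box, since IOS itself cannot enforce most of them: minimum length, no dictionary word, digits and symbols in the middle rather than at the ends, and a significant difference from the previous password. The small wordlist and the similarity threshold are assumptions.

```python
import difflib
import string

# Constructed stand-in for a real wordlist (assumption: a deployment would
# load a large dictionary here instead).
COMMON_WORDS = {"password", "cisco", "lab", "admin", "router", "secret"}
DIGITS_AND_SYMBOLS = string.digits + string.punctuation
SIMILARITY_LIMIT = 0.7  # assumed cut-off for "significantly differ"


def check_password(candidate, previous=None, min_length=6):
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Reduce to letters so 'password6969' is still recognised as 'password'.
    letters = "".join(ch for ch in candidate.lower() if ch.isalpha())
    if letters in COMMON_WORDS:
        problems.append("based on a common word")
    # Per the footnote, digits and symbols count most in the middle: strip any
    # leading/trailing run of them, then require both inside what remains.
    core = candidate.strip(DIGITS_AND_SYMBOLS)
    if not any(ch.isdigit() for ch in core):
        problems.append("no digit in the middle of the password")
    if not any(ch in string.punctuation for ch in core):
        problems.append("no special character in the middle of the password")
    # password1 -> password2 is mostly the same string and is rejected.
    if previous is not None:
        ratio = difflib.SequenceMatcher(None, previous, candidate).ratio()
        if ratio >= SIMILARITY_LIMIT:
            problems.append("too similar to the previous password")
    return problems
```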

Password Best Practices

Cisco recommends: As a security best practice, passwords must be managed with a TACACS+ or RADIUS authentication server.

This gives you the ability to manage passwords far better than in IOS, but you will still need to know how to best manage passwords in IOS for a couple of reasons:

- Enable password – you will most likely want/need to configure an enable password on the device itself
- Loss of connectivity to the authentication server – there will be times when you lose communications between your device and the authentication server. You will need to configure your device to use local authentication during these outages.
- Other types of passwords – you may have some locally configured passwords and keys such as TACACS+ keys, SNMP community strings, OSPF authentication keys, etc. You will want to make sure that these items are as secure as possible.

Setting a Minimum Password Length

While most of the general password best practices cannot be enforced by Cisco IOS (such as requiring passwords to be changed frequently, the use of special characters, etc.), one best practice that you can enforce in Cisco IOS is a minimum-length requirement. We can configure this with the 'security passwords min-length' command.


security passwords min-length

The security passwords min-length command provides enhanced security access to the router by allowing you to specify a minimum password length, eliminating common passwords that are prevalent on most networks, such as "lab" and "cisco." This command affects user passwords, enable passwords and secrets, and line passwords. After this command is enabled, any password that is less than the specified length will fail.

r1(config)#security passwords min-length ?

<0-16> Minimum length of all user/enable passwords

Cisco claims that the default for this command is 6. I didn’t find this to be the case:

r1(config)#line vty 0 4
r1(config-line)#password a
r1(config-line)#

As always, your results may vary based on IOS version and platform.


security passwords min-length

r1(config)#security passwords min-length 6

r1(config)#enable pass 12345

% Password too short - must be at least 6 characters. Password configuration failed

Does NOT affect the state of pre-existing passwords:

r1(config)#enable pass 12345

r1(config)#security passwords min-length 6

r1(config)#exit

r1#disable

r1>enable

Password:[12345]   <- the password is still 5 characters; it was set before min-length 6 was configured

But new passwords MUST be 6 or more characters in length:

r1(config)#username packetlab pass 12345

% Password too short - must be at least 6 characters. Password configuration failed
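Because the command leaves passwords that were set before it untouched, as shown above, an audit of the saved configuration is the way to find them. The following Python script is an added example, not from the original slides: it reads a constructed running-config, reports 'enable password' and 'username ... password' where the secret forms should be used, notes a missing 'service password-encryption', and flags any stored password shorter than the configured min-length. The length of a type 7 string is inferred from its encoded size (a two-digit offset followed by two hex digits per character) without decoding it.

```python
import re

# Constructed sample running-config (not from the original slides). The type 7
# string on the vty line is the familiar encoding of "cisco" (5 characters).
SAMPLE_CONFIG = """\
security passwords min-length 6
enable password 12345
username packetlab password 0 12345
username ops secret 5 $1$PLAC$EHOLDERHASHxxxxxxxxxxxxx
line vty 0 4
 password 7 0822455D0A16
 login
"""

# Matches enable/username/line password statements and captures the optional
# encoding type (0 = plaintext, 7 = reversible) and the stored value.
PASSWORD_LINE = re.compile(
    r"^\s*(?:enable\s+password|username\s+\S+\s+password|password)\s+"
    r"(?:(0|7)\s+)?(\S+)"
)


def plaintext_length(kind, value):
    """Length of the underlying password without decoding it. A type 7 string
    is a two-digit offset followed by two hex digits per plaintext character."""
    if kind == "7":
        return (len(value) - 2) // 2
    return len(value)


def audit_config(text):
    """Return findings for weak password handling in a running-config."""
    findings = []
    m = re.search(r"^security passwords min-length (\d+)", text, re.M)
    min_len = int(m.group(1)) if m else 0
    if not m:
        findings.append("security passwords min-length is not configured")
    if not re.search(r"^service password-encryption", text, re.M):
        findings.append("service password-encryption is not enabled")
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("enable password"):
            findings.append("enable password used instead of enable secret")
        elif stripped.startswith("username") and " password " in stripped:
            findings.append(f"{stripped.split()[1]}: username password used instead of username secret")
        pm = PASSWORD_LINE.match(line)
        # min-length only blocks new passwords; pre-existing short ones survive.
        if pm and plaintext_length(pm.group(1), pm.group(2)) < min_len:
            findings.append(f"'{stripped}' is shorter than min-length {min_len}")
    return findings
```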

Summary

While in most production environments usernames and passwords will be handled by an authentication server such as TACACS+ or RADIUS, you will still need to configure passwords on the local device for some operations. In such cases, it's good to have a password policy in effect. While Cisco IOS does not provide mechanisms to meet all of the general password best practices, it does provide a mechanism for one of the most basic and important best practices: enforcing a minimum password length policy.

'security passwords min-length' allows you to specify a minimum password length between 0 and 16 characters. This feature is not enabled by default (this may vary by IOS version and hardware platform). Once enabled, it will not affect pre-existing passwords. When choosing the minimum-length value, always weigh security against usability. Setting the minimum length to 16 characters is the most secure, but it might make passwords too long and unwieldy for most users. Cisco's (supposed) default of 6 characters seems to me to be a good "minimum minimum length".