618 Views | 0 Helpful | 4 Replies

Catalyst 1300 password change rejected error

A curious situation found on initial fresh-out-of-the-box setup on a Catalyst 1300 (running v4.0.0.93)

When prompted to set a new username/password, a password was randomly generated ("uU&5Oo2!JfeQmjsB") and entered, only to get this response:

"Password rejected - passwords cannot contain commonly used passwords or known breached passwords."

Generating and entering a different random password went through without error, but I was curious what about this password caused the error.

Is this an odd coincidence, i.e. is this genuinely a collision with a known leaked password (which seems quite hard to believe)?

Or is this triggering some other password policy issue that isn't so obvious?


4 Replies

@claritas_solutions.com 

This could be the "!" in the middle. Exclamation marks have meaning for IOS.

That's a reasonable thought (although it's not IOS - I'd suspect it's probably related to the Cisco Small Business switch firmware; some elements of the default config smell a little similar).

So I've tested substituting "!" with other things, and replacing the "&" as well, and they also trigger the same error:

uU&5Oo2iJfeQmjsB

uU&5Oo2#JfeQmjsB

uUp5Oo2iJfeQmjsB


I did wonder if it was the letter repetition, but testing that shows it only triggers at 4 or more repeated characters, and the error for that is different.

Will probably just have to chalk it up to weirdness!


@claritas_solutions.com 

This is the password policy for SMB devices:

Configure Password Complexity Settings

The password complexity settings of the switch enable complexity rules for passwords. If this feature is enabled, new passwords must conform to the following default settings:

  • Have a minimum length of eight characters.
  • Contain characters from at least four character classes such as uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard.
  • Are different from the current password.
  • Contain no character that is repeated more than three times consecutively.
  • Do not repeat or reverse the user's name or any variant reached by changing the case of the characters.
  • Do not repeat or reverse the manufacturer's name or any variant reached by changing the case of the characters.

"Will probably just have to chalk it up to weirdness!"

Probably. 

The password policy in this case is similar, but has one additional element (number 7):

Please note that the new password must comply to the following password complexity rules:
1. The password must be at least 8 characters long.
2. Password must contain at least 3 of the following types: lowercase letters, uppercase letters, numeric digits or special characters.
3. A character can not be repeated consecutively more than 3 times.
4. The password cannot contain more than 2 sequential characters or numbers, or the reverse value of these sequences.
5. The password cannot contain the username or a reversed form of username.
6. The password cannot contain the manufacturer or product name or a reversed form of such.
7. The password cannot contain a password that is part of a predefined list of breached or dictionary based passwords.

And it is most likely from the error that number 7 is the one being triggered - just feels really strange for a random string to trigger that one!
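To make the elimination concrete, here is an added checker (not Cisco's code and not from anyone in this thread) that implements rules 1 to 7 as written above and runs the three strings from the thread through them. The username "admin", the small stand-in breached list, and the case-insensitive handling of sequential letters are assumptions; the device's real breached list is not published.

```python
import re

# Constructed stand-in for the device's breached/dictionary list (rule 7); assumption.
BREACHED_PASSWORDS = ("password", "cisco123", "admin123", "qwerty123")
# Rule 6 names: "cisco" and "catalyst" are the vendor and product named in the thread.
PRODUCT_NAMES = ("cisco", "catalyst")

def _has_run(s: str, length: int) -> bool:
    """True if a character repeats at least `length` times in a row (rule 3)."""
    return re.search(r"(.)\1{%d,}" % (length - 1), s) is not None

def _has_sequence(s: str, length: int) -> bool:
    """True if `length` alphanumerics in a row step by +1 or -1 (rule 4).
    Assumption: letters are compared case-insensitively, digits by value."""
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        if not window.isalnum():
            continue
        codes = [ord(c) for c in window.lower()]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False

def check_password(pw: str, username: str = "admin") -> list[str]:
    """Return the rules (1-7) the password breaks; [] means it would be accepted."""
    lower = pw.lower()
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    failures = []
    if len(pw) < 8:
        failures.append("rule 1: shorter than 8 characters")
    if sum(classes) < 3:
        failures.append("rule 2: fewer than 3 of the 4 character classes")
    if _has_run(pw, 4):
        failures.append("rule 3: a character repeated more than 3 times in a row")
    if _has_sequence(pw, 3):
        failures.append("rule 4: more than 2 sequential characters or digits")
    u = username.lower()
    if u and (u in lower or u[::-1] in lower):
        failures.append("rule 5: contains the username or its reverse")
    if any(n in lower or n[::-1] in lower for n in PRODUCT_NAMES):
        failures.append("rule 6: contains the manufacturer/product name or its reverse")
    if any(b in lower for b in BREACHED_PASSWORDS):
        failures.append("rule 7: contains a breached/dictionary password")
    return failures

if __name__ == "__main__":
    for pw in ("uU&5Oo2!JfeQmjsB", "uU&5Oo2iJfeQmjsB", "uUp5Oo2iJfeQmjsB"):
        print(pw, check_password(pw) or "passes the local check")
```

All three thread strings pass rules 1 to 6 here, which is why the device's own rule 7 list is the only remaining candidate.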