
Enforcing Minimum Password Length on switches, routers, and FWs

Khagler24
Level 1

Cisco sent a letter addressing the lack of ability in enforcing a minimum password length on IOS devices and ASAs. In the letter, Cisco states that "With the shipping versions of Cisco IOS as of the current date, the native capabilities allow for encrypting the password as well as specifying a minimum length."

In regards to specifying a minimum length, I believe Cisco is referring to Autosecure for routers. But I don't know of any way to set a minimum password length on switches, even though Cisco states that it is natively supported by IOS. I also know of no way to do this with ASAs. I know we can enforce several policies with TACACS, but we're looking for device IOS capabilities.

I'd also like to know what is meant by a "shipping version" of IOS. I'd always thought that a device came with a base IOS with a base license.

Thanks for the time and help.

2 Accepted Solutions


With "shipping version" the newest available versions are meant. If you don't use them, some of these fancy new features can't be used.

For the ASA:

asa(config)# password-policy ?

configure mode commands/options:
  authenticate-enable  Enable the user authentication feature
  lifetime             Set password lifetime
  minimum-changes      Set minimum character changes between old and new
                       password
  minimum-length       Set minimum password length
  minimum-lowercase    Set minimum number of lowercase password characters
  minimum-numeric      Set minimum number of numeric password characters
  minimum-special      Set minimum number of special password characters
  minimum-uppercase    Set minimum number of uppercase password characters

IOS-Router:

router(config)#security passwords min-length ?
  <0-16>  Minimum length of all user/enable passwords

For the Catalyst I'm not aware of a corresponding setting. But the best option is to let the TACACS-server control these settings.


p.mcgowan
Level 3

You can set password min-length by using the following command:

security passwords min-length

Full details of the command can be found here:

http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_s1gt.html#wp1204059

Please rate post if helpful


5 Replies

Thanks karsten for your time and knowledge. This is exactly what I was looking for.

I have a Cisco 9200L switch running IOS XE version 16.12.4 and the command for setting the minimum password length is not present.

NBS-BT-ICT-C9200L(config)#security ?
% Unrecognized command

How can I set the password length?

Hello,

I checked all command references up to the latest Bengaluru (17.6.x) release; there is no command to set the minimum password length, unfortunately...
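
Added example, not part of the original thread and not Cisco code: an offline audit that looks for the two on-box commands quoted in the thread in saved configuration text and flags devices where the minimum length is below a required value or not present at all, as on the Catalyst. The hostnames, sample configs and the required length of 12 are constructed; "not-configured" means only that neither line appears in the text given.

```python
import re

# The two on-box commands quoted in the thread, as lines in a saved config.
CHECKS = {
    "ios": re.compile(r"^security passwords min-length (\d+)\s*$", re.M),
    "asa": re.compile(r"^password-policy minimum-length (\d+)\s*$", re.M),
}
IOS_MAX = 16  # upper bound from the "<0-16>" help output quoted in the thread


def audit_min_length(config, required):
    """Return (command_family, configured_value, verdict) for one config text."""
    for family, pattern in CHECKS.items():
        match = pattern.search(config)
        if not match:
            continue
        value = int(match.group(1))
        if value >= required:
            return family, value, "ok"
        if family == "ios" and required > IOS_MAX:
            # The quoted IOS range cannot express this policy on the device.
            return family, value, "policy-exceeds-ios-range"
        return family, value, "too-short"
    # Neither command found: no explicit on-box setting in this text
    # (for example the Catalyst case above, where TACACS has to enforce it).
    return None, None, "not-configured"


def audit_fleet(configs, required):
    """Audit a mapping of hostname -> config text."""
    return {host: audit_min_length(text, required) for host, text in configs.items()}


# Constructed sample configs (hypothetical hostnames, not from the thread).
SAMPLE_CONFIGS = {
    "edge-rtr": "hostname edge-rtr\nsecurity passwords min-length 8\n",
    "core-rtr": "hostname core-rtr\nsecurity passwords min-length 14\n",
    "fw-01": "hostname fw-01\npassword-policy minimum-length 12\n"
             "password-policy minimum-numeric 1\n",
    "access-sw": "hostname access-sw\naaa new-model\n",
}

if __name__ == "__main__":
    for host, (family, value, verdict) in audit_fleet(SAMPLE_CONFIGS, 12).items():
        shown = "-" if value is None else value
        print(f"{host:10} {family or '-':4} {shown:>3} {verdict}")
```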
