Improvements in Password Management on Cisco Devices

I noticed, especially in the last year of my classroom instruction, special attention being given to password management on all Cisco security devices. This post provides an overview of notable enhancements to the IOS® router and Intrusion Prevention System platforms. The reader will note that many of these enhancements appeared in code releases issued in the past one to two years.

Computing power keeps growing dramatically, and the often-quoted Moore's law of exponential growth still holds true. A computation that took days on the first IBM PC some thirty years ago now completes in a fraction of a second. Cryptographic hash and encryption algorithms have accordingly been forced to adopt longer digest and key lengths, respectively. Similarly, short all-letter passwords in a single case can be compromised in a very short time.

To illustrate this, the screenshot below shows a password strength calculator. Accepting the default values as shown gives the unacceptable result of compromise within a minute!

Without showing the additional screenshots: selecting, one at a time, the additional options in the calculator's left column and then its right column (upper-case characters, digits, and common punctuation) raises the time to crack to 13, 31, and 74 minutes. Finally, if full ASCII (which adds special characters such as hyphens and underscores) is selected, the output below is obtained. Unquestionably, this is still an unacceptable result.

Continuing the exercise with the full ASCII option kept while increasing the password length, the time grows far more sharply: 19 days for 6 characters and 5 years for 7. Finally, below we see the result for 8 characters.

Not surprisingly, Cisco Systems introduced the global configuration command security passwords min-length in IOS® release 12.3. Since that release is now more than five years old, it is also not surprising that the command's default value is 6 characters, which, as shown above, is unacceptably weak. Many on-line references give 8 full-ASCII characters as the minimum acceptable password length.

In the Cisco Intrusion Prevention System Device Manager GUI, version 7.0, there is a provision for specifying password creation rules for local sensor user accounts. The screenshot of this with the default settings is shown here:

Note that many of the selectable choices present in the password calculator (mixed-case characters, "other" (or ASCII) characters) are mentioned here. When used properly, this feature can enforce the creation of appropriately strong passwords. I find it interesting that the above IOS® and IPS features are curiously absent on the Cisco ASA appliance.
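A policy checker modelled on the rule classes the IOS and IPS features above expose, as an added example that is not Cisco code and not the Device Manager's implementation. The rule names, message wording and defaults are the example's own: RECOMMENDED_POLICY follows the post's 8-character, mixed-character-class recommendation, while IOS_DEFAULT_POLICY mirrors only what security passwords min-length enforces at its default of 6 (a length floor, nothing about character classes).

```python
"""Password-policy checker modelled on the rule classes the post describes.

Added example; not Cisco code. A policy is a set of minimums per character
class plus a length floor; check_password reports every rule a candidate
violates so an operator can see exactly why it was rejected.
"""
from dataclasses import dataclass
import string
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8     # post recommends 8; the IOS command defaults to 6
    min_upper: int = 1      # upper-case letters
    min_lower: int = 1      # lower-case letters
    min_digits: int = 1     # decimal digits
    min_other: int = 1      # punctuation / symbols, the calculator's "other" characters
    forbid_whitespace: bool = True


# Only what 'security passwords min-length' enforces at its default.
IOS_DEFAULT_POLICY = PasswordPolicy(min_length=6, min_upper=0, min_lower=0,
                                    min_digits=0, min_other=0)
RECOMMENDED_POLICY = PasswordPolicy()


def check_password(candidate: str,
                   policy: PasswordPolicy = RECOMMENDED_POLICY) -> List[str]:
    """Return every rule the candidate violates; an empty list means it is acceptable."""
    counts = {
        "upper-case": sum(1 for c in candidate if c.isupper()),
        "lower-case": sum(1 for c in candidate if c.islower()),
        "digit": sum(1 for c in candidate if c.isdigit()),
        "other": sum(1 for c in candidate if c in string.punctuation),
    }
    violations: List[str] = []
    if len(candidate) < policy.min_length:
        violations.append(
            f"length {len(candidate)} is below the minimum of {policy.min_length}")
    requirements = [("upper-case", policy.min_upper), ("lower-case", policy.min_lower),
                    ("digit", policy.min_digits), ("other", policy.min_other)]
    for name, needed in requirements:
        if counts[name] < needed:
            violations.append(
                f"needs at least {needed} {name} character(s), has {counts[name]}")
    if policy.forbid_whitespace and any(c.isspace() for c in candidate):
        violations.append("whitespace is not allowed")
    return violations


def is_acceptable(candidate: str,
                  policy: PasswordPolicy = RECOMMENDED_POLICY) -> bool:
    """True when the candidate satisfies every rule of the policy."""
    return not check_password(candidate, policy)


def ios_min_length_command(policy: PasswordPolicy) -> str:
    """The IOS global configuration line that enforces the policy's length floor."""
    return f"security passwords min-length {policy.min_length}"


if __name__ == "__main__":
    # Constructed sample candidates for illustration only.
    for pw in ["secret", "abcdefgh", "Tr0ub4dor&3"]:
        print(f"{pw!r}: IOS default -> {is_acceptable(pw, IOS_DEFAULT_POLICY)}, "
              f"recommended -> {check_password(pw) or 'ok'}")
    print(ios_min_length_command(RECOMMENDED_POLICY))
```

Note that a length floor alone accepts a six-letter lower-case word, which the calculator exercise showed falls within a minute; the class minimums are what push a candidate toward the full-ASCII search space.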
