The Low Down on “security passwords min-length”

Although it is a trivial command, I wanted to take a deep dive into how “security passwords min-length” actually works. I had some hypotheses and preconceptions that I wanted to prove or disprove. Specifically, I wanted to answer the question of whether this command works retroactively and warns administrators that EXISTING passwords may be shorter than the length specified. This article is a quick recap of the testing and all of my findings.

The IOS command “security passwords min-length <x>” restricts the use of local passwords that are shorter than “<x>” characters. This is an obvious attempt to force administrators into creating more secure local passwords on routers and switches. This command does not address the complexity requirements (mixed case, special characters, etc.) that are often necessary to meet an organization's security best practices.

The Command

Router(config)#security passwords min-length ?
    Minimum length of all user/enable passwords

Router(config)#security passwords min-length

Out of curiosity, I wanted to find out exactly how this command works. Does it work retroactively and identify previously set passwords that fall outside the requirement? If so, how does it determine the length of an MD5 hashed “secret”? Does it apply to all “line” passwords, “enable secret”, “enable password” and the local username database? What about passwords used to authenticate to a remote system with authentication protocols like CHAP and PAP?

For testing purposes, I started out by enabling “service password-encryption” and setting the password “cisco” in several places. As seen below, IOS required me to use an alternate password for “enable password”.

Router(config)#service password-encryption
Router(config)#enable secret cisco
Router(config)#enable password cisco
The enable password you have chosen is the same as your enable secret.
This is not recommended.  Re-enter the enable password.

Router(config)#enable password cisco1
Router(config)#username test1 password cisco
Router(config)#username test2 secret cisco  
Router(config)#line vty 0 15
Router(config-line)#password cisco

Router(config-line)#do show run | inc vty|username|enable|password
service password-encryption
enable secret 5 $1$J3j1$kDafwbNSYVLpmYqLXYA/F1
enable password 7 00071A1507545A
username test1 password 7 01100F175804
username test2 secret 5 $1$oP2E$NZWtTscYAIhlZk5KF.I/y.
line vty 0 4
 password 7 104D000A0618
line vty 5 15
 password 7 104D000A0618

Next I started working through my questions. The first question was, “Does this command work retroactively to determine if previously entered passwords are too short?”

Router(config)#security passwords min-length 8
Router(config)#

That didn’t seem to do anything. However, for verification, I tested whether the “too short” credentials could still be used.

Router(config)#do telnet 192.0.2.1
Trying 192.0.2.1 ... Open

User Access Verification

Password: 
Router>en
Password: 
Router#exit

[Connection to 192.0.2.1 closed by foreign host]
Router(config)#

Based on this, we can see that this command does not work retroactively. Therefore, the question regarding how the length of an MD5 hashed password can be determined is irrelevant.

The next question was, “Does this apply to all local passwords?” This would include “enable secret”, “enable password”, line passwords, and the local user database.

Router(config)#enable secret cisco
% Password too short - must be at least 8 characters. Password configuration failed
Router(config)#enable password cisco
% Password too short - must be at least 8 characters. Password configuration failed
Router(config)#username test1 password cisco
% Password too short - must be at least 8 characters. Password configuration failed
Router(config)#username test2 secret cisco  
% Password too short - must be at least 8 characters. Password configuration failed
Router(config)#line vty 0 15
Router(config-line)#password cisco
% Password too short - must be at least 8 characters. Password configuration failed

Based on this, it does appear that the command does apply to all locally configured passwords. What about PAP or CHAP passwords required to authenticate to a remote system?

Router(config)#int serial 0/0
Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication pap chap 
Router(config-if)#ppp pap sent-username test password cisco
Router(config-if)#ppp chap hostname test
Router(config-if)#ppp chap password cisco

It appears that credentials stored for authenticating to a remote system are NOT covered by the “security passwords min-length” command.

Next, I wanted to try to circumvent the system. This time, I pasted the already hashed type 5 passwords and the type 7 XORed passwords.

Router(config)#enable secret 5 $1$J3j1$kDafwbNSYVLpmYqLXYA/F1

Router(config)#enable password 7 00071A1507545A

Router(config)#username test1 password 7 01100F175804
% Password too short - must be at least 8 characters. Password configuration failed

Router(config)#username test2 secret 5 $1$oP2E$NZWtTscYAIhlZk5KF.I/y.

Router(config)#line vty 0 15
Router(config-line)# password 7 104D000A0618
% Password too short - must be at least 8 characters. Password configuration failed

As seen in the output, the router is perfectly happy to accept some of the encrypted passwords while it rejects others. Specifically, it accepts the substandard MD5 (type 5) secrets and the type 7 enable password. However, it does not accept the type 7 passwords on the line or in the local user database.

I found it odd that the simple enable password was accepted. Thinking this might be because “enable password” is effectively unused while “enable secret” is configured, I wanted to run one more test. This time, I wanted to test the short “enable password” after removing the “secret”.

Router(config-line)#no enable secret
Router(config)#enable password 7 00071A1507545A
Router(config)#

Obviously, this is inconsistent with the checks applied to other type 7 passwords when entered this way.

After getting to this point, one more thought crossed my mind. What would happen on a reboot? Would the “min-length” command be loaded prior to the type 7 passwords that are too short and prevent some passwords from loading into the running-config?

A quick reboot of the system proved that the type 7 passwords that had failed earlier, when re-entered in their type 7 format, were likewise not merged into the running configuration.

Running Configuration (relevant sections)

service password-encryption
security passwords min-length 8
enable password 7 00071A1507545A
username test2 secret 5 $1$oP2E$NZWtTscYAIhlZk5KF.I/y.
interface serial 0/0
 ppp chap password 7 13061E010803
 ppp pap sent-username test password 7 094F471A1A0A
line vty 0 4
line vty 5 15

Startup Configuration (relevant sections)

service password-encryption
security passwords min-length 8
enable password 7 00071A1507545A
username test1 password 7 01100F175804
username test2 secret 5 $1$oP2E$NZWtTscYAIhlZk5KF.I/y.
interface serial 0/0
 ppp chap password 7 13061E010803
 ppp pap sent-username test password 7 094F471A1A0A
line vty 0 4
 password 7 104D000A0618
line vty 5 15
 password 7 104D000A0618

Based on this, my conclusion is that the “security passwords min-length” command is applied when changing or setting a password through the normal mechanisms. It does effectively stop some type 7 passwords from being set when they are entered in their type 7 format. However, this behavior is not completely consistent. Additionally, this command does not affect passwords stored locally for fulfilling authentication requests from a remote device. It is also worth noting that local usernames and line passwords with a “too short” type 7 password will not be merged into the running config after a reboot. Therefore, care must be taken when adding the minimum length criteria on a production system.
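The practical risk in the conclusion above is an administrator adding “security passwords min-length 8” to a device whose startup configuration still holds short type 7 passwords, and losing those username and line entries on the next reload. The following Python audit script is an added example (not part of the original post) that reads a saved configuration and reports which enable, username and line passwords fall below the configured minimum before the change is made; it relies on the fact that a type 7 string is a two-digit key offset followed by two hex digits per plaintext character, so the plaintext length is known without decoding anything. The sample input is the startup configuration excerpt from this post, and the scope rules (type 5 secrets and PPP credentials are not checked) follow the observations above.

```python
import re

# Constructed sample input: the startup-config excerpt shown in the article.
SAMPLE_CONFIG = """\
service password-encryption
security passwords min-length 8
enable password 7 00071A1507545A
username test1 password 7 01100F175804
username test2 secret 5 $1$oP2E$NZWtTscYAIhlZk5KF.I/y.
interface serial 0/0
 ppp chap password 7 13061E010803
 ppp pap sent-username test password 7 094F471A1A0A
line vty 0 4
 password 7 104D000A0618
line vty 5 15
 password 7 104D000A0618
"""

MIN_LEN_RE = re.compile(r"^security passwords min-length (\d+)$")
ENABLE_RE = re.compile(r"^enable password(?: (?P<type>[07]))? (?P<value>\S+)$")
USER_RE = re.compile(r"^username (?P<user>\S+) password(?: (?P<type>[07]))? (?P<value>\S+)$")
LINE_RE = re.compile(r"^ password(?: (?P<type>[07]))? (?P<value>\S+)$")  # indented, under "line ..."

def type7_plaintext_length(encoded):
    """Two-digit key offset plus two hex digits per character: length needs no decoding."""
    if len(encoded) < 4 or len(encoded) % 2 or any(c not in "0123456789abcdefABCDEF" for c in encoded):
        raise ValueError("not a type 7 string: %r" % encoded)
    return (len(encoded) - 2) // 2

def plaintext_length(ptype, value):
    # Type 0 (or no type keyword) is plaintext; type 7 preserves the plaintext length.
    return type7_plaintext_length(value) if ptype == "7" else len(value)

def audit(config):
    """Return (scope, plaintext length) for each enable, username and line password
    shorter than min-length. Type 5 secrets and PPP credentials are not length-checked."""
    min_len, section, entries = 0, "", []
    for raw in config.splitlines():
        if not raw.startswith(" "):
            section = raw.strip()          # e.g. "line vty 0 4" or "interface serial 0/0"
        if m := MIN_LEN_RE.match(raw):
            min_len = int(m.group(1))
        elif m := ENABLE_RE.match(raw):
            entries.append(("enable password", plaintext_length(m["type"], m["value"])))
        elif m := USER_RE.match(raw):
            entries.append(("username " + m["user"], plaintext_length(m["type"], m["value"])))
        elif section.startswith("line ") and (m := LINE_RE.match(raw)):
            entries.append((section, plaintext_length(m["type"], m["value"])))
    return [(scope, n) for scope, n in entries if n < min_len]
```

Running `audit(SAMPLE_CONFIG)` on the excerpt lists the enable password (6 characters), username test1 and both vty line passwords (5 characters each); the username and line entries are exactly the ones this post saw dropped on reload.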

Additional Recommended Reading
CCNA Security 640-554 Official Cert Guide (Official Certificate Guide)

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.