Although it is a trivial command, I wanted to take a deep dive into how “security passwords min-length” actually works. I had some hypotheses and preconceptions that I wanted to prove or disprove. Specifically, I wanted to answer the question of whether this command works retroactively and warns administrators that EXISTING passwords may be shorter than the length specified. This article is a quick recap of this and all of my findings.
The IOS command “security passwords min-length <x>” restricts the use of local passwords that are shorter than “<x>” characters. This is an obvious attempt to force administrators into creating more secure local passwords on routers and switches. This command does not address the complexity requirements (mixed case, special characters, etc.) that are often necessary to meet an organization’s security best practices.
The Command
Router(config)#security passwords min-length ?
Minimum length of all user/enable passwords
Router(config)#security passwords min-length
Out of curiosity, I wanted to find out exactly how this command works. Does it work retroactively and identify previously set passwords that are outside the requirement? If so, how does it determine the length of an MD5 hashed “secret”? Does it apply to all “line”, “enable secret”, “enable password” and local username database passwords? How about passwords used to authenticate to a remote system with authentication protocols like CHAP and PAP?
For testing purposes, I started out by enabling “service password-encryption” and creating the password “cisco” in several places. As seen below, IOS required me to use an alternate password for “enable password”.
Router(config)#service password-encryption
Router(config)#enable secret cisco
Router(config)#enable password cisco
The enable password you have chosen is the same as your enable secret.
This is not recommended. Re-enter the enable password.
Router(config)#enable password cisco1
Router(config)#username test1 password cisco
Router(config)#username test2 secret cisco
Router(config)#line vty 0 15
Router(config-line)#password cisco
Router(config-line)#do show run | inc vty|username|enable|password
service password-encryption
enable secret 5 $1$J3j1$kDafwbNSYVLpmYqLXYA/F1
enable password 7 00071A1507545A
username test1 password 7 01100F175804
username test2 secret 5 $1$oP2E$NZWtTscYAIhlZk5KF.I/y.
line vty 0 4
 password 7 104D000A0618
line vty 5 15
 password 7 104D000A0618
Next I started working through my questions. The first question was, “Does this command work retroactively to determine if previously entered passwords are too short?”
Router(config)#security passwords min-length 8
Router(config)#
That didn’t seem to do anything. However, for verification, I tested to see if the “too short” credentials could still be used.
Router(config)#do telnet 192.0.2.1
Trying 192.0.2.1 ... Open
User Access Verification
Password:
Router>en
Password:
Router#exit
[Connection to 192.0.2.1 closed by foreign host]
Router(config)#
Based on this, we can see that this command does not work retroactively. Therefore, the question regarding how the length of an MD5 hashed password can be determined is irrelevant.
The next question was, “Does this apply to all local passwords?” This would include “enable secret”, “enable password”, line passwords, and the local user database.
Router(config)#enable secret cisco
% Password too short - must be at least 8 characters. Password configuration failed
Router(config)#enable password cisco
% Password too short - must be at least 8 characters. Password configuration failed
Router(config)#username test1 password cisco
% Password too short - must be at least 8 characters. Password configuration failed
Router(config)#username test2 secret cisco
% Password too short - must be at least 8 characters. Password configuration failed
Router(config)#line vty 0 15
Router(config-line)#password cisco
% Password too short - must be at least 8 characters. Password configuration failed
Based on this, it does appear that the command does apply to all locally configured passwords. What about PAP or CHAP passwords required to authenticate to a remote system?
Router(config)#int serial 0/0
Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication pap chap
Router(config-if)#ppp pap sent-username test password cisco
Router(config-if)#ppp chap hostname test
Router(config-if)#ppp chap password cisco
None of these were rejected, so it appears that credentials stored for authenticating to a remote system are NOT covered by the “security passwords min-length” command.
Next, I wanted to try to circumvent the system. This time, I pasted the already hashed type 5 passwords and the type 7 XORed passwords.
Router(config)#enable secret 5 $1$J3j1$kDafwbNSYVLpmYqLXYA/F1
Router(config)#enable password 7 00071A1507545A
Router(config)#username test1 password 7 01100F175804
% Password too short - must be at least 8 characters. Password configuration failed
Router(config)#username test2 secret 5 $1$oP2E$NZWtTscYAIhlZk5KF.I/y.
Router(config)#line vty 0 15
Router(config-line)#password 7 104D000A0618
% Password too short - must be at least 8 characters. Password configuration failed
As seen in the output, the router is perfectly happy to accept some of the encrypted passwords while it rejects others. Specifically, it accepts the substandard type 5 (MD5) secrets and the type 7 “enable password”, but it rejects the type 7 passwords on the line and in the local user database.
I found it odd that the simple enable password was accepted. Thinking this might be the case because “enable password” is effectively unused when “enable secret” is in use, I wanted to run one more test. This time, I wanted to test the short “enable password” after removing the “secret”.
Router(config-line)#no enable secret
Router(config)#enable password 7 00071A1507545A
Router(config)#
Obviously, this is inconsistent with the checks applied to other type 7 passwords when entered this way.
After getting to this point, one more thought crossed my mind. What would happen on a reboot? Would the “min-length” command be loaded prior to the type 7 passwords that are too short and prevent some passwords from loading into the running-config?
A quick reboot of the system proved that the same type 7 passwords that had failed earlier when re-entered in their type 7 format were also not merged into the running configuration.
Running Configuration (relevant sections)
service password-encryption
security passwords min-length 8
enable password 7 00071A1507545A
username test2 secret 5 $1$oP2E$NZWtTscYAIhlZk5KF.I/y.
interface serial 0/0
 ppp chap password 7 13061E010803
 ppp pap sent-username test password 7 094F471A1A0A
line vty 0 4
line vty 5 15
Startup Configuration (relevant sections)
service password-encryption
security passwords min-length 8
enable password 7 00071A1507545A
username test1 password 7 01100F175804
username test2 secret 5 $1$oP2E$NZWtTscYAIhlZk5KF.I/y.
interface serial 0/0
 ppp chap password 7 13061E010803
 ppp pap sent-username test password 7 094F471A1A0A
line vty 0 4
 password 7 104D000A0618
line vty 5 15
 password 7 104D000A0618
Based on this, my conclusion is that the “security passwords min-length” command is applied when changing or setting a password through the normal mechanisms. It does stop some type 7 passwords from being set when they are entered in their type 7 format, but this behavior is not completely consistent (the type 7 “enable password” is accepted either way). Additionally, this command does not affect passwords stored locally for fulfilling authentication requests from a remote device (PPP PAP/CHAP). It is also worth noting that local usernames and line passwords with a “too short” type 7 password will not be merged into the running-config after a reboot, so those accounts and lines silently lose their credentials. Therefore, care must be taken when adding the minimum length criteria on a production system.
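Before enabling the minimum length on a production device, the saved configuration can be audited offline for the credentials that would be rejected at the next reload. The Python script below is an added example, not part of the original article: `audit` and `type7_plaintext_length` are names of my own, the verdicts encode the acceptance behaviour observed above (type 7 “enable password” accepted, PPP credentials unchecked, username and line type 7 passwords dropped when short), and the cleartext length of a type 7 string is taken from its encoded length alone (two key-offset digits, then one hex byte per character) so no password is ever decoded.

```python
import re
# Constructed sample: the startup configuration from the article (its own type 5/7 strings).
STARTUP_CONFIG = """\
service password-encryption
security passwords min-length 8
enable password 7 00071A1507545A
username test1 password 7 01100F175804
username test2 secret 5 $1$oP2E$NZWtTscYAIhlZk5KF.I/y.
interface serial 0/0
 ppp chap password 7 13061E010803
 ppp pap sent-username test password 7 094F471A1A0A
line vty 0 4
 password 7 104D000A0618
line vty 5 15
 password 7 104D000A0618
"""

def type7_plaintext_length(encoded):
    """Cleartext length of a type 7 string: two decimal key-offset digits
    followed by one hex byte per character, so no decoding is needed."""
    if not re.fullmatch(r"\d\d(?:[0-9A-Fa-f]{2})+", encoded):
        raise ValueError("not a type 7 string: %r" % encoded)
    return (len(encoded) - 2) // 2

def audit(config):
    """Return (config line, cleartext length or None, verdict) for each credential."""
    m = re.search(r"^security passwords min-length (\d+)$", config, re.M)
    min_len = int(m.group(1)) if m else 0
    verdicts, block = [], None            # block = enclosing 'line' or 'interface'
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith(("line ", "interface ")):
            block = s.split()[0]
        elif not raw.startswith(" "):     # un-indented command leaves the block
            block = None
        m7 = re.search(r"\bpassword 7 (\S+)$", s)
        if re.search(r"\bsecret 5 \S+$", s):
            verdicts.append((s, None, "type 5 hash: length cannot be checked"))
        elif m7:
            n = type7_plaintext_length(m7.group(1))
            if block == "interface":
                v = "not checked: credential for remote authentication"
            elif n >= min_len:
                v = "ok"
            elif s.startswith("enable password"):
                v = "short, but enable password 7 is accepted anyway"
            else:
                v = "short: rejected at reload and dropped from running-config"
            verdicts.append((s, n, v))
    return verdicts
```

Any entry reported as “rejected at reload” should be reset with a compliant password before the minimum length is committed to startup-config.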
Additional Recommended Reading
CCNA Security 640-554 Official Cert Guide (Official Certificate Guide)