Check: CISR-ND-000061
Cisco IOS XE Release 3 NDM STIG:
CISR-ND-000061
(in versions v1 r5 through v1 r4)
Title
If multifactor authentication is not supported and passwords must be used, the CCisco IOS XE router must require that when a password is changed, the characters are changed in at least eight of the positions within the password. (Cat II impact)
Discussion
If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.
Check Content
Verify that the Cisco IOS XE router is configured to use complex passwords. The configuration should look similar to the example below: aaa common-criteria policy PASSWORD_POLICY min-length 15 numeric-count 1 upper-case 1 lower-case 1 special-case 1 char-changes 8 If the use of complex passwords is not configured, this is a finding.
Fix Text
Use the following commands to configure password complexity: aaa common-criteria policy PASSWORD_POLICY min-length 15 numeric-count 1 upper-case 1 lower-case 1 special-case 1 char-changes 8
Additional Identifiers
Rule ID: SV-88695r2_rule
Vulnerability ID: V-74021
Group Title: SRG-APP-000170-NDM-000329
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000195 |
The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed. |
Controls
Number | Title |
---|---|
IA-5 (1) |
Password-Based Authentication |