
Ensure password complexity check is enabled

High

Explanation

This ensures that all new passwords meet the basic requirements for strong passwords.

Rationale

Password complexity recommendations are derived from the USGCB (United States Government Configuration Baseline), Common Weakness Enumeration, and benchmarks published by the CIS (Center for Internet Security). Password complexity adds entropy to a password, in comparison to a simple password of the same length. A complex password is more difficult to attack, either directly against administrative interfaces or cryptographically, against captured password hashes. However, making a password of greater length will generally have a greater impact in this regard, in comparison to making a shorter password more complex.

Impact

Simple passwords make an attacker's job very easy. There is a reasonably short list of commonly used admin passwords for network infrastructure, so not enforcing password length and complexity makes an attacker's brute-force attack far more likely to succeed.

Resolution

  1. Go to Administration > Admin and user settings > Administrator password complexity settings.
  2. Turn on "Enable password complexity check".
  3. Configure the various password settings to values that are appropriate to your organization. It is recommended that there should be at least one uppercase and one lowercase letter, at least one numeric character, at least one special character, and that the minimum password length is 12. Operationally, dictionary words should be avoided for all passwords; passphrases are a much better alternative.
  4. Click Apply.
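To see what the recommended settings in step 3 accept and reject, and why the Rationale says length matters more than complexity, here is an added Python checker. It is not the firewall's own validation code: the thresholds mirror step 3, the dictionary word list is a small constructed sample, and the entropy figure is the standard brute-force upper bound (characters used, raised to the length).

```python
import math
import re
import string

# Policy values taken from the resolution step above; this is a local
# illustration, not the firewall's validation logic.
MIN_LENGTH = 12
# Constructed sample dictionary; a real deployment would use a full word list.
DICTIONARY = {"password", "admin", "firewall", "welcome", "summer"}


def check_policy(password: str) -> list[str]:
    """Return the policy rules the password fails (empty list == compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    # Dictionary check: look at each alphabetic run so that "Admin123!"
    # is still caught even though digits and symbols were appended.
    for word in re.findall(r"[A-Za-z]+", password):
        if word.lower() in DICTIONARY:
            failures.append(f"contains dictionary word '{word}'")
    return failures


def entropy_bits(password: str) -> float:
    """Brute-force entropy upper bound: length * log2(size of character pool used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 symbols
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    for pw in ["Admin123!", "summer2024!!", "Correct-Horse-Battery-Staple-7"]:
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, failures={check_policy(pw)}")
```

A 20-character all-lowercase passphrase scores higher on the entropy estimate than a 12-character password drawn from all four classes, which is the point the Rationale makes; the complexity rules still apply on top of that under this configuration.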