Cisco ISR 4000 series Configuration Manual page 27

Cisco ISR 4000 Family Routers Administrator Guidance
Note: Details for the security passwords min-length command can be found in the: [8]
Under Reference Guides  Command References  Security and VPN  See manual
Cisco IOS Security Command Reference: Commands S to Z.
2. Composed of any combination of characters that includes characters for at least 3 of these
four character sets: upper case letters, lower case letters, numerals, and the following
special characters: "!", "@", "#", "$", "%", "^", "&", "*", "(", ")". Configure the router
to enforce that complexity requirement by using enabling "aaa password restriction".
Example: TOE-common-criteria (config)# security passwords min-length 15
Enabling aaa password restriction will also enforce the following restrictions:
1. The new password cannot have any character repeated more than three times consecutively.
2. The new password cannot be the same as the associated username.
3. The password obtained by capitalization of the username or username reversed is not
accepted.
4. The new password cannot be "cisco", "ocsic", or any variant obtained by changing the
capitalization of letters therein, or by substituting "1", "|", or "!" for i, or by substituting
"0" for "o", or substituting "$" for "s".
Note: The aaa password restriction command can only be used after the aaa new-model
command is configured. [8] Under Reference Guides  Command References  Security and
VPN  See manual Cisco IOS Security Command Reference: Commands A to C.
The following configuration steps are optional, but recommended for good password complexity.
The below items are recommended but are not enforced by the TOE:
1. Does not contain more than three sequential characters, such as abcd
2. Does not contain dictionary words
3. Does not contain common proper names
Administrative passwords, including any "enable" password that may be set for any privilege level,
must be stored in non-plaintext form. To have passwords stored as a SHA-256 hash, use the
"service password-encryption" command in config mode.
TOE-common-criteria (config)#service password-encryption
Once that service has been enabled, passwords can be entered in plaintext, or has SHA-256 hash
values, and will be stored as SHA-256 hash values in the configuration file when using the
"username" command.
TOE-common-criteria (config)#username name {password password | password encryption-
type encrypted-password}
Whether or not "service password-encryption" has been enabled, a password for an individual
username can be entered in either plaintext or as a SHA-256 hash value, and be stored as a SHA-
256 hash value by using the following command:
Page 27 of 66