password complexity

Syntax

password complexity

no password complexity

Description

Enters the password-complexity context (shown in the switch prompt as config-pwd-cplx) for the purpose of enabling and configuring password complexity. Password complexity enhances security by enforcing specific password complexity requirements. Password complexity is disabled by default and must be enabled with the enable subcommand.

The no form of this command reverts all settings to their default values and disables password complexity enforcement.

NOTE:

To ensure that enhanced security is maintained, it is recommended that you do not set any values to less than their defaults.

NOTE:

Password complexity applies only to local authentication. For remote authentication, you may choose to set up an equivalent of password complexity according to whatever is supported on your particular TACACS+ or RADIUS server.

Command context

config

Subcommands

These subcommands are available within the password complexity context (shown in the switch prompt as config-pwd-cplx).

enable
Enables password complexity enforcement. The enforcement only applies to passwords created after this enabling. Existing passwords are not checked against password complexity.
disable
Disables password complexity enforcement.
[no] history-count <COUNT>
Specifies the number of previous passwords checked to prevent excessive reuse. Not applicable when adding new users. The no form of this subcommand resets the value to its default. Default: 5. Range: 1 to 5.
[no] minimum-length <LENGTH>
Specifies the minimum password length. The no form of this subcommand resets the value to its default. Default: 8. Range: 1 to 32.
[no] position-changes <POSITIONS>
Specifies the minimum number of characters that must change in the new password compared to the previous password. Not applicable if no previous password exists, including when adding new users. The no form of this subcommand resets the value to its default. Default: 8. Range: 1 to 32.
The number of password position changes is based on the number of simple character insertions, deletions, or replacements. For example:
Old password: abCD4$ New password: abCD$    Position changes=1 ("4" deleted)
Old password: abCD4$ New password: abCDEF4$ Position changes=2 ("EF" inserted)
Old password: abCD4$ New password: ebCD4$1  Position changes=2 ("a" replaced with "e", "1" added)
Old password: abCD4$ New password: abC$#    Position changes=3 ("D4" deleted, "#" added)
[no] lowercase-count <COUNT>
Specifies the minimum lowercase character count for new passwords. The no form of this subcommand resets the value to its default. Default: 1. Range: 0 to 32.
[no] uppercase-count <COUNT>
Specifies the minimum uppercase character count for new passwords. The no form of this subcommand resets the value to its default. Default: 1. Range: 0 to 32.
[no] numeric-count <COUNT>
Specifies the minimum numeric digit count for new passwords. The no form of this subcommand resets the value to its default. Default: 1. Range: 0 to 32.
[no] special-char-count <COUNT>
Specifies the minimum special character count for new passwords. The no form of this subcommand resets the value to its default. Default: 1. Range: 0 to 32.
list
Lists the subcommands available within the password complexity context.
exit
Exits the password complexity context.
end
Exits the password complexity context and then the config context.

Authority

Administrators

Usage

  • Password complexity is only for use with plaintext passwords. With password complexity enabled, existing ciphertext passwords will continue working until a password is changed. All new passwords must be entered in plaintext form and be compliant with your password complexity configuration.

  • The effective minimum password length may be larger than the configured minimum-length value. The effective minimum password length is calculated as follows:
    LARGEST-of:(minimum-length, position-changes,
                (SUM-of:lowercase-count+uppercase-count+numeric-count+special-char-count))
    For example, with minimum-length=8 and position-changes=10 (and the sum of the other four count settings <=9), the effective minimum-length is 10 (because position-changes is largest). Similarly, with minimum-length=12, position-changes=8, lowercase-count=8, uppercase-count=4, numeric-count=1, special-char-count=1, the effective minimum-length is 14 (8+4+1+1=14) (because the sum of the four counts is largest).
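    The following is an added example, not the switch's own code: it models the position-changes rule from the subcommand description and the effective-minimum-length rule above, so an administrator can pre-check a candidate policy or password offline. It assumes "position changes" is the Levenshtein edit distance (single-character insertions, deletions and replacements), which reproduces all four documented examples; the class and function names are hypothetical.

```python
# Added example (not the switch's own code): models the position-changes and
# effective-minimum-length rules. Assumes "position changes" is the
# Levenshtein edit distance (insert/delete/replace), which matches the four
# examples given for the position-changes subcommand.
from dataclasses import dataclass


@dataclass
class ComplexityPolicy:
    # Defaults mirror the documented defaults of each subcommand.
    minimum_length: int = 8
    position_changes: int = 8
    lowercase_count: int = 1
    uppercase_count: int = 1
    numeric_count: int = 1
    special_char_count: int = 1

    def effective_minimum_length(self) -> int:
        """LARGEST-of(minimum-length, position-changes, sum of the four counts)."""
        counts = (self.lowercase_count + self.uppercase_count
                  + self.numeric_count + self.special_char_count)
        return max(self.minimum_length, self.position_changes, counts)


def position_changes(old: str, new: str) -> int:
    """Minimum number of single-character insertions, deletions or replacements."""
    prev = list(range(len(new) + 1))
    for i, oc in enumerate(old, 1):
        cur = [i]
        for j, nc in enumerate(new, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (oc != nc)))
        prev = cur
    return prev[-1]


def unmet_requirements(policy: ComplexityPolicy, new: str, old=None) -> list:
    """Names of the requirements the new password fails; empty list means compliant."""
    failures = []
    if len(new) < policy.minimum_length:
        failures.append("Minimum length")
    # Position changes only apply when a previous password exists.
    if old is not None and position_changes(old, new) < policy.position_changes:
        failures.append("Position changes")
    checks = [
        ("Numeric count", policy.numeric_count, str.isdigit),
        ("Lowercase count", policy.lowercase_count, str.islower),
        ("Uppercase count", policy.uppercase_count, str.isupper),
        ("Special character count", policy.special_char_count, lambda c: not c.isalnum()),
    ]
    for name, required, pred in checks:
        if sum(1 for c in new if pred(c)) < required:
            failures.append(name)
    return failures
```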

Examples

Configuring password complexity settings with an effective minimum length of 10 (because position-changes is 10):

switch(config)# password complexity
switch(config-pwd-cplx)# history-count 3
switch(config-pwd-cplx)# minimum-length 8
switch(config-pwd-cplx)# position-changes 10
switch(config-pwd-cplx)# lowercase-count 2
switch(config-pwd-cplx)# uppercase-count 2
switch(config-pwd-cplx)# numeric-count 2
switch(config-pwd-cplx)# special-char-count 2
switch(config-pwd-cplx)# enable
switch(config-pwd-cplx)# exit

Configuring password complexity settings with an effective minimum length of 14 (because the sum of the four count items is 14):

switch(config)# password complexity
switch(config-pwd-cplx)# history-count 4
switch(config-pwd-cplx)# minimum-length 12
switch(config-pwd-cplx)# position-changes 8
switch(config-pwd-cplx)# lowercase-count 8
switch(config-pwd-cplx)# uppercase-count 4
switch(config-pwd-cplx)# numeric-count 1
switch(config-pwd-cplx)# special-char-count 1
switch(config-pwd-cplx)# enable
switch(config-pwd-cplx)# exit

Enabling password complexity (with default settings) and changing a user (admin1) password successfully but failing to change another user (admin2) password due to not meeting complexity requirements:

switch(config)# password complexity
switch(config-pwd-cplx)# enable
switch(config-pwd-cplx)# exit
switch(config)#
switch(config)# user admin1 password
Changing password for user admin1
Enter old password:************
Enter new password:************
Confirm new password:************
switch(config)#
switch(config)# user admin2 password
Changing password for user admin2
Enter old password:************
Enter new password:************
Confirm new password:************
User password not changed.
The new password does not meet one or more of the following complexity requirements:
Minimum length          : 8
Position changes        : 8
Numeric count           : 1
Lowercase count         : 1
Uppercase count         : 1
Special character count : 1
switch(config)#

With password complexity already enabled, attempting to change an existing user password but failing because the new password is identical to a recently used one (history-count):

switch(config)# user admin1 password
Changing password for user admin1
Enter old password:************
Enter new password:************
Confirm new password:************
User password not changed.
The new password is the same as a recently used password.
switch(config)#

With password complexity already enabled, creating a new admin user (admin3) with a plaintext password that meets complexity requirements:

switch(config)# user admin3 group administrators password
Adding user admin3
Enter password:************
Confirm password:************
switch(config)#

With password complexity already enabled, attempting to create a new admin user (admin4) with a ciphertext password but failing because ciphertext passwords are not supported with password complexity enabled:

switch(config)# user admin4 group administrators password ciphertext AQBapPd...==
Ciphertext passwords cannot be used when password complexity is enabled.
switch(config)#