Cisco IOS Password Length and Failed Login Messages

As of IOS 12.3(1), Cisco introduced support for enforcing a minimum number of password characters and sending a syslog message after a specified number of failed login attempts.  Enabling these commands will help banks comply with regulations and their own policies as well as improve the security of their Cisco IOS devices.  I have not found similar commands for CatOS or PIX OS yet. [more]

security passwords min-length <length>

  • global command that sets the minimum password length for user, enable, and line passwords.
  • Default is six, but it should be configured according to bank policies.

security authentication failure rate <threshold-rate> log

  • global command that sets the number of failed login attempts (without at least a 15-second delay) before a syslog message is generated
  • Threshold value can be 2-1024.  A value of 1 will not generate any syslog messages.  Default is 10, but should comply with bank policies.