As of IOS 12.3(1), Cisco introduced support for enforcing a minimum number of password characters and sending a syslog message after a specified number of failed login attempts. Enabling these commands will help banks comply with regulations and their own policies as well as improve the security of their Cisco IOS devices. I have not found similar commands for CatOS or PIX OS yet.
security passwords min-length <length>
- Global command that sets the minimum password length for user, enable, and line passwords.
- Default is six, but it should be configured according to bank policies.
security authentication failure rate <threshold-rate> log
- Global command that sets the number of failed login attempts (without at least a 15-second delay) before a syslog message is generated.
- Threshold value can be 2-1024. A value of 1 will not generate any syslog messages. Default is 10, but should comply with bank policies.
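To check a saved configuration against policy, the following added example (not part of the original post, and not Cisco code) audits a config file for the two commands above. The defaults and the 2-1024 range are taken from the text; the `POLICY` values, the `audit_config` name, and the sample configurations are assumptions constructed for illustration.

```python
import re

# Defaults and the 2-1024 range come from the text above; POLICY is a
# hypothetical bank policy used only for this example.
DEFAULT_MIN_LENGTH = 6
DEFAULT_FAILURE_RATE = 10
POLICY = {"min_length": 12, "max_failure_rate": 5}

MIN_LEN_RE = re.compile(r"^\s*security passwords min-length (\d+)\s*$", re.M)
FAIL_RATE_RE = re.compile(
    r"^\s*security authentication failure rate (\d+) log\s*$", re.M)


def audit_config(config_text, policy=POLICY):
    """Return (effective_settings, findings) for one device configuration."""
    findings = []

    m = MIN_LEN_RE.search(config_text)
    min_length = int(m.group(1)) if m else DEFAULT_MIN_LENGTH
    if m is None:
        findings.append("min-length not set; default of %d applies" % min_length)
    if min_length < policy["min_length"]:
        findings.append("min-length %d is below policy minimum %d"
                        % (min_length, policy["min_length"]))

    m = FAIL_RATE_RE.search(config_text)
    rate = int(m.group(1)) if m else DEFAULT_FAILURE_RATE
    if m is None:
        findings.append("failure rate not set; default of %d applies" % rate)
    elif not 2 <= rate <= 1024:
        findings.append("failure rate %d is outside the valid range 2-1024" % rate)
    if rate > policy["max_failure_rate"]:
        findings.append("failure rate %d exceeds policy maximum %d"
                        % (rate, policy["max_failure_rate"]))

    return {"min_length": min_length, "failure_rate": rate}, findings


# Constructed sample configurations (not taken from a real device).
WEAK_CONFIG = "hostname branch-rtr-01\nsecurity passwords min-length 6\n"
HARDENED_CONFIG = ("hostname branch-rtr-02\n"
                   "security passwords min-length 12\n"
                   "security authentication failure rate 3 log\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        settings, findings = audit_config(text)
        print(name, settings, findings or "compliant")
```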