6.4. Password Policies and Alternatives
💡 First Principle: An attacker doesn't need to exploit vulnerabilities when they can guess passwords. Dictionary attacks try "password123," "admin," and "CompanyName2024" in seconds. Without policies forcing better behavior, users choose predictable passwords that attackers can crack—and weak authentication renders all other security controls meaningless.
Consider this attack scenario: An attacker finds your VTY lines exposed to the internet (misconfiguration). They run a dictionary attack with common passwords. With no lockout policy, they try 10,000 passwords per minute. "cisco" works on attempt 47. Now they have enable access to your router. One weak password, one open door—game over.
What happens without password policies: People choose "password123", reuse passwords across systems, and write them on sticky notes. Each missing policy element is an exploit waiting to happen: no lockout means unlimited brute-force attempts; no expiration means a compromised password stays valid forever; no complexity means dictionary attacks succeed.
Password Policy Elements:
| Element | Best Practice | Why It Matters |
|---|---|---|
| Length | Minimum 12 characters | Longer = exponentially harder to crack |
| Complexity | Upper, lower, number, symbol | Defeats dictionary attacks |
| History | Prevent reuse of last 10 | Stops password recycling |
| Lockout | Lock after 5 failed attempts | Blocks brute-force attacks |
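The exposed-VTY scenario and the policy elements above, expressed as Cisco IOS configuration. This is an added example, not from the original page; the hostname, the username `netadmin`, the domain name and the `<...>` secret placeholders are assumptions.

```cisco
! Added example: IOS commands that enforce the policy elements in the table.
! Placeholders in <angle brackets> must be replaced with real, unique secrets.

! Length: reject any new password or secret shorter than 12 characters.
Router(config)# security passwords min-length 12

! Lockout: after 5 failed logins within 60 s, refuse all logins for 120 s,
! force a 2 s pause between attempts, and log every failure so a dictionary
! attack (thousands of tries per minute) shows up in syslog instead of
! running silently to attempt 47.
Router(config)# login block-for 120 attempts 5 within 60
Router(config)# login delay 2
Router(config)# login on-failure log

! Store credentials as hashes ("secret"), never as reversible "password".
Router(config)# enable secret <STRONG_ENABLE_SECRET>
Router(config)# username netadmin privilege 15 secret <STRONG_USER_SECRET>

! VTY hardening for the scenario above: authenticate against the local user
! database, accept SSH only (no Telnet), and drop idle sessions after 10 min.
Router(config)# ip domain-name example.local
Router(config)# crypto key generate rsa modulus 2048
Router(config)# ip ssh version 2
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh
Router(config-line)# exec-timeout 10 0

! Complexity and history are not enforced by these commands alone; they need
! AAA (TACACS+/RADIUS) or, on images that support it, "aaa common-criteria
! policy", which is outside the scope of this example.
```

After applying it, `show login` reports whether the device is in quiet mode and how many failures triggered it, which is the first thing to check when investigating a suspected brute-force attempt.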
Password Alternatives:
Passwords have fundamental weaknesses—alternatives remove the human factor:
| Alternative | How It Works | Trade-off |
|---|---|---|
| MFA | Two or more of: something you know, something you have, something you are | More secure but more friction |
| Certificates | PKI-based; device presents cert | No passwords to steal, but complex to manage |
| Biometrics | Fingerprint, face recognition | Can't be shared, but can't be changed if compromised |