Although I think it is a good thing to force the management of passwords and communities, this can lead to heavy interventions in the management of an existing network.
For example, modifying a community must be done on the device, management software, monitoring, etc.
Can we ask that, before the final version, the mandatory implementation of these rules be reviewed?
I think what is meant is that if these are currently set to non-default, do not force the change, since the operator has already made the required changes.
Changes I would prefer over the current security measures:
For SNMP, set up an authorized IP subnet that SNMP requests should come from and drop all other requests not from that subnet.
Webpage access requires more than simple long passwords; if you are not providing a banning method with reporting, then it is still just a matter of time before the password is cracked. Longer passwords will take longer, but the lack of control and active reporting makes this useless in terms of security. Having an ACL of sorts, or a system similar to the old DenyHosts system, would actually prevent unauthorized access.
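As an added illustration of the two controls proposed in this post (a source-subnet restriction for SNMP requests and a DenyHosts-style ban with reporting for web logins), this is example code written here, not code from the thread or from the product under discussion; the management subnet, the ban threshold and window, and the login events are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed assumptions: authorized SNMP management subnet and web-login ban policy.
SNMP_ALLOWED = [ipaddress.ip_network("192.0.2.0/24")]
BAN_THRESHOLD = 5   # failed logins before a source is banned
BAN_WINDOW = 300    # seconds over which failures are counted


def snmp_source_allowed(src_ip: str) -> bool:
    """Allow an SNMP request only if its source lies in an authorized subnet; drop the rest."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in SNMP_ALLOWED)


class LoginBanTracker:
    """DenyHosts-style tracker: counts failed web logins per source and bans a source
    once it reaches BAN_THRESHOLD failures inside BAN_WINDOW seconds.
    Every ban is passed to the report callback so an operator actually sees it."""

    def __init__(self, report):
        self.failures = defaultdict(list)  # src_ip -> timestamps of recent failures
        self.banned = set()
        self.report = report

    def record(self, ts: int, src_ip: str, success: bool) -> bool:
        """Return True if the request may proceed, False if the source is banned."""
        if src_ip in self.banned:
            return False
        if success:
            self.failures.pop(src_ip, None)  # a successful login clears the counter
            return True
        recent = [t for t in self.failures[src_ip] if ts - t <= BAN_WINDOW]
        recent.append(ts)
        self.failures[src_ip] = recent
        if len(recent) >= BAN_THRESHOLD:
            self.banned.add(src_ip)
            self.report(f"banned {src_ip}: {len(recent)} failed logins in {BAN_WINDOW}s")
            return False
        return True


# Constructed sample of web login events: (timestamp, source address, success)
SAMPLE_EVENTS = [
    (100, "198.51.100.7", False), (110, "198.51.100.7", False),
    (120, "198.51.100.7", False), (130, "198.51.100.7", False),
    (140, "198.51.100.7", False), (150, "198.51.100.7", True),
    (160, "192.0.2.10", False), (170, "192.0.2.10", True),
]


def run_sample(events=SAMPLE_EVENTS):
    """Feed the sample events through the tracker; return decisions, bans and reports."""
    reports = []
    tracker = LoginBanTracker(reports.append)
    decisions = [tracker.record(ts, ip, ok) for ts, ip, ok in events]
    return decisions, sorted(tracker.banned), reports
```

Note that the fifth failure bans the source even though it then presents the correct credential, and the ban is reported rather than silently applied.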