https://community.cisco.com/t5/network-security/ios-password-encryption-algorithm/m-p/3400750#M902297 <P>It sounds like, from this question and the other one you posted, that you've been audited or are preparing for an audit. It would be better if you learned some of the fundamentals and best practices rather than asking specific questions out of context.</P> <P>&nbsp;</P> <P>In any event, ASA passwords since 9.7 can use a stronger pbkdf2 algorithm for hashing local passwords. Details are here:</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/aaa-local.html#ID-2114-00000076" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/aaa-local.html#ID-2114-00000076</A></P> <P>&nbsp;</P> <P>IOS devices should be setup to use type 9 (where possible - vs. type 5 or 7) user passwords and "enable secret" passwords. If type 8/9 are not supported on your IOS then type 5 is the next-preferred method.</P> <P>&nbsp;</P> <P><A href="https://learningnetwork.cisco.com/thread/86911" target="_blank">https://learningnetwork.cisco.com/thread/86911</A></P> Sun, 17 Jun 2018 07:25:19 GMT Marvin Rhoads 2018-06-17T07:25:19Z https://community.cisco.com/t5/network-security/ios-password-encryption-algorithm/m-p/3400744#M902235 <P>I need to implement strong encryption algorithm for Cisco IOS and ASA firewalls. How do I achieve this?</P> Fri, 21 Feb 2020 15:53:26 GMT https://community.cisco.com/t5/network-security/ios-password-encryption-algorithm/m-p/3400744#M902235 avilt 2020-02-21T15:53:26Z https://community.cisco.com/t5/network-security/ios-password-encryption-algorithm/m-p/3400750#M902297 <P>It sounds like, from this question and the other one you posted, that you've been audited or are preparing for an audit. It would be better if you learned some of the fundamentals and best practices rather than asking specific questions out of context.</P> <P>&nbsp;</P> <P>In any event, ASA passwords since 9.7 can use a stronger pbkdf2 algorithm for hashing local passwords. Details are here:</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/aaa-local.html#ID-2114-00000076" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/aaa-local.html#ID-2114-00000076</A></P> <P>&nbsp;</P> <P>IOS devices should be setup to use type 9 (where possible - vs. type 5 or 7) user passwords and "enable secret" passwords. If type 8/9 are not supported on your IOS then type 5 is the next-preferred method.</P> <P>&nbsp;</P> <P><A href="https://learningnetwork.cisco.com/thread/86911" target="_blank">https://learningnetwork.cisco.com/thread/86911</A></P> Sun, 17 Jun 2018 07:25:19 GMT https://community.cisco.com/t5/network-security/ios-password-encryption-algorithm/m-p/3400750#M902297 Marvin Rhoads 2018-06-17T07:25:19Z https://community.cisco.com/t5/network-security/ios-password-encryption-algorithm/m-p/3400949#M902300 <P>When I define users on IOS/ASA, is it possible to hide/encrypt the username in the running config?</P> <P>&nbsp;</P> <P>username Abc privilege 15 secret 5 $XXXXXXXXXXXXXXXXXXXXXXXXX</P> Mon, 18 Jun 2018 06:04:47 GMT https://community.cisco.com/t5/network-security/ios-password-encryption-algorithm/m-p/3400949#M902300 avilt 2018-06-18T06:04:47Z https://community.cisco.com/t5/network-security/ios-password-encryption-algorithm/m-p/3401074#M902307 Hi, I don't believe it's possible to hide/encrypt a local user account in the running configuration. <BR /><BR />What a lot of organizations do is implement an external aaa server (tacacs+ or radius) which stores the user accounts/passwords in a remote database (therefore not stored on the local router/switch). Mon, 18 Jun 2018 12:14:46 GMT https://community.cisco.com/t5/network-security/ios-password-encryption-algorithm/m-p/3401074#M902307 Rob Ingram 2018-06-18T12:14:46Z