6339 Views, 5 Helpful, 3 Replies

ASA5515X: md5 hash for local passwords

holger.weinel1
Level 1

Hi,

The CSO of our company noted that the passwords saved locally in the firewall configuration are stored with an MD5 hash.

Several sites on the Internet provide the possibility to decrypt passwords encrypted with these insecure hashing algorithms.

Firmware: Cisco Adaptive Security Appliance Software Version 9.5(3)6

Hardware: ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC

I did find a hardening guide under

This guide contains the following note:
"... ASA uses Message Digest 5 (MD5) for Password hashing."
Is there no possibility to use secure hash algorithms such as SHA512 for password hashes stored locally in the startup-config?

Kind regards

Holger Weinel

3 Replies

Marvin Rhoads
Hall of Fame

ASA 9.7(1) introduced PBKDF2 hashing for local passwords.

PBKDF2 hashing for all local username and enable passwords

Local username and enable passwords of all lengths are stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Previously, passwords 32 characters and shorter used the MD5-based hashing method. Already existing passwords continue to use the MD5-based hash unless you enter a new password. See the "Software and Configurations" chapter in the General Operations Configuration Guide for downgrading guidelines.

We modified the following commands: enable password, username

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/release/notes/asarn97.html

You should also be using centralized authentication (which prevents use of local credentials unless there is no access to your AAA server) and restricting management access to the ASA to trusted interfaces (so that any attack would have to come from an insider vs. any random script launched against your public IP).
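The difference between the two storage methods discussed in this reply, shown as an added Python example that is not part of the thread and not Cisco's own implementation: an unsalted, single-round MD5 digest is the same for every occurrence of the same password, which is exactly what lets the lookup sites mentioned in the question map a digest back to its input, while PBKDF2 with a random per-password salt and a high iteration count produces a different stored value every time and makes each guess expensive. The hash function (SHA-256), iteration count and salt length are assumptions for the demonstration only; the page does not state which parameters the ASA uses.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample passwords for the demonstration (not from the thread).
SAMPLE_PASSWORDS = ["Winter2017!", "Winter2017!", "correct horse battery"]

# Assumed PBKDF2 parameters for this example only; the ASA's actual PRF,
# iteration count and salt length are not given on the page.
PBKDF2_HASH_NAME = "sha256"
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def md5_digest(password: str) -> str:
    """Unsalted, single-round MD5: identical input always gives an identical
    digest, so a precomputed table of digests can be consulted directly."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC with a random per-password salt and many iterations.
    Stored as 'pbkdf2$<hash>$<iterations>$<salt-hex>$<dk-hex>' (constructed
    format, chosen here so that verification can recover the parameters)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(
        PBKDF2_HASH_NAME, password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "$".join(
        ["pbkdf2", PBKDF2_HASH_NAME, str(PBKDF2_ITERATIONS), salt.hex(), dk.hex()]
    )


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt and iteration count, then
    compare in constant time so the check leaks no timing information."""
    scheme, hash_name, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unsupported scheme: %s" % scheme)
    dk = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_stored_value_twice(hasher: Callable[[str], str], password: str) -> bool:
    """True when hashing the same password twice yields the same stored value.
    That is the unsalted-hash property which makes lookup tables effective."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print("md5    :", md5_digest(pw))
        print("pbkdf2 :", pbkdf2_hash(pw))
    print("MD5 repeats for the same password   :", same_stored_value_twice(md5_digest, "Winter2017!"))
    print("PBKDF2 repeats for the same password:", same_stored_value_twice(pbkdf2_hash, "Winter2017!"))
    stored = pbkdf2_hash("Winter2017!")
    print("verify correct password:", pbkdf2_verify("Winter2017!", stored))
    print("verify wrong password  :", pbkdf2_verify("winter2017!", stored))
```

Run it and the two MD5 lines for the repeated password are identical while the two PBKDF2 lines differ; the release note's remark that existing passwords keep the MD5 form until re-entered matters for the same reason, since only a freshly entered password gets the salted, iterated representation.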

I am trying to find out what SHA type the PBKDF2 hashing is using for local password storage on the ASAs. I want to make sure that it's a high level of encryption. I don't see this discussed in any documents. Anyone?

Dear Community,

Following on in this thread, I am encountering an interesting problem:

My newly created usernames have their passwords stored in the config as pbkdf2 passwords.

However, when I try to log in via SSH using one of these new usernames I get "Access Denied" errors.

In troubleshooting this problem I have copied the username config from another device using the "encrypted" flag on the password.

When using this "encrypted" username and its associated password, all works fine.

Does anybody else have any experience with this type of behavior?

Thanks

Andrew
