Did you choose password type 8 or 9?

waddealister
Level 1

We aren't required to follow a certain direction, but I know 2 years ago NSA & NIST essentially said use 8 because 9 wasn't yet vetted. Cisco had or does recommend type 9. What did you go with?

Finally upgrading from the ones you can just paste and see online. From quick testing, it looks like just using the command "username <user> algorithm-type sha256 secret <pass>" would be the safest way to overwrite the old user of the same name with the better protection, with no downside of it accidentally being cleared first and then not supporting the command, such as in the case of old switches.
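As an added example (not part of the original post), the following Python script classifies the local credential lines in a saved running-config by password type, so that after running the overwrite command above you can confirm that every `username` and `enable` line now reports Type 8 or Type 9 and that nothing was left behind as Type 0, 5 or 7. The config text and hash values are constructed for the example; the type descriptions are the commonly documented IOS storage schemes.

```python
"""Audit local credentials in a Cisco IOS/IOS-XE running-config by password type.

A line that still shows type 5 or 7 after the migration command was entered
indicates the device did not accept 'algorithm-type sha256' and kept the old entry.
"""
import re

# Constructed sample config: hostnames, users and hash strings are not from any real device.
SAMPLE_CONFIG = """\
hostname edge-sw01
enable secret 5 $1$abcd$CONSTRUCTEDSAMPLEHASH00000
username legacyadmin password 7 0123456789ABCDEF
username netops secret 8 $8$SALTSALTSALT12$CONSTRUCTEDSAMPLEHASHVALUE000000000000000
username auditor secret 9 $9$SALTSALTSALT12$CONSTRUCTEDSAMPLEHASHVALUE000000000000000
username helpdesk privilege 15 password 0 Plaintext123
line vty 0 4
 login local
"""

# Storage scheme and how urgently each type should be replaced.
TYPE_INFO = {
    "0": ("cleartext", "critical"),
    "7": ("Vigenere-style obfuscation, trivially reversible", "critical"),
    "5": ("MD5-crypt (deprecated)", "weak"),
    "6": ("AES reversible encryption (meant for keys, not user secrets)", "review"),
    "8": ("PBKDF2-HMAC-SHA256", "ok"),
    "9": ("scrypt", "ok"),
}

# Matches 'enable secret|password <type> <value>' and
# 'username <name> [options] secret|password <type> <value>'.
CRED_RE = re.compile(
    r"^(?P<kind>enable|username\s+(?P<user>\S+))\b.*?"
    r"\s(?P<cmd>secret|password)\s+(?P<type>\d)\s+(?P<value>\S+)\s*$"
)


def audit_config(config_text):
    """Return one finding per credential line, with a migration command where needed."""
    findings = []
    for line in config_text.splitlines():
        m = CRED_RE.match(line.strip())
        if not m:
            continue
        ptype = m.group("type")
        scheme, severity = TYPE_INFO.get(ptype, ("unknown type", "review"))
        subject = m.group("user") or "enable"
        finding = {"subject": subject, "type": ptype, "scheme": scheme,
                   "severity": severity, "fix": None}
        if severity in ("critical", "weak"):
            # Re-entering the same username replaces the existing entry in place.
            if subject == "enable":
                finding["fix"] = "enable algorithm-type sha256 secret <new-password>"
            else:
                finding["fix"] = f"username {subject} algorithm-type sha256 secret <new-password>"
        findings.append(finding)
    return findings


def needs_migration(config_text):
    """Subjects (user names or 'enable') whose stored secret should be replaced."""
    return [f["subject"] for f in audit_config(config_text) if f["fix"]]


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['subject']:<12} type {f['type']}  {f['severity']:<8} {f['scheme']}")
        if f["fix"]:
            print(f"{'':<12} -> {f['fix']}")
```

Run it against `show running-config` output captured to a file; the `fix` strings are templates, the new password itself is typed on the device, never stored in the audit output.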


@waddealister, the link below is a Cisco guide comparing the different types.

https://community.cisco.com/t5/networking-knowledge-base/understanding-the-differences-between-the-cisco-password-secret/ta-p/3163238

Q: Which is most secure, Type 6, 8 or 9?

A: This is debatable. Since Type 8 & 9 are one-way hashes they could be considered the most secure. However, I believe popular tools are able to brute force Type 8 & 9 and I’m not sure if Type 6 can be brute forced… yet.  

Hey @Rob Ingram & @waddealister 

Rob, thanks for pointing to my doc! Cool seeing you in Amsterdam and I wish we had more time to talk. 

Both Type 8 SHA256 and Type 9 SCRYPT are secure and, to date in 2024, I haven't heard about any successful attacks on Type 8 (SHA256) or Type 9 (SCRYPT), even though some popular tools posit attacks. 

In IOS XE the default is Type 9 but personally, I prefer to use Type 8.

A good auditor may ding you for using Type 9 because it's not NIST approved, especially in the US Defense \ Public Sector.

From quick testing, it looks like just using command, "username <user> algorithm-type sha256 secret <pass>"

Yes, that sounds like an excellent method of replacing either Type 7 (obfuscation) or Type 9 (SCRYPT hash).

Pro Tip: when reconfiguring these, think about adding a Common Criteria policy as well! This allows you to set password strength requirements (upper, lower, special chars & more) and ensures that your passwords follow those req's.

You can automate this with Ansible as well!  I presented this at Cisco Live recently and here is the Guide \ Playbooks. 
https://github.com/timmayg/clemea2024-devwks-2008/blob/main/02-Local_Auth.md

Hope this helps and if you have questions let me know. 

Tim
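As an added example (not part of Tim's reply or his playbooks), the Python below computes and verifies Type 8 and Type 9 secrets and applies a strength check modelled on the knobs of a Common Criteria password policy (minimum length, upper/lower/numeric/special counts). It assumes the commonly documented parameters for these formats, which the thread itself does not state: Type 8 is PBKDF2-HMAC-SHA256 with 20,000 iterations, Type 9 is scrypt with N=16384, r=1, p=1, both use a 14-character salt and a 32-byte output encoded with the crypt-style `./0-9A-Za-z` alphabet. The password and salt values are constructed for the example.

```python
"""Type 8 / Type 9 secret handling and a Common Criteria-style strength check.

Assumptions (commonly documented, not stated in the thread):
  Type 8: $8$<salt14>$<hash43>  PBKDF2-HMAC-SHA256, 20000 iterations, 32-byte key
  Type 9: $9$<salt14>$<hash43>  scrypt N=16384 r=1 p=1, 32-byte key
  Both encode the 32 bytes as base64 with the crypt alphabet and no padding.
"""
import base64
import hashlib
import hmac
import re
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_TO_ITOA64 = str.maketrans(_STD_B64, ITOA64)
_SECRET_RE = re.compile(r"^\$(?P<type>[89])\$(?P<salt>[./0-9A-Za-z]{14})\$(?P<hash>[./0-9A-Za-z]{43})$")


def _encode(raw):
    """Standard base64 bit grouping, crypt alphabet, padding stripped (32 bytes -> 43 chars)."""
    return base64.b64encode(raw).decode().rstrip("=").translate(_TO_ITOA64)


def new_salt():
    """14 random characters from the crypt alphabet."""
    return "".join(secrets.choice(ITOA64) for _ in range(14))


def cisco_type8_hash(password, salt=None):
    """Type 8 (algorithm-type sha256): PBKDF2-HMAC-SHA256, 20000 iterations."""
    salt = salt or new_salt()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20000, dklen=32)
    return f"$8${salt}${_encode(dk)}"


def cisco_type9_hash(password, salt=None):
    """Type 9 (algorithm-type scrypt): scrypt N=16384, r=1, p=1."""
    salt = salt or new_salt()
    dk = hashlib.scrypt(password.encode(), salt=salt.encode(), n=16384, r=1, p=1, dklen=32)
    return f"$9${salt}${_encode(dk)}"


def verify_cisco_secret(stored, password):
    """Recompute the stored Type 8/9 secret and compare in constant time.

    Anything that is not a well-formed Type 8 or 9 string (for example a Type 7
    value) is rejected rather than guessed at.
    """
    m = _SECRET_RE.match(stored)
    if not m:
        return False
    fn = cisco_type8_hash if m.group("type") == "8" else cisco_type9_hash
    return hmac.compare_digest(fn(password, m.group("salt")), stored)


def check_policy(password, min_length=15, upper=1, lower=1, numeric=1, special=1):
    """Return the list of violated requirements; an empty list means the password passes.

    The parameter names mirror the counts a Common Criteria policy lets you set.
    """
    violations = []
    if len(password) < min_length:
        violations.append(f"min-length {min_length}")
    if sum(c.isupper() for c in password) < upper:
        violations.append(f"upper-case {upper}")
    if sum(c.islower() for c in password) < lower:
        violations.append(f"lower-case {lower}")
    if sum(c.isdigit() for c in password) < numeric:
        violations.append(f"numeric-count {numeric}")
    if sum(not c.isalnum() for c in password) < special:
        violations.append(f"special-case {special}")
    return violations


if __name__ == "__main__":
    pw = "CorrectHorse!7x"  # constructed sample password
    print(check_policy(pw) or "policy ok")
    for h in (cisco_type8_hash(pw), cisco_type9_hash(pw)):
        print(h, verify_cisco_secret(h, pw))
```

A `verify_cisco_secret` that returns `False` for every non-`$8$`/`$9$` string doubles as a cheap check that a migrated config contains only the intended formats; run `check_policy` on candidate passwords before pushing them, with the same counts you configured on the device.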
