Traditionally Cisco has used several different methods for storing passwords and keys in IOS. The older methods are Type 5 (MD5 hash) & Type7 (Vigenere obfuscation). We enabled Type 7 encryption with the CLI service password-encryption command.
There are some newer methods like Type 8 (SHA256) and Type 9 (SCRYPT). At this time my recommendation is to never use Type 5 or Type 7 and absolutely do not EVER use Type 4.
Today in 2021 the recommendation is to use Type 6, Type 8 and Type 9. Type 6 use strong AES 128-bit encryption for storing passwords. If you interested in the details for Types 0,4,5,6,7,8,9 please check out this other document I wrote. I’d like to make a counting joke here but I won’t.
Note: Using Type 6 has been supported since 2006, IOS 12.3(2)T and possibly earlier!
For a detailed explanation of each password type please see this document I wrote.
In this example I’m working with devices that have reset to factory defaults.
Catalyst 9300 with IOS XE 17.3(3)
Any device that runs modern IOS XE should support Type 6
The super-secret-password you used is very important. It's very important that you store the key somewhere offline. Be sure to keep in it KeePass, or 1Password or the password vault of your choice. Optimally each device you configure Type 6 on will have a unique Key.
Changing the Password
There shouldn’t be too many reasons to change the password key. However, if you have the old password key, changing it is an easy task with no negative effects.
These need to be reviewed \ changed.
Look into running config for Type 7 Passwords
show running-config | include _7_
Look into running config for Type 5 Passwords
show running-config | include _5_
These are safe to use.
Look into running config for Type 6 Passwords
show running-config | include _6_
Look into running config for Type 8 Passwords
show running-config | include _8_
Look into running config for Type 9 Passwords
show running-config | include _9_
Q: Should we leave service password-encryption in the config?
A: Yes, while it shouldn’t be needed because we’ve enabled Type 6 passwords, leaving service password-encryption in the running config will cause any non-Type 6 supported passwords to be obfuscated instead of being stored in the clear.
Q: Should I store the key ?
A: YES, the key should DEFINITELY be stored. In the event that you need to move this devices config to a new device you will need the key.
Q: What passwords will be converted?
A: According to my tests the following passwords and password types will be converted:
TACACS server keys (previously in Type 7)
RADIUS server keys (previously in Type 7)
vty login passwords (previously in Type 7)
Q: What password types will NOT be converted?
A: According to my tests the following passwords and password types will be NOT be converted:
enable secret 9
Q: Can you revert to non-Type 6 passwords?
A: Reverting to non-Type 6 is a manual process.
First, identify all type 6 passwords
no password-encryption aes
Then, revert each of the previously identified Type 6 and reconfigure.
Q: What happens if I need to change the password encryption key?
A: This is typically not needed, however, if you still have the password, good, no problem! Just change it, see the above example.
Q: What happens if I lose the password encryption key?
Q: What happens if I lose the password encryption key and need to change the password encryption key?
A: I'd call Cisco TAC
Q: Where should I look for changes in the running-config?
A: Typically, I’ve seen Type 5 and Type 7 passwords in the following places:
username kashvi password …
BGP peer password
MKA preshared key
Q: Can I implement password encryption aes on an existing switch?
A: Yes, of course! Please use the verification commands above to assure that all of your legacy passwords especially Type 5 and Type 7 are converted to the newer Type 6.
Q: I’m deploying a new switch \ router, how should it be configured?
A: Use the configuration script above right from the start. There is no need to use service password-encryption.
Q: In the event I need to use Type 8 or Type 9 which is more secure?
A: Both Type 8 and Type 9 are secure, feel comfortable using either.
Q: I don’t see key config-key password-encrypt in the running config…
A: Yes, you shouldn’t. Keeping the key in clear text would be insecure as it may provide a means to decrypt the passwords. The key is stored in a partition that is not accessible by the administrator.
Q: Can I configure Type 6 encryption on my router if my BGP, OSPF, EIGRP peer router doesn’t support it.
A: Yes! Because the routing protocol’s process on your router will decrypt the password before using it with the peer this should not be a problem.
Q: Should I be using enable password or enable secret?
A: Definitely use enable secret. If both are configured only enable secret is used.
I am pretty new to all things Cisco so apologies for any dumb questions or inability to grasp basic concepts. Trying to set up a cisco router, C897VA-K9, and need to assign outbound ip addresses and direct inbound traffic. outbound ip addresses: for ...
I'm connecting an interface off of a firewall onto port 41 of a 2960x running 15.0(2)EX5 with a very generic configuration: interface GigabitEthernet0/41switchport access vlan 200switchport mode access When I issue a "show mac address-t int...
Port 47 on a brand new C9400-LC-48U module is not supplying POE, it does support a network connection. "sh power inline g5/0/47" does not show any issues. It is the same as other ports on the card. We have not tried every port on the module, but the devic...