Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel

Understanding the differences between the Cisco password \ secret Types

Labels:
33618
Views
20
Helpful
2
Comments
Tim Glen
Beginner
‎07-14-2016 01:40 PM
edited on: ‎03-01-2019 ‎05:07 PM

Best Practices

  • The enable password command should no longer be used. Use enable secret instead.
  • username joeblow password mypass command should no longer be used.  Use username joeblow secret mypass instead.
  • Type 4 Passwords should never be used!
  • Type 9 encryption is more resource intensive than Type 8, and both are more intensive than Type 5 (but all operate on an 8xx router fine)
  • Use Type 9 if you are able to.   If the IOS you have does not support Type 9 then use Type 7. 

Cisco Password Type’s

Type 4

Cisco created Type 4 around 2013 in an attempt to strengthen password, unfortunately the attempt was severely flawed and resulted in a hash that was weaker than a Type 5 MD5. See the PSIRT below.
Cisco IOS and Cisco IOS XE Type 4 Passwords Issue

Type 5

These use a very simple MD5 hashing algorithm. These are easily reversible with tools on the internet. These should only be used if Type 9 is not available on the IOS version you are running. 

Type 7

These use the Vigenere cipher, a very simple algorithm that was cracked in 1995. These are easily reversible with tools on the internet. These should never be used. 

Type 8

Type 8 passwords are what Type 4 was meant to be, PBKDF2, SHA-256, 80 bit salt, 20,000 iterations. While this is good, it is still vulnerable to brute forcing since AES is easy to implement in graphics cards. I have not proven it but I believe it is possible that the popular tool HashCat is able to decrypt these.

Type 9

These use the SCRYPT hashing algorithm SCRYPT, 80 bit salt, 16384 iterations. It’s expensive to run the algorithm and therefore currently the Best Practice Type password to use. I have not proven it but I believe it is possible that the popular tool HashCat is able to decrypt these.

Please rate or comment to help make this document better!

Comments
kopec2111
Beginner
Beginner
‎06-21-2019 02:53 PM
‎06-21-2019 02:53 PM
What is the first IOS to support Type 9 hashing?
ndemers
Cisco Employee
Cisco Employee
‎07-21-2020 01:07 PM
‎07-21-2020 01:07 PM

Trying to find history of Type 6,8,9 introduction into IOS and IOS-XE.

Main Question : At what point was Type 8 introduced into IOS/IOS-XE code? Some of these features dont support type 8 or 9

 

Feature Password Type 6 Password Type 7 Password Type 8 Password Type 9
line con        
line vty        
bgp neighbor        
aaa group server        
tacacs-server        
radius-server        
username        
ldp neighbor        
ISIS neighbor        
snmpv3 community string?        
keychain        

 

 

For reference the command  enable algorithm-type has a history but not the supported algorithms:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-e1.html#wp3884449514

 

enable algorithm-type

To set the algorithm type to hash a user password configured using the enable secret command, use the enable algorithm-type command in global configuration mode. To remove the algorithm type, use the no form of this command.

enable algorithm-type {md5 | scrypt | sha256}

no enable algorithm-type {md5 | scrypt | sha256}
Syntax Description
md5 	

Selects the message digest algorithm 5 (MD5) as the hashing algorithm.
scrypt 	

Selects scrypt as the hashing algorithm.
sha256 	

Selects Password-Based Key Derivation Function 2 (PBKDF2) with Secure Hash Algorithm, 26-bits (SHA-256) as the hashing algorithm.
Command Default

No algorithm type is defined.
Command Modes

Global configuration (config)
Command History
Release 	Modification  15.3(3)M3
This command was introduced.  15.5(1)S
This command was integrated into the Cisco IOS Release 15.5(1)S.

 

 

Latest Contents
Topologie incomplète CNA
Created by Klimtica11 on 05-06-2021 03:09 AM
0
0
0
0
Bonjour, dans l’entreprise sur l’utilisation du réseau Cisco assistant version 6.3 , je voulais voir quel port du switch principal du réseau, est connecté avec un autre switch et on voit pas le lien de connexion avec un autre groupe des switch. Ces deux s... view more
Command question of spanning-tree vlan 1 root primary & seco...
Created by he2413297250214 on 05-05-2021 11:44 PM
2
5
2
5
Hi, I'm practicing spanning tree protocol with packet tracer and was confused about spanning-tree vlan 1 root primary/secondary this two commands how it usually works.I've set up two switches(2960-24TT) and link them together through G0/1-2 on each s... view more
SD-WAN Port aggregation
Created by MartinJ1 on 05-05-2021 10:13 PM
0
0
0
0
hi, 1) Can we aggregate LAN ports (service interfaces) in a Cisco SD-WAN router ? 2) Can we configure the LAN ports as trunk in an SD-WAN router? Thanks in advance.  
%SYSLOG-6-SYSTEM_MSG : Logfile wrapped-around after exceedin...
Created by SR70982 on 05-05-2021 08:33 PM
1
0
1
0
Hi, Observing these logs %SYSLOG-6-SYSTEM_MSG : Logfile wrapped-around after exceeding max-size   on the nexus device Can anyone advise what are the reasons for this appearance . I believe this may be the designed behavior but jus... view more
IOS Upgrade 3850-48T 03.03.03SE to 6.03.09
Created by Alan.A on 05-05-2021 08:06 PM
4
0
4
0
I'm in the process of upgrading all of our 3850 switches from 03.06.08E to 16.03.09, so far everything are going smooth.I noticed in one of our 3850 the current image is 03.03.03SE(License Level: Ipservices), Can I upgrade it also to 16.03.09 directly? (T... view more
Content for Community-Ad