Best Practices
- The enable password command should no longer be used. Use enable secret instead.
- username joeblow password mypass command should no longer be used. Use username joeblow secret mypass instead.
- Type 4 Passwords should never be used!
- Type 9 encryption is more resource intensive than Type 8, and both are more intensive than Type 5 (but all operate on an 8xx router fine)
- Use Type 9 if you are able to. If the IOS you have does not support Type 9 then use Type 7.
Cisco Password Type’s
Type 4
Cisco created Type 4 around 2013 in an attempt to strengthen password, unfortunately the attempt was severely flawed and resulted in a hash that was weaker than a Type 5 MD5. See the PSIRT below.
Cisco IOS and Cisco IOS XE Type 4 Passwords Issue
Type 5
These use a very simple MD5 hashing algorithm. These are easily reversible with tools on the internet. These should only be used if Type 9 is not available on the IOS version you are running.
Type 7
These use the Vigenere cipher, a very simple algorithm that was cracked in 1995. These are easily reversible with tools on the internet. These should never be used.
Type 8
Type 8 passwords are what Type 4 was meant to be, PBKDF2, SHA-256, 80 bit salt, 20,000 iterations. While this is good, it is still vulnerable to brute forcing since AES is easy to implement in graphics cards. I have not proven it but I believe it is possible that the popular tool HashCat is able to decrypt these.
Type 9
These use the SCRYPT hashing algorithm SCRYPT, 80 bit salt, 16384 iterations. It’s expensive to run the algorithm and therefore currently the Best Practice Type password to use. I have not proven it but I believe it is possible that the popular tool HashCat is able to decrypt these.
Please rate or comment to help make this document better!
