1034 Views · 20 Helpful · 2 Replies

PW encryption

RobHawkz (Level 1)

I have a newbie question for you. 

I understand that "service password-encryption" is very weak, but is there a more secure option for passwords?

2 Accepted Solutions

ngkin2010 (Level 7)

Hi,

Use "secret" (5) instead of "password" (0/7) whenever possible.

username XXX password YYY
username XXX secret YYY

enable password XXX
enable secret YYY

Type-5 is hashing, which is non-revertible.
Type-7 is encryption/encoding, which is revertible. (service password-encryption)
Type-0 is simply clear text.

However, not all password-related commands support type-5 encryption.
For example: tacacs-server key {0 string | 7 string | string}

So, be aware when you try to export the "show run" output and send it to others. Examine any sensitive data even if you have enabled "service password-encryption".


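The answer above ends with the practical point: before a "show run" leaves the box, check what kind of secrets it still carries, because type 7 strings and untyped keys (tacacs-server key, radius-server key, SNMP communities) are as good as cleartext. The following is an added example, not code from the post or from Cisco: a small Python scanner that walks a running-config excerpt, classifies each credential by its IOS type digit (0, 5, 7, 8, 9, or none) and reports which lines need scrubbing or upgrading. The sample config, its hashes and its type-7 strings are constructed placeholders; the mapping from type digit to algorithm follows the post, plus types 8 and 9 as IOS labels the PBKDF2 and scrypt forms.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample "show run" excerpt; not from the original post. Every hash
# and type-7 string below is a placeholder, not a real credential.
SAMPLE_RUNNING_CONFIG = """\
hostname rtr
enable password 7 PLACEHOLDER7A
enable secret 5 $1$PLCH$placeholderMd5CryptHash
username admin password 0 Plaintext123
username noc privilege 15 secret 5 $1$PLCH$placeholderMd5CryptHash2
username ops secret 9 $9$placeholdersalt$placeholderScryptHash
username audit secret 8 $8$placeholdersalt$placeholderPbkdf2Hash
tacacs-server key 7 PLACEHOLDER7B
radius-server key SharedSecretInClear
snmp-server community public RO
"""

# IOS type digit -> (algorithm, verdict, what it means for whoever reads the config)
TYPE_INFO = {
    "0": ("cleartext", "exposed", "stored as typed; anyone holding the config has the password"),
    "7": ("type-7 encoding", "exposed", "service password-encryption output; reversible, not a hash"),
    "5": ("md5-crypt", "upgrade", "salted MD5; non-reversible but fast to brute-force, move to type 8/9"),
    "8": ("pbkdf2-sha256", "ok", "slow salted hash (algorithm-type sha256)"),
    "9": ("scrypt", "ok", "slow, memory-hard salted hash (algorithm-type scrypt)"),
}


@dataclass
class Finding:
    line_no: int
    command: str
    ptype: str     # type digit as shown in the config ("0" also for keys with no digit)
    verdict: str   # "exposed", "upgrade" or "ok"
    note: str


# enable / username lines: "<cmd> [privilege N] password|secret <type> <value>"
CRED_RE = re.compile(
    r"^(?P<cmd>enable|username \S+)\s+(?:privilege \d+\s+)?(?:password|secret)\s+"
    r"(?P<type>[05789])\s+\S+"
)
# Shared keys: only type 0 or 7 exist here; a missing digit means cleartext
KEY_RE = re.compile(r"^(?P<cmd>tacacs-server key|radius-server key)\s+(?:(?P<type>[07])\s+)?\S+")
# SNMP community strings are always cleartext
SNMP_RE = re.compile(r"^(?P<cmd>snmp-server community)\s+\S+")


def classify_line(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding for a line that carries a credential, else None."""
    text = line.strip()
    m = CRED_RE.match(text)
    if m:
        algo, verdict, note = TYPE_INFO[m.group("type")]
        return Finding(line_no, m.group("cmd"), m.group("type"), verdict, f"{algo}: {note}")
    m = KEY_RE.match(text)
    if m:
        ptype = m.group("type") or "0"
        algo, verdict, note = TYPE_INFO[ptype]
        return Finding(line_no, m.group("cmd"), ptype, verdict,
                       f"{algo}: {note}; this command has no hashed form, so scrub it before sharing")
    m = SNMP_RE.match(text)
    if m:
        return Finding(line_no, m.group("cmd"), "0", "exposed", "community string: always cleartext")
    return None


def scan_config(config_text: str) -> List[Finding]:
    """Classify every credential-bearing line of a running config."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), start=1):
        f = classify_line(n, line)
        if f:
            findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per verdict so a reviewer sees the exposure at a glance."""
    counts = {"exposed": 0, "upgrade": 0, "ok": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


if __name__ == "__main__":
    results = scan_config(SAMPLE_RUNNING_CONFIG)
    for f in results:
        print(f"line {f.line_no:>2}  {f.verdict:<8} type {f.ptype}  {f.command}: {f.note}")
    print("summary:", summarize(results))
```

Run against a real "show run" capture, anything marked "exposed" must be removed or replaced before the file is shared, and "upgrade" lines are candidates for re-entering the secret with algorithm-type sha256 or scrypt.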

Using password gives you next to no security, and "secret" alone is not considered secure any more as it uses the very weak MD5 hashing. If your equipment is not completely outdated, the better way is to specify the algorithm as sha256 or scrypt:

rtr(config)#username TEST algorithm-type ?
  md5     Encode the password using the MD5 algorithm
  scrypt  Encode the password using the SCRYPT hashing algorithm
  sha256  Encode the password using the PBKDF2 hashing algorithm

rtr(config)#username TEST algorithm-type scrypt ?
  secret  Specify the secret for the user

rtr(config)#username TEST algorithm-type scrypt secret ?
  LINE  The UNENCRYPTED (cleartext) secret for the user

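To see why the answer above prefers sha256 (PBKDF2) or scrypt over the MD5-based type 5, it helps to compare the three as a verifier would use them. This is an added example in Python, not code from the post or from Cisco: it stores a secret under each algorithm with a random salt, verifies a candidate in constant time, and times one guess per algorithm so the brute-force cost difference is visible. The work-factor parameters (20000 PBKDF2 iterations, scrypt N=16384 r=1 p=1, 80-bit salt) are stated here from memory of Cisco's documentation and are an assumption, and the md5 function is a simplified stand-in for md5-crypt, not its exact construction.

```python
import hashlib
import hmac
import os
import time

# Work-factor parameters. Assumption (from memory of Cisco's documentation, not from
# the post): type 8 is PBKDF2-HMAC-SHA256 with 20000 iterations, type 9 is scrypt with
# N=16384, r=1, p=1, both over an 80-bit salt.
PBKDF2_ITERATIONS = 20000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 16384, 1, 1
SALT_BYTES = 10


def hash_md5(password: bytes, salt: bytes) -> bytes:
    # Stand-in for type 5: one salted MD5 digest. Real md5-crypt runs 1000 rounds,
    # which is still cheap: a single GPU tests billions of MD5 blocks per second.
    return hashlib.md5(salt + password).digest()


def hash_pbkdf2(password: bytes, salt: bytes) -> bytes:
    # algorithm-type sha256 (type 8): iterated HMAC, CPU-bound
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS, dklen=32)


def hash_scrypt(password: bytes, salt: bytes) -> bytes:
    # algorithm-type scrypt (type 9): memory-hard, so GPU/ASIC parallelism helps less
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


ALGORITHMS = {"md5": hash_md5, "sha256": hash_pbkdf2, "scrypt": hash_scrypt}


def make_record(algo: str, password: str, salt: bytes = None):
    """Return (algo, salt, digest) as a device would store it for a user."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    return (algo, salt, ALGORITHMS[algo](password.encode(), salt))


def verify(record, candidate: str) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    algo, salt, digest = record
    return hmac.compare_digest(ALGORITHMS[algo](candidate.encode(), salt), digest)


def seconds_per_guess(algo: str, guesses: int = 5) -> float:
    """Average wall-clock cost of one candidate check; the attacker pays this per guess."""
    salt = b"\x00" * SALT_BYTES
    fn = ALGORITHMS[algo]
    start = time.perf_counter()
    for i in range(guesses):
        fn(b"guess%d" % i, salt)
    return (time.perf_counter() - start) / guesses


if __name__ == "__main__":
    rec = make_record("scrypt", "correct horse")
    print("verify right password:", verify(rec, "correct horse"))
    print("verify wrong password:", verify(rec, "wrong horse"))
    for algo in ALGORITHMS:
        s = seconds_per_guess(algo)
        print(f"{algo:<7} {s * 1e6:10.1f} us/guess  ~{1 / s:,.0f} guesses/s on one CPU core")
```

The timing numbers are per CPU core on whatever machine runs the script; the point is the ratio. A type 5 style hash costs microseconds per guess, while PBKDF2 and scrypt cost milliseconds, which is why the same leaked "show run" line is recoverable by dictionary attack in one case and not practically in the other.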
