Back when the Internet was born it was primarily used by academics and Universities and the Internet was not perceived as a place of threats, so simple passwords were used.
But as always happens when you have something great and let humans access it, a small minority try to cause grief. So "type 7" passwords came into life.
Then came Type 5 passwords. A big improvement. This was based on the Unix password storage system. The passwords are salted (this basically means extra random information is added so that you can't use a simple encrypted password lookup table (called a rainbow table) to get back the plain text password, and then MD5 is run over the result 1000 times with a little of bit magic happening at each iteration.
All was well with the world for quite some time, but then Moore's law kicked in. And we had so much CPU power that MD5 hashing became too weak.
There was also another fundamental problem. Hashes, like MD5, SHA1, SHA256, etc, are intended to detect modification of the encrypted data. Or to put it another way, hashes allow you to detect when someone has tampered with the data. Hashes were never intended to be used for actual password storage. Hashes were used because they were common - but it seems mis-understood.
Then came an abortion, type 4 passwords. This was meant to be an implementation of PBKDF2. But there was an accident. Cisco's implementation "forgot" to add a salt, and used only a single iteration of SHA256. Under no circumstances should this be used. You are better of using a type 5 password.
Then came type 8 passwords using PBKDF2, but implemented properly. This was a huge step forward. It uses 20,000 iterations of SHA256. I consider PBKDF2 very good, but I don't use it. Basically it relies on using lots of iterations of SHA256 to provide the security. I don't use it because it is primarily SHA256 based - once again something designed to detect changes in the original data - not for storing passwords.
Type 9 - Use Me!
And lastly came type 9 passwords using scrypt. script does use SHA256, but it is just a small part of a much larger crypto algorithm - and for the first time in a very long time in the history of passwords, it was purpose built to store passwords. At last!
scrypto is hellishly CPU intensive. So you can't just do a brute force attack (at least not on a reasonably complex password). It needs a good dob of memory for password encryption. When you are only encrypting one password you won't notice it. However it means it is hard to use a GPU or hardware ASIC to do password breaking in parallel because all those these kinds of devices have lots of compute cores they don't have enough RAM to be able to use them. scrypt has been deliberately designed to make it difficult to decrypt in parallel.
So now we have a super strong, purpose designed password storage algorithm. The question is why wouldn't you use it?
To create an enable password using it simply use the "algorithm-type scrypt" option.
We are screwed. Quantum computing is going to turn the world of encryption on its head. We have maybe 10 years.
There is no long term future for passwords. We need something completely different. Maybe a DNA print, but humans are 99.5% similar, so perhaps not. I suspect it will be something that does not exist at this point in time.
Maybe you can solve the problem, and become the future savour of computer security.
Hi AllI'm trying to setup Guest Self Registration Portal. I wanted to have the WLC Radius Requests handled by a PSN in the Secure Zone while the Portal redirection goes to another PSN in the DMZ.As a result ISE throws a “400 Bad Request” to the clien...
Hi Guys Hope all safeI just enabled Accounting on my Devices , Routers , Switches , Firewall , WLC , APshow can i trace the user's Activity's to a log file on Cisco ISE ThanksIbrahim #stayhome,StayConnected,staysafe
We are in the process of planning the upgrade of our deployment which consists of 2xAdmin,2xMonitoring and 4xServices nodes all SNS-3595-K9.As this is our first attempt doing an ISE upgrade , we are reviewing all the different methods to do it to determin...
I have a request to authorize the ios command : show run | section exclude aaa | username | eventand to deny the "show run" command.I have created a Tacacs command set with PERMIT enable, exit, traceroute and grant : PERMIT command :...
Hi,In the current software is it possible to allow more than one concurrent login from the same user account? It isn't allowed by default, the second login can only go ahead if he kicks the other one off. And I can't see anywhere obvious...