Solved: Re: Migrating password types - from type 4 to type 8

afsharki2 · ‎07-08-2015

Hi everyone,

I am getting this message when rebooting my 3850:

%AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration but Type 4 passwords have been deprecated. Migrate to a supported password type

I read on Cisco's website(http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4) about the flaws of type 4 passwords. Does anyone know the full process(step-by-step) of migrating from type 4 password to type 8? I'm going to do this on my 3850 switch but not sure how to make all the modifications to the enable password, enable secret, username etc...

Thank you

Shawn Guertin · ‎07-08-2015

I'm sorry, I forgot one word in the command, it's:

username [NAME] privilege [0-15] algorithm-type [TYPE] secret [PASSWORD]

username bob privilege 15 algorithm-type scrypt secret cleartextpassword

Would show this in the RUN:

username bob privilege 15 secret 9 $9$gVNQgE5RM0DJwp$C8hRF1ak7gPVlRY4EaFOpkq.V/G9I1CNGQ17kR3j4WU

If you don't know the original password and just want tu update, well you can't, because the router does not know the original either, you have to enter the cleartext password as a secret in order to tell the router to encrypt it with the requested algorithm. If you enter the line as I told you, the router will take the cleartext password and will only store the processed encrypted output.

Try it with a test user and look at the run afterwards, you will see...

View solution in original post

Shawn Guertin · ‎07-08-2015

The way to force a password algorithm is:

username [NAME] algorithm-type [TYPE] secret [PASSWORD]

And, if you want to change the privilège (default is 15):

username [NAME] privilege [0-15] algorithm-type [TYPE] secret [PASSWORD]

There are tree types (considering type 4 was a fail and is not available anymore):

md5 Encode the password using the MD5 algorithm (number 5)
scrypt Encode the password using the SCRYPT hashing algorithm (number 9)
sha256 Encode the password using the PBKDF2 hashing algorithm (number 8)

You should read this befor chosing between 8 or 9:

http://crypto.stackexchange.com/questions/8159/what-is-the-difference-between-scrypt-and-pbkdf2

afsharki2 · ‎07-08-2015

For the [PASSWORD] at the end; would I just enter a standard password or would i have to encrypt it than enter the text? I would like to keep the same password..how do i do that?

Shawn Guertin · ‎07-08-2015

It's cleartext, like when creating a new user, try entering an "?" after any command to see the choices and definitions.

Here is a random example:

username bob algorithm-type scrypt secret 1-Am=BoB!

or

username bob algorithm-type sha256 secret 1-Am=BoB!

And, if you want to change the privilège (default is 15):

username [NAME] privilege [0-15] algorithm-type [TYPE] secret [PASSWORD]

afsharki2 · ‎07-08-2015

Ok, thanks. Since the password you entered is cleartext 1-Am=BoB! How do I make it not be clear, so people who do sh-run can't see it.

Shawn Guertin · ‎07-08-2015

I'm sorry, I forgot one word in the command, it's:

username [NAME] privilege [0-15] algorithm-type [TYPE] secret [PASSWORD]

username bob privilege 15 algorithm-type scrypt secret cleartextpassword

Would show this in the RUN:

username bob privilege 15 secret 9 $9$gVNQgE5RM0DJwp$C8hRF1ak7gPVlRY4EaFOpkq.V/G9I1CNGQ17kR3j4WU

If you don't know the original password and just want tu update, well you can't, because the router does not know the original either, you have to enter the cleartext password as a secret in order to tell the router to encrypt it with the requested algorithm. If you enter the line as I told you, the router will take the cleartext password and will only store the processed encrypted output.

Try it with a test user and look at the run afterwards, you will see...

afsharki2 · ‎07-13-2015

This does not work. It says that "ERROR: Can not have both a user password and a user secret.Please choose one or the other."

I forgot to mention to you: I already know the password and username. I do not want to change the password and username, I just want to change the algorithm type so it's not type 4 anymore. I want to keep everything the same; just change it type 8 or 9, so it's more secure.

Thanks

Thomas Zenz · ‎02-25-2019

Thank you for the Tipp.

How can I change the algoritm for the line passwords?

(config-line)#password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
<0-9> Encryption types not explicitly specified
LINE The UNENCRYPTED (cleartext) line password

(config)#service password-encryption ?
<cr> <cr>

Hershey1702 · ‎09-01-2020

Hello all,

When I try to enter:

username [NAME] privilege [0-15] algorithm-type [TYPE] secret [PASSWORD]

I get:

"ERROR: Can not have both a user password and a user secret.
Please choose one or the other."

I ran:

"username [NAME] privilege 15 password [PASSWORD]"

Before I knew about this going away and got:

"%AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration but Type 4 passwords have been deprecated. Migrate to a supported password type"

I am guessing that I need to modify the command to leave out the username and/or the password portion. Can someone help me determine what I need to enter? Maybe just:

"algorithm-type scrypt"?

Richard Burts · ‎09-01-2020

This question came up in the original discussion but was not answered. I believe that the solution is to go into config mode, delete the existing user name line (that was created as type 4) and then to configure the user name over again specifying the more secure type of encryption.

HTH

Rick