Password Types

JohnRosso3555
Level 1

Hi

 

I saw a good article about the different password types that Cisco offers. I am currently using Type 9. Would this be the most secure?

 

Thank you!

Reza Sharifi
Hall of Fame

Hi

 

Yes, I am using Gibraltar 16.12.x IOS-XE and type 9 is supported using a manual logon for both EXEC & PRIV.

 

Do you think using Microsoft NPS radius for AD logon would actually weaken the security posture of the switch?

Not sure if Microsoft supports type 9.

Hi,

Not sure about NPS, but if you are looking for an authentication server, Aruba ClearPass is a great product: easy to set up, easy to use, and intuitive. It is a complete NAC solution without the complexity of ISE and ACS.

https://cdw-prod.adobecqms.net/content/dam/cdw/on-domain-cdw/brands/aruba/ds-clearpass-policymanager.pdf?cm_ven=acquirgy&cm_cat=google&cm_pla=S3+HPE+Aruba&cm_ite=ClearPass+B&ef_id=CjwKCAjwo4mIBhBsEiwAKgzXONWTOswGvJv4VPHLgXZCNp3d4bFEA80uTQ5ba1SyJrwdjE...

 

https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.8.0/Content/WhatsNew/NewFeatures_PolicyMgr.htm

 

HTH

inderdeeps
Level 4

@JohnRosso3555: Password Type 9: These use the SCRYPT hashing algorithm defined in the informational RFC 7914. SCRYPT uses an 80-bit salt and 16384 iterations. It’s very memory expensive to run the algorithm and therefore difficult to crack. Running it once occasionally on a Cisco device is fine though; this is currently the Best Practice Type password to use. I have not proven it but I believe it is possible that the popular tool HashCat is able to decrypt these.

Go ahead!

Hello

Yes, algorithm-type scrypt (type 9) is the most secure.

Example:
username Fred privilege 15 algorithm-type scrypt secret xxxx


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
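
A check that follows from the thread's conclusion, added here as an example (not code from any poster or from Cisco): it reads the `enable` and `username` credential lines of a saved config and lists every entry whose password type is outside an allowed set, type 9 by default. The function names, the sample config and its hash placeholders are constructed for illustration, and the descriptions of types other than 9 come from general IOS knowledge rather than from the thread.

```python
# algorithm-type keyword as typed at the CLI -> type number stored in the config
ALGORITHM_TYPES = {"md5": "5", "sha256": "8", "scrypt": "9"}
TYPE_NAMES = {
    "0": "cleartext", "4": "unsalted SHA-256", "5": "salted MD5",
    "6": "reversible AES", "7": "reversible obfuscation",
    "8": "PBKDF2-SHA-256", "9": "scrypt",
}

# Constructed sample config; hostname, users and hash strings are placeholders.
SAMPLE_CONFIG = """\
hostname lab-sw1
enable secret 9 $9$CONSTRUCTED.SALT$CONSTRUCTED.HASH
enable password 7 CONSTRUCTED
username Fred privilege 15 algorithm-type scrypt secret xxxx
username ops secret 5 $1$CONSTRUCTED$CONSTRUCTED
username legacy password oldpass
username svc privilege 15 secret 8 $8$CONSTRUCTED$CONSTRUCTED
"""

def credential_type(line):
    """Return (subject, type) for an enable/username credential line, else None."""
    tok = line.split()
    if len(tok) < 3 or tok[0] not in ("enable", "username"):
        return None
    subject, start = ("enable", 1) if tok[0] == "enable" else ("user " + tok[1], 2)
    for i in range(start, len(tok) - 1):
        if tok[i] not in ("secret", "password"):
            continue
        if i >= 2 and tok[i - 2] == "algorithm-type":
            return subject, ALGORITHM_TYPES.get(tok[i - 1], "?")
        # "<keyword> <digit> <value>" carries an explicit type; otherwise cleartext
        if tok[i + 1] in TYPE_NAMES and i + 2 < len(tok):
            return subject, tok[i + 1]
        return subject, "0"
    return None

def audit(config_text, allowed=("9",)):
    """List (line_no, subject, type, description) for credentials outside `allowed`."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        parsed = credential_type(line)
        if parsed and parsed[1] not in allowed:
            subject, ctype = parsed
            findings.append((line_no, subject, ctype, TYPE_NAMES.get(ctype, "unknown")))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Pass a wider `allowed` tuple if local policy accepts more than type 9.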