Type 4 and Type 5 passwords

Fred Rawlings · ‎10-30-2013

I was changing the username and password on our routers, currently it is as follows

userrname xxxx privilege 15 secret 5 xxxxxxxxxxx

When I enter the new username and secret 5 password, I'm getting this

username xxxx privilege 15 secret 4 xxxxxxxx

Can someone tell me why I'm getting the type 4 password as opposed to typ 5? The command I'm entering is

conf t

username xxxx privilege 15 secret xxxxxx

Even when I removed the previous usename and password and entered the new username and password, it still set it to type 4. The strange thing is that it didn't do this with all of our routers, some routers are displaying the new username and type 5 password correctly, about 23 out 150 routers are showing the password as type 4. Two things.

1. How can I fix this?

2. What's the difference between type 4 and type 5? Would it be ok to simply leave teh 23 routers with a tye 4 password or should I make them type 5?

I've also included a screenshot

Any help would be great

Thanks

~chris · ‎10-30-2013

Are all routers running with the same IOS?

The differnence between type 4 and type 5 password is the encryption where type 4 is sha256 and type is md5.

In the past i got a message during booting the switch/router after upgrading from IOS 12.x to 15.x like: change to new encryption, md5 can be deprecated soon.

HTH,

./chris

Fred Rawlings · ‎10-30-2013

Hi c.edel

No they're are not running the same IOS, but the type 5 password was on ALL the routers, but when I changed the username and password on them, majority of the routers continue to show type 5 whereas about 23 of them displayed type 4. There's been no change on the routers as far as IOS updates or anything like that, that's why I don't understand how just changing the username and password would change the password type to 4.

Richard Burts · ‎10-30-2013

There are a couple of points to make about type 4 and type 5 passwords.

- As they went into release 15 Cisco decided to introduce a new type of password which was intended to be more secure, which was the type 4 password. And as designed it would have been much more secure.

- The implementation of the new password was flawed and it is fact not better than the type 5 password. Cisco has announced plans for another new type of password which should achieve the original design criteria for type 4.

- if you input into config mode something that is like secret 5 xxxxxx( which contains the already encrypted type 5 password) then the config will maintain and use the type 5 password.

- but if you input into config mode something that is like secret xxxxxx then the new IOS will use the type 4 password.

I am guessing that you upgraded routers to new code with existing config with type 5 secret passwords. Or you did copy and paste into routers of configs that already contained the secret 5 passwords. Now you are doing maintenance to change user names and/or passwords and are getting type 4 on routers running the newer code.

As far as I know you can fix this by configuring the user name and secret on a router that is still using the type 5 secret password, and then copy and paste from that router into the new router which will then result in a type 5 secret on the new router.

HTH

Rick

HTH

Rick

Jeff Van Houten · ‎10-30-2013

Also, to Richard's point, I believe the versions of IOS released in the last few months have already deprecated type 4 passwords. If you get a relatively recent version of iOS, you shouldn't see anything attempting to use type 4 anymore.

Sent from Cisco Technical Support iPad App

Fred Rawlings · ‎11-01-2013

Thanks Richard I'm going to give that a try. I'll update with the results