Cisco Systems gives network administrators the choice of seven password protection types, ranging from no hashing or encryption to complex scrambling, to safeguard its devices.
But only one — known as Type 8 — offers the best protection from hackers, says the U.S. National Security Agency (NSA), the country’s electronic spy agency and cryptography expert, said in an information sheet issued this week.
Type 8 passwords are hashed with the PasswordBased Key Derivation Function version 2 (PBKDF2), SHA-256, an 80-bit salt, and 20,000 iterations. That makes them more secure in comparison to the other password types allowed by Cisco, the NSA said.
“Type 8 should be enabled and used for all Cisco devices running software developed after 2013,” says the NSA. “Devices running software from before 2013 should be upgraded immediately.
“Types 0, 4, 5, and 7 should not be used on Cisco devices due to weak hashing algorithms that can result in exposing user credentials. Type 6 passwords should only be used if specific keys need to be encrypted and not hashed, or when Type 8 is not available (which typically implies that Type 9 is also unavailable).” Although Cisco and industry recommend the Type 9 hashes, its algorithm has not been evaluated against NIST–approved standards, so Type 9 is not recommended by the NSA.
Type 0 passwords are not encrypted or hashed. They are stored in plaintext within the device configuration file.
The NSA says Type 6 passwords, which use a reversible 128-bit Advanced Encryption Standard (AES) encryption algorithm so a device can decrypt the protected password into the plaintext password, can be used for VPN devices. However, they shouldn’t be used for other devices unless Type 8-style passwords can’t be used.
The extra step of multifactor authentication (MFA) is the best way to protect logins for Cisco devices, says the NSA. But, it adds, in some circumstances, admins can’t implement it and users have to rely on passwords alone. In those cases the hashing and encryption protection are crucial.
“When configuration files are not properly protected, Cisco devices that are configured to use a weak password protection algorithm do not adequately secure the credentials,” the NSA says. “This can lead to compromised devices, and potentially to compromised entire networks.”
Cisco devices contain a plaintext configuration file that is loaded after the Cisco operating system boots. If that file is compromised, hackers can take over the device. Cisco devices can use hashing or encryption algorithms to secure this information, the NSA paper says, but only if they are properly configured to do so.
Hashing is a one-way algorithm that produces output that is difficult to reverse back to the original string. A random salt is often added to a password prior to hashing, making it difficult to use precomputed hashes to reverse the password. Encryption is an algorithm that uses a key to produce output; it is difficult to reverse back to the original plaintext string without a key.
For enterprises utilizing Cisco devices, NSA highly recommends using strong, approved cryptographic algorithms that will protect the password within the configuration file. Password exposure due to a weak algorithm may allow for elevated privileges, which in turn, can lead to a compromised network, it says.