NSA provides guidance on Cisco device passwords


The National Security Agency (NSA) released recommendations this week regarding the use of specific passwords to secure Cisco devices.

Cisco devices are used on Department of Defense, Defense Industrial Base, and National Security Systems networks, and any insecure credentials on these devices could compromise entire networks.

“Each device has clear-text configuration files that contain settings that control device behavior, determine how to direct network traffic, and store pre-shared keys and user authentication information. All credentials contained in Cisco configuration files could be compromised if strong password types are not used,” the NSA states.

To help administrators better secure their environments, the agency released the Cisco Password Types: Best Practices guide, which breaks down the difficulty of cracking each type of password protection used on Cisco devices and explains how easy it is to recover the plaintext password in some cases.

Using a secure password protection algorithm, the NSA explains, ensures that hackers are unable to crack passwords even if they manage to obtain the password hashes stored in the configuration files for authentication purposes.

Based on analysis of the different types of Cisco password protection – which are tracked as Type 0, 4, 5, 6, 7, 8, and 9 – the agency recommends the use of Type 8 passwords only and strongly discourages the use of Type 0, Type 4 and Type 7 passwords.


In the case of type 0 passwords, no encryption or hashing is used, which means the credentials are stored in the clear. Type 4 (deprecated since 2013) contains an implementation error that makes it weak against brute force attempts. According to the NSA, Type 7 passwords are stored as encoded strings and should be considered masked rather than encrypted.

Type 5 and Type 9 passwords, the agency explains, are not approved by NIST. Introduced about 30 years ago, type 5 is relatively easy to crack and should only be used when type 6, 8 and 9 passwords are not available. Intended to make cracking passwords very expensive, Type 9 has yet to be “evaluated against NIST-approved standards.”

Type 6 passwords, which use a reversible 128-bit AES encryption algorithm, are difficult to crack and are more secure than Type 7 passwords when the plaintext password is needed on the device. The NSA says Type 6 should always be used for VPN keys, but recommends its use in other cases only if Type 8 (and Type 9) is not available.

Introduced with Cisco’s operating systems from 2013, Type 8 passwords provide stronger protection, with no issues detected, according to the NSA. Passwords are hashed using PBKDF2, SHA-256, an 80-bit salt, and 20,000 iterations, and are stored as hashes in configuration files.

“NSA recommends that Type 8 passwords be enabled and used for all Cisco devices running software developed after 2013. Devices running software prior to 2013 should be updated immediately. Type 6 passwords should be used when reversible encryption must be used,” the NSA states.

In addition, administrators are advised to use strong (long and complex) passwords to access privileged EXEC mode and to apply the principle of least privilege for different user accounts.
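As an added, illustrative audit script (not from the NSA guide or from Cisco), the following Python applies the guidance summarised above to the credential lines of a constructed running-config: it reads the declared type number after each `secret`/`password` keyword, treats a missing number as Type 0, checks that Type 5/8/9 values carry the stored-form prefix IOS uses, and flags the entries the NSA discourages. All hash values are placeholders.

```python
import re
from typing import NamedTuple

# NSA verdicts, keyed by Cisco password type, as reported in the article above.
GUIDANCE = {
    0: ("weak", "clear text, no hashing or encryption; replace with Type 8"),
    4: ("weak", "deprecated since 2013, flawed implementation; replace with Type 8"),
    7: ("weak", "encoded (masked), not encrypted; replace with Type 8"),
    5: ("legacy", "not NIST approved; use only where Type 6/8/9 is unavailable"),
    6: ("reversible", "128-bit AES, reversible; only where plaintext is needed, e.g. VPN keys"),
    9: ("unevaluated", "not yet evaluated against NIST-approved standards"),
    8: ("recommended", "PBKDF2-SHA256, 80-bit salt, 20,000 iterations"),
}
EXPECTED_PREFIX = {5: "$1$", 8: "$8$", 9: "$9$"}  # stored-form prefixes for these types
# keyword, optional single-digit type number, then the stored value at end of line
CRED_RE = re.compile(r"\b(secret|password)\s+(?:(\d)\s+)?(\S+)\s*$")

class Finding(NamedTuple):
    line_no: int
    ptype: int
    verdict: str
    detail: str

def audit_config(config: str) -> list[Finding]:
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        m = CRED_RE.search(raw)
        if not m:
            continue
        # 'password'/'secret' with no type number is stored as Type 0 (clear text).
        ptype = int(m.group(2)) if m.group(2) else 0
        verdict, detail = GUIDANCE.get(ptype, ("unknown", "unrecognised type number"))
        want = EXPECTED_PREFIX.get(ptype)
        if want and not m.group(3).startswith(want):
            verdict, detail = "malformed", f"declared Type {ptype} but value lacks {want} prefix"
        findings.append(Finding(n, ptype, verdict, detail))
    return findings

def needs_action(findings: list[Finding]) -> list[Finding]:
    # Fix first: the types NSA discourages, plus entries whose stored form is inconsistent.
    return [f for f in findings if f.verdict in {"weak", "legacy", "malformed"}]

# Constructed sample config; hashes are placeholders, not real device output.
SAMPLE_CONFIG = """\
enable secret 5 $1$SALT$PLACEHOLDERMD5HASH
enable password 7 PLACEHOLDER7
username admin privilege 15 secret 8 $8$SALTSALTSALTSA$PLACEHOLDERPBKDF2HASH
username backup password 0 Sup3rSecret
username svc secret 9 $9$SALT$PLACEHOLDERSCRYPTHASH
username legacy password plaintext123
username bad secret 8 notahash
"""
```

Running `needs_action(audit_config(SAMPLE_CONFIG))` lists the Type 5, Type 7 and Type 0 entries plus the inconsistent Type 8 line, leaving the well-formed Type 8 and Type 9 entries untouched.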


Ionut Arghire is an international correspondent for SecurityWeek.
