Thursday, August 18, 2022

Cisco error weakens IOS password

A password hashing scheme meant to increase the resistance of Cisco Systems' IOS operating system to brute-force attacks actually left devices weaker, due to an implementation error by the company.

The problem, which concerns the new algorithm called Type 4 used on Cisco IOS and IOS XE devices, was first discovered March 12 by researchers Philipp Schmidt and Jens Steube of the Hashcat Project, developers of hash-cracking and password-recovery tools.

In a post on its website yesterday, Cisco thanked Schmidt and Steube for sharing their research with the company and "working towards a coordinated disclosure of the issue."

Type 4 was designed to be a stronger alternative to the existing Type 5 (salted, iterated MD5) and Type 7 (a reversible obfuscation) algorithms, to increase the resiliency of stored passwords against brute-force attacks.


"Due to an implementation issue, the Type 4 password algorithm does not use PBKDF2 and does not use a salt, but instead performs a single iteration of SHA-256 over the user-provided plaintext password," Cisco said. "This approach caused a Type 4 password to be less resilient to brute-force attacks than a Type 5 password of equivalent complexity."

The implementation of Type 4 passwords caused the following:

– A device running a Cisco IOS or IOS XE release with support for Type 4 passwords lost the capability to create a Type 5 password from a user-provided plaintext password

– Backward compatibility problems may arise when downgrading from a Cisco IOS or IOS XE release with Type 4 passwords to one without that support, since the older release cannot parse them

– Depending on the specific device configuration, the administrator may not be able to log in to the device or change over to privileged EXEC mode. This would then require a password recovery process to be performed

Cisco also provided instructions for administrators to help them determine whether a Cisco IOS or IOS XE release supports Type 4 passwords and whether a device's configuration contains any Type 4 passwords. The advisory also has detailed instructions on how to replace each Type 4 password with a Type 5 password.

Because of the flaw, Cisco said, future IOS and IOS XE releases will no longer generate Type 4 passwords, and the company will introduce a new password type.

However, to maintain backward compatibility, Type 4 passwords will still be parsed and accepted by those releases; customers will need to manually remove any existing Type 4 passwords from their configurations.
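The following Python is an added example, not Cisco's code or anything from the advisory. It reproduces the shipped Type 4 computation described above (one unsalted SHA-256, written out in the crypt-style base64 alphabet IOS uses), scans a running-config excerpt for `secret 4` lines the way an administrator would when checking for Type 4 passwords, and shows the practical cost of the missing salt: one pass over a wordlist recovers every account that shares a password, because identical passwords produce identical hashes. The config excerpt, the wordlist, the hostname and the Type 5 placeholder line are all constructed for illustration.

```python
import base64
import hashlib
import re

# IOS writes Type 4 output in the traditional crypt(3) alphabet rather than
# standard base64; the two alphabets differ only in symbol order, so the
# conversion is a positional character translation.
STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CRYPT_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_TO_CRYPT = str.maketrans(STD_B64, CRYPT_B64)


def crypt_b64(raw):
    """Standard base64 re-mapped to the crypt alphabet, padding stripped."""
    return base64.b64encode(raw).decode("ascii").rstrip("=").translate(_TO_CRYPT)


def type4_hash(password):
    """Type 4 as shipped: a single unsalted SHA-256, 43 output characters."""
    return crypt_b64(hashlib.sha256(password.encode("utf-8")).digest())


def type4_verify(password, stored):
    return type4_hash(password) == stored


# Forms a Type 4 secret takes in a running-config: "enable secret 4 <hash>"
# and "username <name> secret 4 <hash>". Type 5 lines ("secret 5 $1$...")
# deliberately do not match.
_TYPE4_LINE = re.compile(
    r"^\s*(?:(username\s+\S+)\s+secret|(enable)\s+secret)\s+4\s+(\S{43})\s*$"
)


def find_type4_secrets(config_text):
    """Return (principal, hash) pairs for every Type 4 secret in the config."""
    found = []
    for line in config_text.splitlines():
        m = _TYPE4_LINE.match(line)
        if m:
            found.append((m.group(1) or m.group(2), m.group(3)))
    return found


def crack_type4(hashes, wordlist):
    """Precompute one SHA-256 per candidate, then look up every target hash.

    With a salt, each target would need its own pass over the wordlist; with
    no salt, the table built here serves all targets at once.
    """
    table = {type4_hash(word): word for word in wordlist}
    return {h: table[h] for h in hashes if h in table}


# Constructed running-config excerpt (hostname, users and secrets are made up;
# the Type 5 line is a placeholder, not a real md5crypt value).
SAMPLE_CONFIG = f"""\
!
hostname edge-rtr-1
enable secret 4 {type4_hash('Summer2013!')}
username admin secret 4 {type4_hash('Summer2013!')}
username netops secret 4 {type4_hash('Cisco123')}
username legacy secret 5 $1$xyz$placeholder
line vty 0 4
!
"""

# Constructed wordlist for the demonstration.
WORDLIST = ["password", "cisco", "Cisco123", "Summer2013!", "admin"]


def demo():
    """Audit the sample config: list each Type 4 principal with the
    password the wordlist recovers for it (None if not recovered)."""
    secrets = find_type4_secrets(SAMPLE_CONFIG)
    cracked = crack_type4([h for _, h in secrets], WORDLIST)
    return [(who, cracked.get(h)) for who, h in secrets]


if __name__ == "__main__":
    for who, pw in demo():
        print(f"{who}: {pw}")
```

Note that the enable secret and the admin user hash to the identical 43-character string, which is exactly what the absence of a salt means: an attacker who cracks one has cracked both, and a table precomputed once can be reused against every Type 4 hash ever collected. A Type 5 hash of the same password would carry a per-entry random salt and 1,000 MD5 iterations, so neither shortcut applies.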

Jim Love, Chief Content Officer, IT World Canada
