Saturday, May 21, 2022

Use toughest available password protection for Cisco devices, NSA tells admins

Cisco Systems gives network administrators the choice of seven password protection types, ranging from no hashing or encryption at all to salted, iterated hashing, to safeguard the credentials stored on its devices.

But only one of them, known as Type 8, offers the best protection from hackers, the U.S. National Security Agency (NSA), the country's electronic spy agency and cryptography expert, said in an information sheet issued this week.

Type 8 passwords are hashed with the Password-Based Key Derivation Function version 2 (PBKDF2) using SHA-256, an 80-bit salt and 20,000 iterations. That makes them more secure than the other password types Cisco supports, the NSA said.

“Type 8 should be enabled and used for all Cisco devices running software developed after 2013,” says the NSA. “Devices running software from before 2013 should be upgraded immediately.

“Types 0, 4, 5, and 7 should not be used on Cisco devices due to weak hashing algorithms that can result in exposing user credentials. Type 6 passwords should only be used if specific keys need to be encrypted and not hashed, or when Type 8 is not available (which typically implies that Type 9 is also unavailable).” Although Cisco and the industry recommend Type 9 hashes, that algorithm has not been evaluated against NIST-approved standards, so Type 9 is not recommended by the NSA.

Type 0 passwords are not encrypted or hashed. They are stored in plaintext within the device configuration file.

The NSA says Type 6 passwords, which use a reversible 128-bit Advanced Encryption Standard (AES) encryption algorithm so a device can decrypt the protected password into the plaintext password, can be used for VPN devices. However, they shouldn’t be used for other devices unless Type 8-style passwords can’t be used.

The extra step of multifactor authentication (MFA) is the best way to protect logins for Cisco devices, says the NSA. But, it adds, in some circumstances, admins can’t implement it and users have to rely on passwords alone. In those cases the hashing and encryption protection are crucial.

“When configuration files are not properly protected, Cisco devices that are configured to use a weak password protection algorithm do not adequately secure the credentials,” the NSA says. “This can lead to compromised devices, and potentially to compromised entire networks.”

Cisco devices contain a plaintext configuration file that is loaded after the Cisco operating system boots. If that file is compromised, hackers can take over the device. Cisco devices can use hashing or encryption algorithms to secure this information, the NSA paper says, but only if they are properly configured to do so.

Hashing is a one-way algorithm that produces output that is difficult to reverse back to the original string. A random salt is often added to a password prior to hashing, making it difficult to use precomputed hashes to reverse the password. Encryption is an algorithm that uses a key to produce output; it is difficult to reverse back to the original plaintext string without a key.
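As an added illustration (not code from the NSA sheet or from Cisco), the following Python models the Type 8 derivation described above (PBKDF2 with SHA-256, an 80-bit salt, 20,000 iterations) and applies the NSA's per-type verdicts to constructed configuration lines. The `$8$salt$hash` layout, the base64 encoding, the regular expression and the sample lines are assumptions for this example, not Cisco's exact on-device format.

```python
import base64, hashlib, hmac, os, re

# Type 8 parameters from the NSA sheet: PBKDF2 with SHA-256, an 80-bit salt
# and 20,000 iterations. The "$8$salt$hash" layout and plain base64 used here
# are assumptions for illustration, not Cisco's exact on-device encoding.
ITERATIONS, SALT_BYTES, DIGEST_BYTES = 20_000, 10, 32   # 10 bytes = 80 bits

def _b64(raw):
    return base64.b64encode(raw).decode().rstrip("=")
def _unb64(text):
    return base64.b64decode(text + "=" * (-len(text) % 4))

def hash_type8(password, salt=None):
    """Derive a Type-8-style credential from a password and a fresh random salt."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, DIGEST_BYTES)
    return f"$8${_b64(salt)}${_b64(dk)}"

def verify_type8(password, stored):
    """Re-derive the hash from the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "8":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), _unb64(parts[2]), ITERATIONS, DIGEST_BYTES)
    return hmac.compare_digest(actual, _unb64(parts[3]))

# NSA verdicts: 0/4/5/7 weak; 6 only for reversible keys or if 8 is unavailable; 8 best; 9 not NIST-evaluated.
VERDICT = {0: "weak (plaintext)", 4: "weak", 5: "weak", 7: "weak (reversible)",
           6: "conditional", 8: "recommended", 9: "not NSA-recommended"}
CRED_RE = re.compile(r"^\s*(?:enable|username\s+\S+)\s+(?:secret|password)(?:\s+(\d))?\s+\S+")

def audit_config(config):
    """Return (line, type, verdict) per credential line; a missing type digit means Type 0."""
    findings = []
    for line in config.splitlines():
        m = CRED_RE.match(line)
        if m:
            ptype = int(m.group(1)) if m.group(1) else 0
            findings.append((line.strip(), ptype, VERDICT.get(ptype, "unknown")))
    return findings

# Constructed sample configuration (placeholder hashes, not from a real device).
SAMPLE_CONFIG = """\
enable secret 8 $8$EXAMPLESALT$EXAMPLEHASH
username admin secret 5 $1$EXAMPLE$EXAMPLEHASH
username ops password 7 0822455D0A16
enable password cisco123
username audit secret 9 $9$EXAMPLESALT$EXAMPLEHASH
username vpn password 6 EXAMPLEAESBLOB
"""
```

Running `audit_config` over a saved `show running-config` is the check an administrator would use to find any remaining Type 0, 4, 5 or 7 credentials before migrating them to Type 8.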

For enterprises utilizing Cisco devices, NSA highly recommends using strong, approved cryptographic algorithms that will protect the password within the configuration file. Password exposure due to a weak algorithm may allow for elevated privileges, which in turn, can lead to a compromised network, it says.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
