Best Practices
- The enable password command should no longer be used. Use enable secret instead.
- username joeblow password mypass command should no longer be used. Use username joeblow secret mypass instead.
- Type 4 Passwords should never be used!
- Use Type 6, Type 8 and Type 9 wherever possible.
- Type 0, Type 5 and Type 7 should be migrated to other stronger methods.
- Do NOT use dictionary words. Use random strings for passwords; a great generator I've been using for years is linked in the FAQ below.
Cisco Password Types
Type 0
This is cleartext and should never be used in a running-config or startup-config. Attempting to use Type 0 in modern IOS XE will throw an error, as these will be deprecated soon.
Type 4
Cisco created Type 4 around 2013 in an attempt to upgrade Type 5. However, the implementation was severely flawed and produced a hash that was weaker than a Type 5 MD5 hash. See the PSIRT advisory below.
Cisco IOS and Cisco IOS XE Type 4 Passwords Issue
Type 5
These use a salted MD5 hashing algorithm. They should only be used if Type 6, 8, or 9 is not available on the IOS version you are running. Attempting to use Type 5 in modern IOS XE will throw an error, as these will be deprecated soon. In the running config these start with $5$.
Type 6
This is true encryption using 128-bit AES in counter mode. The administrator defines a master key, which IOS XE uses to encrypt the password. The encrypted password that is visible in the running-config cannot be copied between devices UNLESS the original Master Key is configured on the new device!
See this document I authored on Configuring Type 6 Passwords
Type 7
These use the Vigenere cipher, a very simple algorithm that was cracked in 1995. They are easily reversible with tools on the internet. They should never be used, and attempting to use Type 7 in modern IOS XE will throw an error, as these will be deprecated soon.
Type 8
Type 8 passwords are what Type 4 was meant to be: an upgraded Type 5! Type 8 is hashed using PBKDF2 with SHA-256, an 80-bit salt and 20,000 iterations. While this is good, it is still vulnerable to brute-forcing since AES is easy to implement on graphics cards (GPUs). I have not proven it but I believe it is possible that the popular tool HashCat is able to decrypt these. In the running config standard Type 8 passwords start with $8$.
Type 9
These use the SCRYPT hashing algorithm defined in the informational RFC 7914. SCRYPT uses an 80-bit salt and 16384 iterations. It's very memory expensive to run the algorithm and therefore difficult to crack. Running it once occasionally on a Cisco device is fine though; this is currently the Best Practice password Type to use. I have not proven it but I believe it is possible that the popular tool HashCat is able to decrypt these.
In the running config standard Type 9 passwords start with $9$.
In the running config convoluted Type 9 passwords start with $14$.
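The Type 8 and Type 9 descriptions above boil down to a string of the form $8$salt$digest or $9$salt$digest. The following is an added example (not Cisco code or a tool from this document) that builds and verifies both forms in Python. It assumes, following the public hashcat and John the Ripper implementations, that the 14-character salt is used as raw ASCII bytes, the derived key is 32 bytes, and salt and digest use the crypt-style alphabet ./0-9A-Za-z in standard base64 bit order without padding; scrypt parameters r=1 and p=1 are likewise assumed.

```python
"""Build and verify Cisco IOS Type 8 (PBKDF2-HMAC-SHA256) and Type 9 (scrypt)
password strings. Encoding and parameter details are assumptions taken from
public cracker implementations, not from the document above."""
import hashlib
import hmac
import secrets

# Crypt-style alphabet assumed for both the salt and the encoded digest.
CISCO_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_LEN = 14            # 14 chars * 6 bits = 84 bits, the "80-bit salt" above
TYPE8_ITERATIONS = 20000  # PBKDF2 iterations stated for Type 8
TYPE9_N = 16384           # scrypt cost parameter stated for Type 9


def cisco_b64(raw: bytes) -> str:
    """Encode bytes with the Cisco alphabet, MSB first, no padding characters."""
    bits = "".join(f"{b:08b}" for b in raw)
    bits += "0" * (-len(bits) % 6)
    return "".join(CISCO_ALPHABET[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))


def new_salt() -> str:
    """Random 14-character salt drawn from the Cisco alphabet."""
    return "".join(secrets.choice(CISCO_ALPHABET) for _ in range(SALT_LEN))


def derive(ptype: int, password: str, salt: str) -> bytes:
    """Run the KDF for the given type; the salt string is used as raw bytes."""
    pw, s = password.encode(), salt.encode()
    if ptype == 8:
        return hashlib.pbkdf2_hmac("sha256", pw, s, TYPE8_ITERATIONS, dklen=32)
    if ptype == 9:
        return hashlib.scrypt(pw, salt=s, n=TYPE9_N, r=1, p=1, dklen=32)
    raise ValueError("only Type 8 and Type 9 are hashes of this form")


def make_hash(ptype: int, password: str, salt: str = "") -> str:
    """Produce a $8$salt$digest or $9$salt$digest string for the running-config."""
    salt = salt or new_salt()
    return f"${ptype}${salt}${cisco_b64(derive(ptype, password, salt))}"


def verify(stored: str, candidate: str) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    _, ptype, salt, digest = stored.split("$")
    expected = cisco_b64(derive(int(ptype), candidate, salt))
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # Constructed sample: a fixed salt so the Type 8 output is reproducible.
    t8 = make_hash(8, "Correct-Horse-Battery", "AAAAAAAAAAAAAA")
    print(t8, verify(t8, "Correct-Horse-Battery"), verify(t8, "wrong"))
    print(make_hash(9, "Correct-Horse-Battery"))
```

Note that verifying one Type 9 candidate takes noticeably longer than one Type 8 candidate, which is the memory-hardness argument made above; verify() is for checking a password you already hold against a config line, not for guessing.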
Q: Some of these are crack-able, what do I do?
A: Easy answer! NEVER use dictionary words. Use a random password generator like the one found here: https://www.random.org/passwords/
Q: Which Password Types are portable between devices?
A: You can copy and paste Types 0, 5, 7, 8 and 9 between devices.
Q: Can Type 6 also be portable between devices?
A: Type 6 can be portable between devices ONLY if you configure the destination device with the same key config-key password-encryption KEY as was originally used on the source device.
Q: What if my device with Type 6 experiences hardware failure?
A: Great question. When configuring Type 6 it's very important to store the key config-key password-encryption KEY in a secure location, as it is NOT recoverable from the device's running configuration or anywhere else. Once you enter it at the CLI you will never see it again on the device.
Q: Is this applicable to IOS XR as well?
A: Sorry, I don’t know, maybe I’ll research this and update this post later on if folks ask.
Q: Hashed vs. encrypted, what is the difference?
A: Encrypted typically means it is reversible using the key. Hashed is typically one-way.
Q: When should I use Type 6 encryption?
A: Use Type 6 when the device needs the actual password, e.g. for routing protocols. Type 6 can also be used when the device only needs to recognize the correct password, e.g. username kashvi password cisco123 or enable secret.
Q: When should I use Type 8 or Type 9 hashing?
A: Hashed passwords can be used when the device needs to recognize the correct password but does not need to transmit it to other devices (routers, FTP servers, etc.).
Q: When configuring or restoring a Type 6 password, do I need to enter commands in a specific order?
A: Optimally you will enter password encryption aes, then key config-key, then the Type 6 password. However, if you enter the Type 6 password first and then password encryption aes and key config-key second, that will work as well. So no, it really doesn't matter, as long as the Master Key is defined.
Q: Which is most secure, Type 6, 8 or 9?
A: This is debatable. Since Type 8 and 9 are one-way hashes they could be considered the most secure. However, I believe popular tools are able to brute force Type 8 and 9, and I'm not sure if Type 6 can be brute forced... yet.
Thanks for reading, please rate or comment to help make this document better!