Security Password Encryption on Cisco Routers
Password Encryption
Setting a password on a network router should be a fundamental aim when warding off network threats or intruders, and not just any password, but a strong one. This gives an administrator full control over, and secure access to, the router.
Good password guidelines:
i. Do not write passwords down and leave them in obvious places such as your desk or on your monitor.
ii. Combine letters, numbers, and symbols. For a stronger password, include at least one lowercase letter, one uppercase letter, one digit, and one special character.
iii. It is advisable to avoid dictionary words, names, phone numbers, and dates. Dictionary words in particular leave a password vulnerable to dictionary attacks.
iv. Deliberately misspell a password. For example, Simon can be spelled Symon, or can also include numbers, such as 5ymOn.
v. Use lengthy passwords. Best practice is a minimum of eight to ten characters (Cisco IOS routers can enforce a minimum password length).
vi. Change your passwords as often as possible. This limits the time an intruder has to crack a password and limits the window of exposure after a password has been compromised.
Passphrases
Using passphrases is a good way to create strong, more complex passwords.
A passphrase is simply a sentence or phrase that serves as a more secure password. A long phrase is hard for an attacker to guess but easy for you to remember.
Phrases abound: use lines from books, songs, poems, famous sayings, and so on. You can derive a variety of passwords from your favourite songs or poems.
Passphrase Examples:
“Build it and they will come” – translates to Biatwc
“My Favourite rapper and songwriter is 2pac Shakur” – translates to Mfraswi2S
“Blessed are the peacemakers, for they shall obtain mercy” – translates to Batpmftsom
Password Encryption on Cisco Routers
By default, Cisco IOS software stores passwords in plain text when they are entered on a router. This is not secure, since anyone viewing the running configuration can read a password set with the enable password command or the username {username} password {password} command.
For example:
Router1(config)# username lab password cisco1234
Router1(config)# do show run | include username
username lab password 0 cisco1234
Router1(config)#
The 0 displayed in the running configuration indicates that the password is not hidden.
Cisco Password Encryption Schemes
Cisco IOS provides two password protection schemes:
Type 7 encryption and type 5 encryption.
Type 7 Encryption
This is a Cisco-defined scheme that hides the password using a simple, reversible encryption algorithm. Type 7 encryption can be used by the enable password, username, and line password commands, which includes the line console, vty, and aux ports. It offers very limited protection: it hides the password from casual viewing of the configuration, but because the algorithm is reversible, the original password can be recovered from the stored value.
For example, use the following command in global configuration mode:
Router1(config)# service password-encryption
Router1(config)# do show run | include username
username Student password 7 03075218050061
Router1(config)#
The 7 displayed in the running configuration indicates that the password is hidden. The line console password is hidden in the same way.
Type 5 Encryption
This uses a more complex algorithm: a salted MD5 hash. A hash is one-way, so the password itself is never stored in the configuration. Cisco recommends that Type 5 encryption be used instead of Type 7 whenever possible, as it offers a much stronger protection (MD5). It is configured by replacing the keyword password with secret. Using the enable secret command protects privileged EXEC mode.
For example:
Router>enable
Router#config t
Router(config)#enable secret cisco
Router(config)#line con 0
Router(config-line)#password cisco
Router(config-line)#login
Router(config-line)#line vty 0 4
Router(config-line)#password cisco
Router(config-line)#login
Router(config-line)#exit
Router(config)#hostname HQ
Using show run displays the hashed enable secret:
HQ#sho run
Building configuration…
Current configuration: 456 bytes
!
version 12.4
service password-encryption
!
hostname HQ
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
!
ip ssh version 1
!
Summary:
To encrypt all passwords in the configuration file, use the following command:
Router1(config)# service password-encryption
To configure a type 5 (MD5 hash) password and remove the type 7 enable password, use the following commands:
Router1(config)#enable secret {password here}
Router1(config)#no enable password
Router1(config)#end
To require a minimum length of 10 characters for all passwords, use the following commands:
Router1(config)#security password min-length 10
Router1(config)#end
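To check a saved configuration for the weak forms described above, here is an added example script (not Cisco's and not part of the original article) that flags type 0 and type 7 passwords, a leftover enable password, and a missing service password-encryption or security password min-length. The sample configuration inside it is constructed for the example; the parsing rules follow the show run formats shown in this article.

```python
import re

# Constructed sample running-config (not from a real device), modelled on the outputs shown above.
SAMPLE_CONFIG = """\
username lab password 0 cisco1234
username Student password 7 03075218050061
enable password cisco
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
line con 0
 password cisco
 login
line vty 0 4
 password 7 03075218050061
 login
"""

# "password x" / "password 0 x" = plain text, "password 7 x" = type 7, "secret 5 $1$..." = type 5 MD5.
_CRED = re.compile(r"^\s*(?P<cmd>enable (?:password|secret)|username \S+ (?:password|secret)|password)"
                   r" +(?:(?P<type>\d+) +)?(?P<value>\S+)\s*$")

def audit_config(config):
    """Return (line_number, severity, message) tuples; line 0 marks config-wide findings."""
    findings, context, has_secret = [], "global", False
    for n, line in enumerate(config.splitlines(), start=1):
        if line.startswith("line "):
            context = line.strip()            # indented lines that follow belong to this line
        elif not line.startswith(" "):
            context = "global"
        m = _CRED.match(line)
        if not m:
            continue
        cmd, ptype = m.group("cmd"), m.group("type") or "0"
        has_secret |= cmd == "enable secret" and ptype == "5"
        if cmd == "enable password":
            findings.append((n, "HIGH", "enable password is superseded by enable secret; remove it with 'no enable password'"))
        elif ptype == "0":
            findings.append((n, "HIGH", f"plain-text (type 0) password in '{cmd}' ({context})"))
        elif ptype == "7":                    # line passwords cannot use 'secret'; username/enable can
            sev, fix = (("LOW", "the strongest a line password supports")
                        if cmd == "password" else ("MEDIUM", "re-enter with 'secret' to store a type 5 hash"))
            findings.append((n, sev, f"type 7 (reversible) password in '{cmd}' ({context}): {fix}"))
    if not has_secret:
        findings.append((0, "HIGH", "no 'enable secret' configured; privileged EXEC is not protected by a type 5 hash"))
    if "service password-encryption" not in config:
        findings.append((0, "MEDIUM", "service password-encryption is off; line passwords are written in plain text"))
    if "security password min-length" not in config:
        findings.append((0, "LOW", "no minimum password length enforced (security password min-length)"))
    return findings
```

Run audit_config on the text of show running-config; a clean configuration returns an empty list.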