
I'm a university student studying for my certification exam, and I was doing some reviewing today when I found a question that I can't find an answer to. Basically, in the CCNA3 2.4.1 Cisco Netacademy online materials, it talks about encrypting passwords in the config. To quote the materials:

The encryption standard used by the service password-encryption command is referred to as type 7. This encryption standard is very weak and there are easily accessible tools on the Internet for decrypting passwords encrypted with this standard. Type 5 is more secure but must be invoked manually for each password configured.

This is what confuses me. It says that you can manually invoke Type 5 security (which is MD5 hashing, also used with enable secret) for each password configured. But by default, it uses Type 7 encryption which is a basic and weak encryption method usually used to guard against over the shoulder snooping at running-configs etc.

I've done some looking around and I can't find any commands that would allow a user to use the enable password command yet encrypt it using Type 5 instead of Type 7. Furthermore, when I looked at Cisco reference pages on the Internet seen here, it says the following:

enable password [level level] {password | [encryption-type] encrypted-password} Encryption-Type: (Optional) Cisco-proprietary algorithm used to encrypt the password. Currently, the only encryption type available is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password already encrypted by a Cisco router).

This is for the enable password command and it says the default encryption type is 5 using IOS version 12.2. But when I use service password-encryption on a switch that has 12.2 IOS, the running-config shows: enable password 7 121AOC041104, the 7 meaning Type 7.

So, as you can see, I'm confused. There are contradictions concerning the default Type of encryption used with enable password. Although the netacademy resources are a few years old, actual testing with switches and using the service password-encryption command supports the netacademy materials. Whereas the Cisco site quotes type 5 being the default using one of the latest IOS versions.

Basically, my question is, despite all of these confusions, is it possible to use enable password to get a Type 5 encryption (and this would be evident in the running-config) or do I have to stick with enable secret to get my Type 5 encryption?

mitch
  • Oh and please tell me if I have posted this in the wrong QA site. I wasn't sure if it should go here or in the Server Fault QA. – mitch Apr 28 '11 at 14:41
  • I believe that it is on topic in both and you might be interested in cross posting it. BTW MD5 is not very secure anyway. – KilledKenny Apr 28 '11 at 15:11
  • @WZeberaFFS: [Note that cross-posting is strongly discouraged.](http://meta.stackoverflow.com/questions/64068/is-it-possible-to-post-questions-across-a-couple-of-the-sites-because-its-debata/64073#64073) @mitch: The question looks on-topic on both sites. Let it stand here since that's where you asked it. (A moderator can migrate it if you change your mind, but migrated questions typically get less attention.) – Gilles 'SO- stop being evil' Apr 28 '11 at 15:46
  • FTFY: Cisco's operating system is IOS, not iOS. – Iszi Apr 28 '11 at 16:09
  • @Gilles Thanks for informing me about that; I was completely unaware of that. The last cross post I saw was made by a mod... – KilledKenny Apr 28 '11 at 16:12

3 Answers


I've done some looking around and I can't find any commands that would allow a user to use the enable password command yet encrypt it using Type 5 instead of Type 7.

That is because enable password is only maintained for legacy support. All Cisco platforms for about 20 years have had enable secret as the best practice way of including an enable password in the configuration.

This is for the enable password command and it says default encryption type is 5 using IOS version 12.2. But when I use service password-encryption on a switch that has 12.2 IOS the running-config shows: enable password 7 121AOC041104 the 7 meaning Type 7.

Cisco documentation (and other vendors') has increasingly been affected by copy/paste mistakes over the years. Keep your eyes open and brain engaged when reading documentation to find that this is not a rare occurrence (for fun, see if you spot the one in this Cisco document that has carried over to successive versions of code to the present day - hint: skip to the Configuring Password Policies (CLI) section).

In the case you highlight, they use the same exact wording for enable secret as they do for enable password. At some point someone just copied the wording from the former to the latter, but forgot (or didn't realize) they needed to change the 5 to a 7.

Basically, my question is, despite all of these confusions, is it possible to use enable password to get a Type 5 encryption (and this would be evident in the running-config) or do I have to stick with enable secret to get my Type 5 encryption?

No, it isn't possible to use enable password to get a type 5 encryption. You can only do this with enable secret, which only uses type 5 encryption (at least on most platforms; I can't say for certain all). The enable password command doesn't have this feature because enable secret was already present and the best practice way to include an enable password, so Cisco simply never modified the enable password command to include it.

Let me stress that there is no reason outside of the classroom that you should be using enable password in your Cisco configurations unless you are dealing with 20+ year old platforms (network or management) that require you to do so.

YLearn
  • Enable secret uses type 5 you're correct. To add to this here is a post on password types on Cisco devices - https://security.stackexchange.com/questions/150733/cisco-ios-service-password-encryption/186082#186082 –  Jun 19 '18 at 19:36
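As an added example (not code from the question or any answer), a small Python audit that flags, in a constructed running-config excerpt, the weak forms discussed above: the legacy `enable password` command, type 7 strings, and plain-text (type 0) passwords, while accepting hashed `secret` forms. The sample config, its type 7 strings and its `$1$` hashes are constructed placeholders; the only value reused from the page is the `enable password 7 121AOC041104` line.

```python
import re  # only used to document that matching is whitespace-based, not regex

# Constructed running-config excerpt; the type 7 strings and $1$ hashes
# are placeholders, not values taken from a real device.
SAMPLE_CONFIG = """\
hostname lab-sw1
enable password 7 121AOC041104
enable secret 5 $1$CONS$placeholderhashXXXXXXXXXXXXXX
username admin password 7 0123456789AB
username ops secret 5 $1$CONS$anotherplaceholderXXXXXXXXXX
line con 0
 password 7 0A1B2C3D4E5F
line vty 0 4
 password cisco
"""

# Type digits IOS writes in front of a stored credential. A bare value
# with no leading digit is plain text (type 0). 5 = MD5-crypt,
# 8 = PBKDF2-SHA256, 9 = scrypt (the latter two exist on newer IOS).
HASHED_TYPES = {"5", "8", "9"}

def classify_password_line(line):
    """Return (keyword, type_digit) for a line carrying a credential, else None."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in ("password", "secret") and i + 1 < len(tokens):
            rest = tokens[i + 1:]
            # A type digit must be followed by the stored value; otherwise the
            # token after the keyword is itself the (plain-text) password.
            if len(rest) > 1 and rest[0] in HASHED_TYPES | {"0", "7"}:
                return tok, rest[0]
            return tok, "0"
    return None

def audit_config(config_text):
    """Return a list of (line_number, severity, message) findings."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("enable password"):
            # Legacy command: at best type 7, never hashed. Prefer enable secret.
            findings.append((lineno, "high", "legacy enable password; use enable secret"))
            continue
        hit = classify_password_line(line)
        if hit is None:
            continue
        keyword, ptype = hit
        if ptype == "0":
            findings.append((lineno, "high", f"plain-text {keyword} (type 0)"))
        elif ptype == "7":
            findings.append((lineno, "medium", "type 7 is reversible obfuscation"))
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` reports the `enable password` line and the vty plain-text password as high, the two type 7 lines as medium, and nothing for the two `secret 5` entries.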

I can't help with your basic problem, but this should help motivate folks to get it right, as your question asks. It is depressing hearing over and over how badly broken password storage is on important platforms.

A bit of googling yields this information on how bad "type 7" password storage is. Note that it uses "Vigenère obfuscation" (not really encryption): Deobfuscating Cisco IOS Passwords - CT3

I'm still puzzled as to why Cisco wanted the server to have access to cleartext passwords, as noted in that link.

Update: As described at Cisco IOS Password Encryption Facts - Cisco Systems:

In order to support certain authentication protocols (notably CHAP), the system needs access to the clear text of user passwords, and therefore must store them using a reversible algorithm.

The requirement for plain-text password storage on the server side is a good reason that CHAP (Challenge-handshake authentication protocol - Wikipedia) is a bad idea.

nealmcb

Use enable secret -- if nothing else, it's the solution that works on "legacy" versions, even if it has been changed in newest releases.

(Apart from that, avoid local accounts. The only time a local account should be used is when there is a major problem in progress that prevents the router from communicating with an AAA server. Use TACACS+ when possible, or DIAMETER for those that support it.)

Jakob Borg
  • Good answer here, for *any* system that has access to a centralized authentication service. Don't use local accounts unless *absolutely* necessary, and use the strongest method of protection available for those that must exist. – Iszi Apr 28 '11 at 20:39
  • @Iszi, I could agree to good advice, recommendation, or best practice but as it does not actually answer the OP's question, I have to disagree on "good answer" in this case. – YLearn Jun 19 '18 at 19:35