Use toughest available password protection for Cisco devices, NSA tells admins

Cisco Systems gives network administrators the choice of seven password protection types, ranging from no hashing or encryption to complex scrambling, to safeguard its devices.

But only one — known as Type 8 — offers the best protection from hackers, the U.S. National Security Agency (NSA), the country’s electronic spy agency and cryptography expert, said in an information sheet issued this week.

Type 8 passwords are hashed with the Password-Based Key Derivation Function version 2 (PBKDF2), SHA-256, an 80-bit salt, and 20,000 iterations. That makes them more secure in comparison to the other password types allowed by Cisco, the NSA said.

“Type 8 should be enabled and used for all Cisco devices running software developed after 2013,” says the NSA. “Devices running software from before 2013 should be upgraded immediately.

“Types 0, 4, 5, and 7 should not be used on Cisco devices due to weak hashing algorithms that can result in exposing user credentials. Type 6 passwords should only be used if specific keys need to be encrypted and not hashed, or when Type 8 is not available (which typically implies that Type 9 is also unavailable).” Although Cisco and industry recommend the Type 9 hashes, its algorithm has not been evaluated against NIST-approved standards, so Type 9 is not recommended by the NSA.

Type 0 passwords are not encrypted or hashed. They are stored in plaintext within the device configuration file.

The NSA says Type 6 passwords, which use a reversible 128-bit Advanced Encryption Standard (AES) encryption algorithm so a device can decrypt the protected password into the plaintext password, can be used for VPN devices. However, they shouldn’t be used for other devices unless Type 8-style passwords can’t be used.
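The guidance above can be checked against a saved device configuration. The following Python sketch is an added example, not code from the NSA sheet or from Cisco; it assumes the usual IOS-style layout in which `password` or `secret` is followed by a one-digit type and the stored value, treats an untyped `password <value>` line as Type 0, and uses a constructed sample configuration. The names `audit_config` and `VERDICTS` are hypothetical.

```python
import re

# Verdicts restate the NSA guidance quoted in the article, keyed by password type.
VERDICTS = {
    0: ("reject", "stored in plaintext in the configuration file"),
    4: ("reject", "weak hashing algorithm"),
    5: ("reject", "weak hashing algorithm"),
    7: ("reject", "weak hashing algorithm"),
    6: ("conditional", "reversible AES; only for keys that must be decrypted, "
                       "or when Type 8 is unavailable"),
    8: ("ok", "PBKDF2, SHA-256, 80-bit salt, 20,000 iterations"),
    9: ("not-recommended", "not evaluated against NIST-approved standards"),
}

# Assumed syntax: "... password|secret <type digit> <stored value>".
TYPED = re.compile(r"\b(password|secret)\s+(\d)\s+\S+")
# Assumed: "password <value>" with no type digit means the value is plaintext.
UNTYPED = re.compile(r"\bpassword\s+\S+\s*$")

def audit_config(text):
    """Return (line number, type, status, reason) for each credential line.
    The stored value itself is never copied into the findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("!"):  # skip blanks and comments
            continue
        match = TYPED.search(line)
        if match:
            ptype = int(match.group(2))
        elif UNTYPED.search(line):
            ptype = 0
        else:
            continue
        status, reason = VERDICTS.get(ptype, ("unknown", "type not covered here"))
        findings.append((lineno, ptype, status, reason))
    return findings

# Constructed sample; the hashes and passwords are placeholders, not real values.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 8 $8$CONSTRUCTEDSALT$CONSTRUCTEDHASH
enable password 7 CONSTRUCTED7
username ops privilege 15 secret 5 $1$CONSTRUCTED$CONSTRUCTED
username backup secret 9 $9$CONSTRUCTED$CONSTRUCTED
username lab password 0 constructed-plaintext
line vty 0 4
 password constructed-plaintext
"""

if __name__ == "__main__":
    for lineno, ptype, status, reason in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: Type {ptype}: {status} ({reason})")
```
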

The extra step of multifactor authentication (MFA) is the best way to protect logins for Cisco devices, says the NSA. But, it adds, in some circumstances, admins can’t implement it and users have to rely on passwords alone. In those cases the hashing and encryption protection are crucial.

“When configuration files are not properly protected, Cisco devices that are configured to use a weak password protection algorithm do not adequately secure the credentials,” the NSA says. “This can lead to compromised devices, and potentially to compromised entire networks.”

Cisco devices contain a plaintext configuration file that is loaded after the Cisco operating system boots. If that file is compromised, hackers can take over the device. Cisco devices can use hashing or encryption algorithms to secure this information, the NSA paper says, but only if they are properly configured to do so.

Hashing is a one-way algorithm that produces output that is difficult to reverse back to the original string. A random salt is often added to a password prior to hashing, making it difficult to use precomputed hashes to reverse the password. Encryption is an algorithm that uses a key to produce output; it is difficult to reverse back to the original plaintext string without a key.

For enterprises utilizing Cisco devices, NSA highly recommends using strong, approved cryptographic algorithms that will protect the password within the configuration file. Password exposure due to a weak algorithm may allow for elevated privileges, which in turn, can lead to a compromised network, it says.

The post Use toughest available password protection for Cisco devices, NSA tells admins first appeared on IT World Canada.
Howard Solomon