Cisco IOS passwords cause mismatch (type 7 hash)

Aruba Employee

Cisco type 7 encryption uses a weak, non-consistent hashing method: devices configured with the same base "password" end up with different resulting hashes in their configurations, which causes mismatches among them.

Type 7 passwords can be identified in a configuration by password hashes preceded by the number "7".

Example:

username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D

Cisco documentation recommends that all customers switch to the "secret" password method, which uses the MD5 hash method. It can be recognized by configuration lines with a hash preceded by the number "5".

Example:

enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.

The MD5 method produces a consistent hash for the same password across systems.

NOTE: Consistency depends on the salt. The customer must manually push the same MD5 hash to all devices, which forces them all to use the same salt when verifying the password hash.

The other reason for switching from type 7 to type 5 (MD5) is that type 7 can be easily reversed, and several websites offer type 7 password cracking web applications. Searching for 'cisco password 7' will turn up many top results documenting the weakness of the type 7 hash.
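The two checks described above (spotting type 7 and plaintext lines, and verifying that the type 5 hash, and therefore its salt, is identical on every device) can be run over exported configurations. The following audit script is an added example written for this article, not Aruba or Cisco code. The device names, the second type 7 string, the `$1$Qz2k$...` hash and the `guest` account are constructed sample data; the `jdoe` type 7 string and the `$1$iUjJ$...` hash are the ones shown in the article.

```python
"""Audit Cisco IOS configurations for password storage types.

Added example for this article. Device configs below are constructed;
only the jdoe type 7 string and the $1$iUjJ$ hash come from the article text.
"""
import re
from collections import defaultdict

# Matches "username <name> [privilege N] password|secret <type> <value>"
# and "enable password|secret <type> <value>".
_LINE_RE = re.compile(
    r"^\s*(?P<account>username\s+\S+|enable)(?:\s+privilege\s+\d+)?"
    r"\s+(?:password|secret)\s+(?P<ptype>\d+)\s+(?P<value>\S+)\s*$"
)
# Type 5 values have the md5-crypt shape $1$<salt>$<22-char digest>.
_MD5_CRYPT_RE = re.compile(
    r"^\$1\$(?P<salt>[^$]{1,8})\$(?P<digest>[./0-9A-Za-z]{22})$"
)

TYPE_NAMES = {
    "0": "plaintext",
    "5": "md5-crypt (salted; identical across devices only if the same hash is pushed)",
    "7": "type 7 (reversible encoding; differs per device for the same password)",
}

# Constructed sample configs for three hypothetical devices.
SAMPLE_CONFIGS = {
    "core-sw1": (
        "username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D\n"
        "username admin secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.\n"
        "enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.\n"
    ),
    "edge-sw2": (
        # Same base password as core-sw1 but a different type 7 string (constructed).
        "username jdoe password 7 15161E1D0A0B1C0F\n"
        # Identical hash pushed to both devices: consistent.
        "username admin secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.\n"
        # Hash generated locally with its own salt (constructed): inconsistent.
        "enable secret 5 $1$Qz2k$aB3dE5fG7hI9jK1lM3nO5p\n"
        "username guest password 0 changeme\n"
    ),
}


def parse_config(text):
    """Return one record per credential line found in an IOS config."""
    records = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        rec = {"account": m["account"], "ptype": m["ptype"],
               "value": m["value"], "salt": None}
        if rec["ptype"] == "5":
            h = _MD5_CRYPT_RE.match(rec["value"])
            rec["salt"] = h["salt"] if h else None
        records.append(rec)
    return records


def audit(configs):
    """configs: {device_name: config_text}.

    Returns {"weak": [(device, account, type), ...],
             "inconsistent": {account: {device: type5_hash}}}.
    Type 0 and type 7 lines are weak. A type 5 account is inconsistent when
    devices carry different hashes (different salts) for the same account.
    """
    weak = []
    by_account = defaultdict(dict)
    for device, text in configs.items():
        for rec in parse_config(text):
            if rec["ptype"] in ("0", "7"):
                weak.append((device, rec["account"], rec["ptype"]))
            elif rec["ptype"] == "5":
                by_account[rec["account"]][device] = rec["value"]
    inconsistent = {acct: hashes for acct, hashes in by_account.items()
                    if len(set(hashes.values())) > 1}
    return {"weak": weak, "inconsistent": inconsistent}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIGS)
    for device, account, ptype in result["weak"]:
        print(f"{device}: {account} uses {TYPE_NAMES[ptype]}")
    for account, hashes in result["inconsistent"].items():
        print(f"{account}: type 5 hash differs across {sorted(hashes)}")
```

Running the script flags both `jdoe` lines and the plaintext `guest` line as weak, and reports `enable` as inconsistent because `edge-sw2` generated its own salt instead of receiving the hash pushed to `core-sw1`; `admin`, which carries the identical `$1$iUjJ$` hash on both devices, is not reported.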

Useful documentation can be found here:

http://wiki.nil.com/MD5_Password_Hashing_in_IOS

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00809d38a7.shtml

Version history: Revision 1 of 1, last updated 06-25-2014 01:58 PM