1.4.3 Set 'username secret' for all local users

Information

Username secret password type 5 and enable secret password type 5 must be migrated to the stronger password type 8 or 9. If a device is upgraded from IOS XE 16.9 or later, the type 5 is auto-converted to type 9.

The username secret command provides an additional layer of security over the username password command.

Default device configuration does not require strong user authentication, potentially enabling unfettered access to an attacker who is able to reach the device. Creating a local account with an encrypted password enforces login authentication and provides a fallback authentication mechanism for configuration in a named method list in a situation where centralized authentication, authorization, and accounting services are unavailable.

The following are the types of encryption the device will allow as of 15.3:

Type 0

This means the password will not be encrypted when the router stores it in the Run/Start files.

Command:

enable password cisco123

Type 4

This means the password will be encrypted when the router stores it in the Run/Start files using SHA-256, which apps like Cain can crack, but it will take a long time.

Command:

enable secret 4 Rv4kArhts7yA2xd8BD2YTVbts

(Notice that the above is not the password string itself but the hash of the password.)

This type is deprecated starting from IOS 15.3(3).

Type 5

This means the password will be encrypted when the router stores it in the Run/Start files using MD5, which apps like Cain can crack, but it will take a long time.

Command:

enable secret 5 00271A5307542A02D22842

(Notice that the above is not the password string itself but the hash of the password.)

or

enable secret cisco123

(Notice that the above is the password string itself.)

Type 7

This means the password will be encrypted when the router stores it in the Run/Start files using the Vigenere cipher, which any website with a type 7 reverser can crack in less than one second.

Command:

ena password cisco123

service password-encryption

Type 8

This means the password will be encrypted when the router stores it in the Run/Start files using PBKDF2-SHA-256, starting from IOS 15.3(3).

Password-Based Key Derivation Function 2 (PBKDF2) with Secure Hash Algorithm, 256 bits (SHA-256), as the hashing algorithm.

Example:

R1(config)#enable algorithm-type sha256 secret cisco

R1(config)#do sh run | i enable

enable secret 8 $8$mTj4RZG8N9ZDOk$elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.

Example:

R1(config)# username yasser algorithm-type sha256 secret cisco

R1# show running-config | inc username

username yasser secret 8 $8$dsYGNam3K1SIJO$7nv/35M/qr6t.dVc7UY9zrJDWRVqncHub1PE9UlMQFs

Type 9

This means the password will be encrypted when the router stores it in the Run/Start files using scrypt as the hashing algorithm, starting from IOS 15.3(3).

Example:

R1(config)#ena algorithm-type scrypt secret cisco

R1(config)#do sh run | i enable

enable secret 9 $9$WnArItcQHW/uuE$x5WTLbu7PbzGDuv0fSwGKS/KURsy5a3WCQckmJp0MbE

Example:

R1(config)# username demo9 algorithm-type scrypt secret cisco

R1# show running-config | inc username

username demo9 secret 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM

Important Notes:

1. If you configure type 8 or type 9 passwords and then downgrade to a release that does not support type 8 and type 9 passwords, you must configure the type 5 passwords before downgrading. If not, you are locked out of the device and a password recovery is required.

2. Starting from IOS 15.3(3), the 4 keyword was deprecated, support for the type 8 and type 9 algorithms was added, and the warning message for removal of support for the type 4 algorithm was added.

Solution

Create a local user with an encrypted, complex (not easily guessed) password.

hostname(config)#username {LOCAL_USERNAME} secret {LOCAL_PASSWORD}

Impact:

Organizations implementing 'username secret' across their enterprise reduce the risk of unauthorized users gaining access to Cisco IOS devices by applying an MD5 hash and encrypting user passwords.
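To check a saved running-config against this item, the following added example (not part of the benchmark or of the audit plugin) classifies each enable and username line by the password types described above. The sample configuration is constructed, its type 5 and type 7 values are placeholders, and the names `audit`, `WEAK`, `STRONG` and `CRED_RE` are hypothetical.

```python
import re

# Password types as this page describes them.
WEAK = {"0": "cleartext", "4": "SHA-256, deprecated from IOS 15.3(3)",
        "5": "MD5, migrate to type 8 or 9", "7": "Vigenere cipher, reversible"}
STRONG = {"8": "PBKDF2-SHA-256", "9": "scrypt"}

# Matches 'enable ...' and 'username NAME [options] ...' credential lines.
CRED_RE = re.compile(
    r"^(?:enable|username\s+(?P<user>\S+))(?:\s+\S+)*?"
    r"\s+(?P<kw>password|secret)\s+(?:(?P<type>\d)\s+)?\S.*$"
)

def audit(config_text):
    """Return (subject, passed, reason) for each enable/username line."""
    results = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith(("enable ", "username ")):
            continue
        m = CRED_RE.match(line)
        if m is None:
            # e.g. 'username x privilege 15': account without any credential
            results.append((line, False, "no password or secret configured"))
            continue
        subject = m["user"] or "enable"
        ptype = m["type"] or "0"  # assumption: no type digit means cleartext
        if m["kw"] == "password":
            ok, why = False, f"'password' keyword, type {ptype}"
        elif ptype in STRONG:
            ok, why = True, f"type {ptype} ({STRONG[ptype]})"
        else:
            ok, why = False, f"type {ptype} ({WEAK.get(ptype, 'unknown')})"
        results.append((subject, ok, why))
    return results

# Constructed sample; the type 8 and type 9 lines are the page's own examples.
SAMPLE = """\
hostname R1
enable secret 9 $9$WnArItcQHW/uuE$x5WTLbu7PbzGDuv0fSwGKS/KURsy5a3WCQckmJp0MbE
username yasser secret 8 $8$dsYGNam3K1SIJO$7nv/35M/qr6t.dVc7UY9zrJDWRVqncHub1PE9UlMQFs
username legacy privilege 15 secret 5 $1$CONSTRUCTED$PLACEHOLDERHASH
username ops password 7 CONSTRUCTEDPLACEHOLDER
username ghost privilege 15
"""

if __name__ == "__main__":
    for subject, passed, reason in audit(SAMPLE):
        print("PASS" if passed else "FAIL", subject, "-", reason)
```

Only type 8 and type 9 secrets pass; accounts that use the password keyword, an older secret type, or no credential at all are reported as failures.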

See Also

https://workbench.cisecurity.org/benchmarks/12917

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Cisco

Control ID: 7963a08562440cb210c5bdca74b757920b69eff3379a3dd6a47a892abf2d06aa