Strong Passwords and Password Encryption to protect Management Plane
If you recall the lessons from CCNA Routing and Switching, passwords can be configured for privileged EXEC mode, the console line, the vty lines and so on, to protect network infrastructure devices. Previous lessons explain Cisco IOS shell privilege levels and how to configure passwords for different privilege levels.
Two flavours of password are available on Cisco routers and switches running IOS. One is called "secret" and the other is called "password".
The main difference between "secret" and "password" is that with "secret", the password text is run through a salted MD5 hash (Cisco calls this a type 5 secret) and only the hash is stored in the configuration file. A hash is one-way: there is no way to compute the original password back from its MD5 hash. One-way does not mean uncrackable, however. MD5 is a fast hash, so an attacker who obtains the configuration file can still guess the password offline with a dictionary or brute-force attack, and a short or common secret will fall quickly.
With "password", the password text is stored in clear text in the configuration file, and anyone who has access to the configuration file can read it.
For example, refer to the following configuration, where we configure a "secret" type of password for privilege level 15 with the fully spelled-out form of the "enable secret" command. The short form "enable secret OmniSecuSecret" is equivalent, because privilege level 15 and encryption type 0 (clear-text input) are the defaults.
How to configure password text using "enable secret" IOS Command
The command syntax for "enable secret" is as below.
OmniSecuR1(config)#enable secret [level <1-15>] [0|5] <user_defined_password_text>
Note: In the above command syntax,
1) "[0|5]": "0" indicates that an unencrypted (clear-text) password string follows; "5" indicates that an already hashed type 5 string follows, which is what you use when pasting a saved configuration back into a device.
2) "level <1-15>": privilege level. The default is privilege level 15.
OmniSecuR1#configure terminal
OmniSecuR1(config)#enable secret level 15 0 OmniSecuSecret
OmniSecuR1(config)#exit
OmniSecuR1#
After running the above command, view the running configuration using the "show running-config" IOS command to see how the password text is stored in the running configuration file.
OmniSecuR1#show running-config | include enable
enable secret 5 $1$txNr$vgPYgK1eJQy.lVP1sbMbD0
We can see that the "secret" password text "OmniSecuSecret" has been replaced by its hash. The number "5" before the hash indicates that the secret is stored as a type 5 (MD5) hash; the text after it is the hash itself. A type 5 secret is a salted MD5 hash in the same format as the Unix md5crypt password hash, and the string consists of three parts separated by the dollar character ($):
1) "1": the hash algorithm identifier ("$1$" means md5crypt, the salted MD5 scheme)
2) "txNr": the salt, a random value generated by the router when the secret is configured
3) "vgPYgK1eJQy.lVP1sbMbD0": the 22-character MD5 hash text
The main advantages of salted hashes are that 1) they provide better resistance against dictionary attacks and rainbow tables, because a precomputed table would have to cover every possible salt, and 2) the same password configured for different users or on different devices is stored as entirely different hashes, so one cracked hash does not reveal the others. Note that the salt does not slow down guessing against a single hash; it only prevents precomputation and reuse.
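To make the salted hash concrete, here is an added example (it is not code from the original page) that implements the md5crypt algorithm behind a type 5 secret in Python and uses it the way both a router and an offline cracker do: the router hashes the configured text with a fresh random salt, and a cracker re-hashes each guess with the salt read out of the stored string. The salt "txNr" and the password "OmniSecuSecret" are taken from the page; the function names and the optional libc cross-check are this example's own.

```python
"""Type 5 (md5crypt) secret: hash, verify, and show what the salt does.

Added example, not code from the original page. md5crypt is the public
FreeBSD/Unix algorithm that Cisco uses for type 5 'enable secret' strings.
Nothing here talks to a router; it works on the hash string as it appears
in a configuration file.
"""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def md5crypt(password, salt):
    """Return '$1$<salt>$<hash>' for password, i.e. a Cisco type 5 secret."""
    pw = password.encode()
    sl = salt.encode()[:8]                 # md5crypt uses at most 8 salt bytes
    ctx = hashlib.md5(pw + MAGIC + sl)
    # Alternate digest of pw+salt+pw, mixed in one byte per password byte
    alt = hashlib.md5(pw + sl + pw).digest()
    for i in range(len(pw)):
        ctx.update(alt[i % 16:i % 16 + 1])
    # The "something really weird" step from the original C source
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds of stretching: slower than raw MD5, but still fast enough
    # for an offline cracker to try millions of guesses per second
    for r in range(1000):
        ctx = hashlib.md5()
        ctx.update(pw if r & 1 else final)
        if r % 3:
            ctx.update(sl)
        if r % 7:
            ctx.update(pw)
        ctx.update(final if r & 1 else pw)
        final = ctx.digest()
    # crypt-style base64 of the digest bytes in the traditional scrambled order
    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return "$1$" + sl.decode() + "$" + "".join(out)


def split_type5(stored):
    """Split '$1$<salt>$<hash>' into (salt, hash); raise ValueError otherwise."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1" or len(parts[3]) != 22:
        raise ValueError("not a type 5 secret: %r" % stored)
    return parts[2], parts[3]


def verify_type5(stored, candidate):
    """Re-hash candidate with the stored salt and compare. This is exactly what
    an offline cracker does for every word in its list: the salt is public."""
    salt, _ = split_type5(stored)
    return secrets.compare_digest(md5crypt(candidate, salt), stored)


def new_type5(password):
    """Hash with a fresh random 4-character salt, as IOS does for 'enable secret'."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(4))
    return md5crypt(password, salt)


def libc_crosscheck(password, salt):
    """Compare with the platform crypt(3) where it exists and supports md5crypt.
    Returns True/False, or None when no cross-check is possible (e.g. Python 3.13+)."""
    try:
        import warnings
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            import crypt  # deprecated in 3.11, removed in 3.13
    except ImportError:
        return None
    ref = crypt.crypt(password, "$1$" + salt + "$")
    if not ref or not ref.startswith("$1$"):
        return None
    return ref == md5crypt(password, salt)


if __name__ == "__main__":
    page_hash = "$1$txNr$vgPYgK1eJQy.lVP1sbMbD0"   # stored hash shown on this page
    print("same password, salt txNr  :", md5crypt("OmniSecuSecret", "txNr"))
    print("same password, random salt:", new_type5("OmniSecuSecret"))
    print("page hash matches OmniSecuSecret?", verify_type5(page_hash, "OmniSecuSecret"))
    print("page hash matches OmniSecuPassword?", verify_type5(page_hash, "OmniSecuPassword"))
```

Run it and compare the two hashes printed for the same password: they differ only because the salt differs, which is the rainbow-table defence described above. The verify function is also a reminder that the salt buys no slowdown against one targeted hash; only a slower algorithm does that.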
How to configure password text using "enable password" IOS Command
The command syntax for "enable password" is as below.
OmniSecuR1(config)#enable password [level <1-15>] [0|7] <user_defined_password_text>
Note: In the above command syntax,
1) "[0|7]": "0" indicates that an unencrypted (clear-text) password string follows; "7" indicates that a type 7 encoded string follows, of the kind produced by "service password-encryption".
2) "level <1-15>": privilege level. The default is privilege level 15.
Refer to the following configuration, where we configure a "password" type of password for privilege level 15 with the fully spelled-out form of the "enable password" command; the short form "enable password OmniSecuPassword" is equivalent.
OmniSecuR1#configure terminal
OmniSecuR1(config)#enable password level 15 0 OmniSecuPassword
OmniSecuR1(config)#exit
OmniSecuR1#
Again view the running configuration using the "show running-config" IOS command to see how the password text is stored in the running configuration file.
OmniSecuR1#show running-config | include enable
enable password OmniSecuPassword
You can see that the "password" type of password text "OmniSecuPassword" is stored as plain text in the running configuration file.
Storing passwords in clear text is a security risk. Anyone who can read the configuration file can read the passwords, and because TFTP carries data unencrypted, an attacker with a packet sniffer on the path can read them whenever you copy the configuration to or from a TFTP server. Encoding the passwords hides them from a casual glance at the configuration, which is all the protection the next command provides.
To encrypt the passwords which are kept in clear text, run "service password-encryption" command from Global Configuration mode.
OmniSecuR1#configure terminal
OmniSecuR1(config)#service password-encryption
OmniSecuR1(config)#exit
OmniSecuR1#
View the running configuration again: the password no longer appears in clear text. Note that type 7 is not real encryption but a fixed, reversible encoding. Anyone who has the encoded string can recover the clear-text password instantly with freely available tools, so "service password-encryption" only protects against someone glancing over your shoulder, not against an attacker who obtains the configuration file.
OmniSecuR1#show running-config | include enable
enable password 7 132A1A1C023F01293E14292026351C1512
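The type 7 string above is an obfuscation, not an encryption: each byte of the password is XORed with a fixed key string built into every IOS image, and the first two digits of the string say where in that key the XOR starts. The following added example (not code from the original page) decodes and encodes type 7 strings and audits a few configuration lines for how recoverable their passwords are. The encoded string and the configuration lines are reconstructed from the outputs shown on this page, and the function names are this example's own.

```python
"""Cisco type 7 'password-encryption' is reversible obfuscation, not encryption.

Added example, not code from the original page. The XOR key below is the
fixed constant used by IOS for type 7 strings; the encoded string decoded in
the demo is the one shown on this page. No router is contacted.
"""
import secrets

# The fixed key string built into IOS. The first two decimal digits of a type 7
# string give the position in this key where the XOR stream starts.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded):
    """Recover the clear text from a type 7 string such as 132A1A...1512."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("malformed type 7 string: %r" % encoded)
    offset = int(encoded[:2])           # decimal, 0..15 on real routers
    body = bytes.fromhex(encoded[2:])   # one byte per clear-text character
    clear = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(body))
    return clear.decode("latin-1")


def encode_type7(clear, offset=None):
    """Produce a type 7 string. IOS picks a random offset, which is why the same
    password can appear as different strings without being any harder to reverse."""
    if offset is None:
        offset = secrets.randbelow(16)
    data = clear.encode("latin-1")
    enc = bytes(c ^ XLAT[(offset + i) % len(XLAT)] for i, c in enumerate(data))
    return "%02d%s" % (offset, enc.hex().upper())


def audit_config(lines):
    """Classify 'secret'/'password' lines from a running-config by recoverability:
    type 0 is clear text, type 7 decodes instantly, type 5/8/9 are hashes that
    can only be guessed offline. Returns (line, type, verdict) tuples."""
    findings = []
    for line in lines:
        tok = line.split()
        for kw in ("secret", "password"):
            if kw in tok:
                idx = tok.index(kw)
                break
        else:
            continue                     # e.g. 'service password-encryption'
        rest = tok[idx + 1:]
        if rest[:1] == ["level"] and len(rest) >= 3:
            rest = rest[2:]              # 'enable secret level 5 5 $1$...'
        if not rest:
            continue
        if rest[0] in ("0", "5", "7", "8", "9") and len(rest) > 1:
            ptype, value = rest[0], " ".join(rest[1:])
        else:
            ptype, value = "0", " ".join(rest)
        if ptype == "0":
            verdict = "clear text: " + value
        elif ptype == "7":
            verdict = "type 7 decodes to: " + decode_type7(value)
        elif ptype == "5":
            verdict = "salted MD5 (type 5): offline guessing only"
        else:
            verdict = "type %s (PBKDF2-SHA256 or scrypt): offline guessing only" % ptype
        findings.append((line.strip(), ptype, verdict))
    return findings


# Constructed from the outputs shown on this page (the third line is what the
# running-config showed before 'service password-encryption' was enabled).
SAMPLE_CONFIG = [
    "enable secret 5 $1$txNr$vgPYgK1eJQy.lVP1sbMbD0",
    "enable password 7 132A1A1C023F01293E14292026351C1512",
    "enable password OmniSecuPassword",
]

if __name__ == "__main__":
    for line, ptype, verdict in audit_config(SAMPLE_CONFIG):
        print("%-55s type %s -> %s" % (line, ptype, verdict))
    print("re-encoded with IOS-style random offset:", encode_type7("OmniSecuPassword"))
```

The audit shows the practical difference between the two flavours at a glance: the type 7 line yields the password on the spot, while the type 5 line yields only a salt and a hash that must be guessed.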
Of the two Cisco IOS password flavours, "enable secret" provides far better security. So never rely on "enable password", even with "service password-encryption"; use "enable secret" instead. If both are configured, IOS uses the secret and ignores the password, so there is no reason to keep the weaker one. On IOS releases that support them, prefer the stronger type 8 (PBKDF2-SHA-256) or type 9 (scrypt) secrets, configured with "enable algorithm-type sha256 secret <text>" or "enable algorithm-type scrypt secret <text>"; these are far slower to guess offline than a type 5 MD5 hash.
Tips for implementing better Cisco IOS Password Security
• Use complex passwords: when you configure a password, use characters from at least three of the four character classes below, and make it as long as practical. Long, complex passwords provide better protection against brute-force and dictionary attacks, which matters most for "enable secret", since its hash can be guessed offline by anyone who obtains the configuration file.
1) Lowercase letters
2) Uppercase letters
3) Numbers
4) Special characters
• Use a different password for privilege level 15: never reuse the privileged EXEC mode (privilege level 15) password anywhere else, such as for the console or vty lines or for user accounts. If an attacker recovers any other password, the first thing they will try is that same password against privileged EXEC mode.
• Use only "enable secret": if you are implementing passwords on your Cisco network infrastructure devices, use only "enable secret" for better password security.