Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
240
Views
2
Helpful
2
Replies

Did you choose password type 8 or 9?

waddealister
Level 1
Level 1

‎03-07-2024 03:02 AM

We aren't required to follow a certain direction, but I know 2 years ago NSA & NIST essentially said use 8 because 9 wasn't yet vetted. Cisco had or does recommend type 9. What did you go with?

Finally upgrading from the ones you can just paste and see online. From quick testing, it looks like just using command, "username <user> algorithm-type sha256 secret <pass>" would be the safest way to overwrite the old user of the same name but with the better protection with no downside of it accidentally being cleared first but then not supporting the command such as in the case of old switches

omegle xender
Labels:
0 Helpful
2 Replies 2

Rob Ingram
VIP
VIP

‎03-07-2024 03:07 AM

@waddealister the link below is a Cisco guide comparing the different types

https://community.cisco.com/t5/networking-knowledge-base/understanding-the-differences-between-the-cisco-password-secret/ta-p/3163238

Q: Which is most secure, Type 6, 8 or 9?

A: This is debatable. Since Type 8 & 9 are one-way hashes they could be considered the most secure. However, I believe popular tools are able to brute force Type 8 & 9 and I’m not sure if Type 6 can be brute forced… yet.  

Tim Glen
Cisco Employee
Cisco Employee
In response to Rob Ingram

‎03-07-2024 06:12 AM

Hey @Rob Ingram & @waddealister 

Rob, thanks for pointing to my doc! Cool seeing you in Amsterdam and I wish we had more time to talk. 

Both Type 8 SHA256 and Type 9 SCRYPT are secure and, to date in 2024, I haven't heard about any successful attacks on Type 8 (SHA256) or Type 9 (SCRYPT), even though some popular tools posit attacks. 

In IOS XE the default is Type 9 but personally, I prefer to use Type 8.

A good auditor may ding you for using Type 9 because its not NIST approved especially in the US Defense \ Public Sector. 

From quick testing, it looks like just using command, "username <user> algorithm-type sha256 secret <pass>"

Yes, that sounds like an excellent method of replacing either Type 7 (obfuscation) or Type 9 (SCRYPT hash).

Pro Tip: when reconfiguring these, think about adding a Common Criterial Policy as well!  This allows you to set password strength requirements (upper, lower, special chars & more)  and ensures that your passwords follow those req's. 

You can automate this with Ansible as well!  I presented this at Cisco Live recently and here is the Guide \ Playbooks. 
https://github.com/timmayg/clemea2024-devwks-2008/blob/main/02-Local_Auth.md

Hope this helps and if you have questions let me know. 

Tim

 

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card