In a production environment please refrain entirely from using Type 7 refrain from using Type 5 where necessary/possible and almost certainly try to implement Type 8 or Type 9 considering PBKDF2 is the recommended from NIST as per this I would edge towards using that over Type 9. Storing passwords with MD5 is not secure at all. In regards to Type 5 don't use it either. You should certainly not be using Type 7, it's awful. To sum up, should you use Type 7 or Type 5? The answer is no. Again a good resource for Scrypt is here. However, put simply Scrypt will be a lot more secure than Type 7 and Type 5 because it is again designed to be slow, which means computation time is a lot longer thus you'd like to think "more secure". In general, though I would say if you're using this on a customers network (customer being a client perhaps you sell networking solutions too) then where possible try to use Type 8.įinally you have Type 9 Scrypt whilst I cannot evaluate the security of this that well Scrypt appears to be in general "more secure than Bcrypt" the issue with it, is that it's a lot more recent so that obviously means it has had a lot less time to be looked at by crypto experts. Again this is all subjective to your Threat Model. In general it seems that PBKDF2 appears to be the standard for password storing as mentioned by Tom here it also appears to be the NIST recommended for storing passwords so if you have the option I would recommend Type 8 it's going to be infinitely more secure than Type 7 and significantly more secure than Type 5 so if you have the ability then use it. This becomes obvious when you generate an RSA key with 4096 bits on a Cisco switch. Type 8 is incredibly slow which can be a problem especially on a router, switch, etc this is because they don't use powerful CPUs, whilst a company like Cisco doesn't disclose specifically what CPUs they use it would be logical to say they're not extremely powerful for example in reality what a switch is doing isn't that intensive so they're not going to be using very powerful hardware. PBKDF2 is good due to the fact that's it is designed to be slow where MD5 isn't. In newer versions of Cisco's IOS, there are now Type 8 and Type 9 passwords. As I mentioned earlier there are actually other types. So should you use Type 5 it honestly depends on your threat-model but I would advise against it where possible. Ciscos implementation of MD5 uses a Salt however as mentioned here by Tom Leek, in reality, using Salt in MD5 doesn't make any difference because of speed. In essence, MD5 is fast, you can hash billions of passwords per second. MD5 isn't at all good for storing password see Is MD5 considered insecure? (I suggest reading both CodesInChaos's answer and Thomas Pornins answer below it) both answers are great and will tell you why you shouldn't store passwords in MD5. So what about Type 5 is that more secure? Yes, it's more secure, Is it good? Well for storing passwords, not really. A good website to see how Vigenère ciphers work is Crypto Corner. So where in a Ceaser you simply use a shift of three in a Vigenère cipher you shift with different values each time. What this essentially means is you take multiple Ceaser ciphers in sequence however you change the shift value each time. What you've not been told is why it's insecure - Type 7 uses the Vigenère cipher this cipher is now considered to be completely broken in-short this cipher usesĪ series of interwoven Caesar ciphers based on the letters of a keyword. The point is, it's easy to reverse, there is no security behind it whatsoever so please don't ever use it (unless you're just running labs). 1)Īs stated by the users here, there are "two" (I use speech marks here because there are actually more, some only feature on newer versions of code and certain products and I will talk about those later) but the two password types that are common are Type 7 and Type 5.Īs you've been told Type 7 is very easily cracked, in-fact with a quick Google search you can find a decrypter online as an example here is one I've used in the past. TL DR Don't use Type 7 refrain from using Type 5 where possible and almost always try to use Type 8 (Unfortunately Type 8 in the world of Cisco isn't always available on all devices.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |