In the case of type 0 passwords, no encryption or hashing is used, meaning that credentials are stored in plaintext.
Type 4 (deprecated since 2013) contains an implementation error that makes it weak against brute-force attempts.
Type 7 passwords, the NSA says, are stored as encoded strings and should be considered obfuscated, rather than encrypted.
Type 5 and Type 9 passwords, the agency explains, are not NIST-approved. Introduced roughly 30 years ago, Type 5 is relatively easy to brute-force and should only be used when type 6, 8, and 9 passwords are not available.
Meant to make password cracking highly expensive, type 9 hasn’t been “evaluated against NIST-approved standards” yet.
Type 6 passwords, which use a reversible 128-bit AES encryption algorithm, are difficult to crack and are more secure than type 7 passwords when the plaintext password is needed on the device.
The NSA says that type 6 should always be used for VPN keys, but recommends its use in other cases only if type 8 (and type 9) is not available.
Introduced with Cisco’s operating systems starting in 2013, type 8 passwords offer strong protection, with no issues found in them, the NSA says. The passwords are hashed using PBKDF2, SHA-256, an 80-bit salt, and 20,000 iterations, and are stored as hashes within configuration files.
“NSA recommends that Type 8 passwords be enabled and used for all Cisco devices running software developed after 2013. Devices running software from before 2013 should be immediately updated. Type 6 passwords should be used when reversible encryption must be used,” the NSA says.
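One way to check a device configuration against the guidance above is to scan it for credential lines and report the password type of each. The following is an added example, not code from the article or from the NSA; the regular expression, the `fail`/`warn`/`ok` labels, and the sample configuration are assumptions made for illustration.

```python
import re

# Verdicts summarise the NSA guidance quoted above; the "fail"/"warn"/"ok"
# labels are this example's own shorthand, not NSA terminology.
GUIDANCE = {
    0: ("fail", "stored in plaintext"),
    4: ("fail", "deprecated since 2013, weak against brute force"),
    5: ("warn", "relatively easy to brute-force; use only if 6, 8 and 9 are unavailable"),
    6: ("warn", "reversible AES; intended for VPN keys or when plaintext is needed"),
    7: ("fail", "obfuscated, not encrypted"),
    8: ("ok", "PBKDF2 with SHA-256; recommended"),
    9: ("warn", "not yet evaluated against NIST-approved standards"),
}

# Assumption: credentials appear as "... password|secret [type] <value>";
# a missing type digit is treated as type 0 (plaintext).
CRED = re.compile(r"\b(password|secret)\s+(?:(\d)\s+)?(\S+)")

def audit(config_text):
    """Return (line_no, type, verdict, reason) per credential line; never the secret itself."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = CRED.search(line)
        if not m:
            continue
        ptype = int(m.group(2)) if m.group(2) else 0
        verdict, reason = GUIDANCE.get(ptype, ("fail", "unknown password type"))
        findings.append((no, ptype, verdict, reason))
    return findings

# Constructed sample configuration; all values are placeholders.
SAMPLE = """\
! constructed example
enable secret 5 $1$EXAMPLE$placeholderhash
enable password PLACEHOLDER
username ops privilege 15 secret 8 $8$EXAMPLESALT$placeholderhash
username legacy password 7 PLACEHOLDER
username old secret 4 PLACEHOLDERHASH
username new secret 9 $9$EXAMPLESALT$placeholderhash
service password-encryption
"""

if __name__ == "__main__":
    for no, ptype, verdict, reason in audit(SAMPLE):
        print(f"line {no}: type {ptype} [{verdict}] {reason}")
```

The report carries only line numbers and types, so it can be shared without exposing the stored values.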
Source: https://www.securityweek.com/nsa-provides-guidance-cisco-device-passwords