The U.S. National Security Agency (NSA) has recently issued guidance on the use of passwords to secure Cisco devices. Cisco devices are extensively used to secure network infrastructure devices and Cisco devices are often targeted by cyber threat actors. There have been cases where cyber threat actors have gained access to the configuration files and have used the information in those files to compromise network devices. Configuration files contain the settings that control the behavior of the device, information that is used to direct network traffic, and they store pre-shared keys and user authentication information.
It is possible for Cisco devices to have a plaintext configuration file; however, Cisco devices use several different password hashing and encryption methods to secure the passwords stored in configuration files. It is important that the devices are configured correctly and care is taken selecting the right password and hashing options. There have been cases where configuration files have been protected with passwords and passwords in the configuration files have been hashed, but plaintext passwords were still obtained as the hashes used were insecure and reversible.
Hashing uses a one-way algorithm that makes reversing the process to obtain the original string difficult. A random salt is often added to the password prior to hashing to make it even harder to obtain the original string. If a salted hash of a strong password is obtained by a cyber threat actor, it would be of little use as it will be difficult to reverse the salting and hashing process to obtain the original password. Passwords can also be encrypted and require a key to decrypt them back into plaintext.
“When configuration files are not properly protected, Cisco devices that are configured to use a weak password protection algorithm do not adequately secure the credentials. This can lead to compromised devices, and potentially to compromised entire networks,” explained the NSA. “When the configuration file displays on the Command Line Interface, or if it is copied from the device, the user sees the protected form of the password with a number next to it. The number indicates the type of algorithm used to secure the password. The password protection types for Cisco devices are 0, 4, 5, 6, 7, 8, and 9.”
The NSA has made recommendations on the password types to use, as some can be cracked immediately and others are relatively easy for cyber threat actors to obtain, as detailed in the table below.
It is also important to ensure that strong passwords are set in accordance with the latest NIST password guidelines, never to send router configuration files via email even if they contain hashed passwords, never reuse passwords that have been used elsewhere, and ensure multi-factor authentication is implemented as the use of passwords alone increases the risk of device exploitation.