setting strong encrypted passwords configuring password
play

Setting Strong Encrypted Passwords Configuring Password Encryption - PowerPoint PPT Presentation

Sep 08, 2022 •206 likes •354 views

Setting Strong Encrypted Passwords Configuring Password Encryption for Clear Text Passwords Cisco IOS stores passwords in clear text in network device configuration files for several features such as passwords for local and remote CLI sessions,

  1. Setting Strong Encrypted Passwords

  2. Configuring Password Encryption for Clear Text Passwords Cisco IOS stores passwords in clear text in network device configuration files for several features such as passwords for local and remote CLI sessions, and passwords for neighbor authentication for routing protocols. Clear text passwords are a security risk because anybody with access to archived copies of the configuration files can discover the passwords that are stored as clear text. The service password-encryption command can be used to encrypt clear text commands in the configuration files of networking devices.

  3. Passwords On Cisco Devices You can configure passwords to protect access to many different aspects of IOS. Some common access passwords are: Console Password: line con 0 password PACKETLABCON VTY Password: line vty 0 4 password PACKETLABVTY AUX Password: line aux 0 password PACKETLABAUX Enable Password: enable password PACKETLAB Enable Secret Password: enable secret packetlab Local Username Database: username packetlab password PACKETLAB

  4. Passwords On Cisco Devices Some other Cisco IOS passwords (there are a ton more): OSPF authentication-key: interface Serial0/0 ip address 10.1.12.1 255.255.255.0 ip ospf authentication-key OSPFPASS BGP (neighbor) Password: router bgp 100 neighbor 2.2.2.2 remote-as 100 neighbor 2.2.2.2 password BGPPASS Key Chains: key chain OSPFCHAIN key 1 key-string KEYSTRING

  5. Passwords On Cisco Devices By default, all passwords (with the exception of ‘secret passwords’ which are discussed later) are stored in the running configuration in cleartext: enable password PACKETLAB username packetlab password 0 PACKETLAB ! key chain OSPFCHAIN key 1 key-string KEYSTRING ! interface Serial0/0 ip ospf authentication-key OSPFPASS ! router bgp 100 neighbor 2.2.2.2 password BGPPASS ! line con 0 password PACKETLABCON line aux 0 password PACKETLABAUX line vty 0 4 password PACKETLABVTY

  6. ‘service password - encryption’ Command service password-encryption To encrypt passwords, use the service password-encryption command in global configuration mode. To restore the default, use the no form of this command. service password-encryption no service password-encryption Usage Guidelines The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including username passwords, authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and Border Gateway Protocol neighbor passwords. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file. When password encryption is enabled, the encrypted form of the passwords is displayed when a more system:running-config command is entered. Caution This command does not provide a high level of network security. If you use this command, you should also take additional network security measures. Note You cannot recover a lost encrypted password. You must clear NVRAM and set a new password.

  7. ‘service password - encryption’ Command Before configuring ‘service password - encryption’: After configuring ‘service password - encryption’: enable password PACKETLAB enable password 7 053B272C0A697A253827 username packetlab password 0 PACKETLAB username packetlab password 7 097C6F2A3220233E2A2E ! ! key chain OSPFCHAIN key chain OSPFCHAIN key 1 key 1 key-string KEYSTRING key-string 7 0520233612787C203722 ! ! interface Serial0/0 interface Serial0/0 ip ospf authentication-key OSPFPASS ip ospf authentication-key 7 0474383629116D7D3A ! ! router bgp 100 router bgp 100 neighbor 2.2.2.2 password BGPPASS neighbor 2.2.2.2 password 7 106C2E2935362138 ! ! line con 0 line con 0 password PACKETLABCON password 7 03347A282D2A15606F2B3A2A39 line aux 0 line aux 0 password PACKETLABAUX password 7 113938263C373F2025080A1110 line vty 0 4 line vty 0 4 password PACKETLABVTY password 7 046B2A2524047862283B33232B

  8. What does 0, 5, 7 mean? 0 - Specifies that an unencrypted password follows (cleartext). 5 - Specifies that a hidden secret follows (MD5 encryption). 7 - Specifies that a hidden password follows (Vigenère cipher encryption*). Type 0 passwords are stored in cleartext. This is the default. Once service password-encryption has been enabled, IOS converts all Type 0 passwords into Type 7 (Vigenère cipher encryption*). This encryption is easily broken (as we’ll soon see) but it prevents ‘over -the- shoulder’ password theft. MD5 is a very secure (although technically broken) encryption method. MD5 is used whenever you specify a ‘secret’ password. username packetlab password 0 packetlab username packetlab password 7 097C6F2A3220233E2A2E username packetsecret secret 5 $1$KVpy$JhrCgVprm1FGWWLPABaAN/ * Not technically ‘encryption’ as there is no encryption key. If you want to be technically correct, the Cisco Vigenère cipher algorithm obfuscates a password. Let’s not even explore the hashing versus encrypting argument. 

  9. What does 0, 5, 7 mean? When entering configuring a password, do not use 5 or 7 unless you are pasting in an already encrypted password (generally from a saved configuration): r1(config)# username FAKEUSER password ? 0 Specifies an UNENCRYPTED password will follow 7 Specifies a HIDDEN password will follow LINE The UNENCRYPTED (cleartext) user password r1(config)#username FAKEUSER password 7 DONOTDOTHIS Invalid encrypted password: DONOTDOTHIS r1(config)#username FAKEUSER password 5 DONOTDOTHIS ERROR: Can not use MD5 secrets for passwords. Use "username FAKEUSER secret" instead. r1(config)# username FAKEUSER secret ? 0 Specifies an UNENCRYPTED secret will follow 5 Specifies a HIDDEN secret will follow LINE The UNENCRYPTED (cleartext) user secret r1(config)#username FAKEUSER secret 5 DONOTDOTHIS ERROR: The secret you entered is not a valid encrypted secret. To enter an UNENCRYPTED secret, do not specify type 5 encryption. When you properly enter an UNENCRYPTED secret, it will be encrypted.

  10. Decrypting Cisco Type 7 Passwords line con 0 password 7 03347A282D2A15606F2B3A2A39

  11. Decrypting Cisco Type 7 Passwords It’s probably not a good idea to use online type 7 password decryption for your corporate passwords as you never know what the code behind the page might be doing. There’s a trick you can do on your Cisco device to decode Type 7 passwords: 1) Create a key chain: r1(config)#key chain DECRYPT7 r1(config-keychain)#key 1 2) Paste in the Type 7 password (make sure to include the ‘7’) as the key -string value: r1(config-keychain-key)#key-string 7 03347A282D2A15606F2B3A2A39 3) From privileged EXEC mode, issue the show key chain command: r1#show key chain DECRYPT7 Key-chain DECRYPT7: key 1 -- text "PACKETLABCON" accept lifetime (always valid) - (always valid) [valid now] send lifetime (always valid) - (always valid) [valid now] 4) (Optional) Delete key chain after decryption completed: r1(config)#no key chain DECRYPT7

  12. ‘no service password - encryption’ Command One thing to note is that issuing the no password-encryption command does NOT decrypt the already encrypted passwords: r3#sh run | i pass no service password-encryption username packetlab password 0 packetlab username vendor privilege 15 one-time password 0 cisco r3(config)# service password-encryption r3(config)#do sh run | i pass service password-encryption username packetlab password 7 06160E22474B1D150415 username vendor privilege 15 one-time password 7 060506324F41 r3(config)#no service password-encryption r3(config)#do sh run | i pass no service password-encryption username packetlab password 7 06160E22474B1D150415 username vendor privilege 15 one-time password 7 060506324F41 r3(config)#username packetlab2 password PACKETLAB2 r3(config)#do sh run | i pass no service password-encryption username packetlab password 7 06160E22474B1D150415 username vendor privilege 15 one-time password 7 060506324F41 username packetlab2 password 0 PACKETLAB2

  13. Summary There are a number of different Cisco IOS features that use passwords. By default, Cisco IOS stores all password values (except those specified as ‘secret’) in the configuration as cleartext. This is a security issue as anyone can do an ‘over -the- shoulder’ attack when passwords are not encrypted. By enabling the service password-encryption global configuration command, Cisco IOS obfuscates all cleartext passwords (Type 0) with a Vigenère cipher (Type 7). While Type 7 passwords are easily decrypted, this feature greatly reduces the effectiveness of the ‘over -the- shoulder’ attack. Certain passwords allow you the option to designate them as ‘secret’ passwords. The best known example of this is the enable secret password. Cisco IOS stores secret passwords in the form of an MD5 hash. (Type 5). While MD5 can technically be cracked, it’s not something that can be done easily (if at all). Type 5 passwords are very secure. You can quickly tell whether a password is stored in cleartext (Type 0), MD5 hash (Type 5), or Vigenère cipher (Type 7) by looking at the number that precedes the password when viewing the configuration.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is weak authentication mechanism. Use Brute Force to find the password. We are using Hashing and Salt to protect the password. Passwords: Two factors

559 views • 51 slides
Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret

Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret

Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret Typical goal: client authenticating to server, without being tied to a device holding a cryptographic key. On authentication, a session key should be

344 views • 11 slides
Authentication of People what you know (passwords) what you have (keys) what you are

Authentication of People what you know (passwords) what you have (keys) what you are

people 1 Authentication of People what you know (passwords) what you have (keys) what you are (biometric devices) where you are (physical) Slide 1 Passwords initial password distribution (students) limit password guessing

305 views • 7 slides
access-list 103 remark VTY Telnet Access ACL access-list 103 permit tcp host <IP address>

access-list 103 remark VTY Telnet Access ACL access-list 103 permit tcp host <IP address>

Router Device Security Lab Configuring Secure Passwords 1. Configure the enable secret and password enable password TRUSTME enable secret letmein Look at the configuration: show config terminal Note the difference between the number 5 and

375 views • 5 slides
Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force Attack - tries every possible character combination as a password. To recover a single-letter password would require up to 26 combinations. A

415 views • 8 slides
OVMCS Accounting 2 OVMCS - Accounting Passwords Do not give out your password to ANYONE.

OVMCS Accounting 2 OVMCS - Accounting Passwords Do not give out your password to ANYONE.

The purpose of todays presentation is to provide tools in ARTS to help monitor activity within your office. OVMCS Accounting 2 OVMCS - Accounting Passwords Do not give out your password to ANYONE. Do not publicly post passwords.

332 views • 29 slides
Strong Cryptography from Weak Secrets Building Efficient PKE and IBE from Distributed Passwords

Strong Cryptography from Weak Secrets Building Efficient PKE and IBE from Distributed Passwords

Distributed Cryptography Distributed Password Public-Key Cryptography The Decision-Linear Case Strong Cryptography from Weak Secrets Building Efficient PKE and IBE from Distributed Passwords Xavier Boyen 1 Cline Chevalier 2 Georg Fuchsbauer 3

680 views • 36 slides
STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A

STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A

STUDENT PASSWORDS GUI DEL I NES FOR 2 0 1 9 -2 020 S T U D E N T S , U P D A T E Y O U R P A S S W O R D F R O M H O M E ! Students: Update your password this summer from home! Student passwords were reset on 7/3/2019. Please follow the

525 views • 14 slides
Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not

Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not

CSCE Intro to Computer Systems Security - Passwords Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not too long ago Hi, I forgot my password! Let me help you. What is your name? My Name is John

369 views • 5 slides
OPAQUE: A Strong Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks Stanislaw

OPAQUE: A Strong Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks Stanislaw

OPAQUE: A Strong Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks Stanislaw Jarecki, Hugo Krawczyk, Jiayu Xu Motivation: Password Authentication Passwords are the prevalent tool for authentication Passwords are vulnerable

481 views • 22 slides
iCLOUD KEYCHAIN WHAT IS KEYCHAIN? Ability to store encrypted passwords in a way that is secure

iCLOUD KEYCHAIN WHAT IS KEYCHAIN? Ability to store encrypted passwords in a way that is secure

iCLOUD KEYCHAIN WHAT IS KEYCHAIN? Ability to store encrypted passwords in a way that is secure and easy to access. TOTAL RECALL BENEFITS Keychain & Safari are integral to Apples operating systems. (IOS for iPad/iPhone and OS X for

442 views • 9 slides
Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by

Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by

Honeywords Making Password-Cracking Detectable By Ari Juels and Ronald L. Rivest Presented by Nunzio Cicone and Hans-Peter Hllwirth Setting Password Attacks Passwords are a notoriously weak authentication mechanism One significant

422 views • 20 slides
Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random research, rants, etc. Nmap dev news Password database I post updates to Twitter https://twitter.com/iagox86 My job... Tenable Network Security

990 views • 88 slides
Password Policy John Hally John.hally@comcast.net Why This Policy? Very important aspect of

Password Policy John Hally John.hally@comcast.net Why This Policy? Very important aspect of

Password Policy John Hally John.hally@comcast.net Why This Policy? Very important aspect of security Can easily be the weakest link Set standards for: Creation of strong passwords Password protection Frequency of

202 views • 6 slides
Authentication of People what you know (passwords) what you have (keys) what you are

Authentication of People what you know (passwords) what you have (keys) what you are

people 1 Authentication of People what you know (passwords) what you have (keys) what you are (biometric devices) where you are (physical) October 26, 2000 people 2 Passwords initial password distribution (students)

559 views • 13 slides
How to (not) Share a Password: Privacy preserving protocols for finding heavy vy hit itters

How to (not) Share a Password: Privacy preserving protocols for finding heavy vy hit itters

How to (not) Share a Password: Privacy preserving protocols for finding heavy vy hit itters with adversarial behavior Moni Naor Benny Pinkas Eyal Ronen Passwords First modern use in MIT's CTSS (1961) Passwords First

747 views • 60 slides
Routing Computer Center, CS, NCTU Dynamic Route Routing Protocol 2 Computer Center, CS,

Routing Computer Center, CS, NCTU Dynamic Route Routing Protocol 2 Computer Center, CS,

Routing Computer Center, CS, NCTU Dynamic Route Routing Protocol 2 Computer Center, CS, NCTU Why dynamic route ? (1) Static route is ok only when Network is small There is a single connection point to other network No

757 views • 41 slides
the evolution of collective intelligence adventures in information sharing wesyoung.me Monday,

the evolution of collective intelligence adventures in information sharing wesyoung.me Monday,

the evolution of collective intelligence adventures in information sharing wesyoung.me Monday, May 21, 12 zombie hunting, the survival guide What is the REN-ISAC? Who do we work with? Why should I care? Challenges the

506 views • 24 slides
TCP/IP: Ethernet, IP, and ARP (and a PGP refresher) Network Security Lecture 2 Any questions

TCP/IP: Ethernet, IP, and ARP (and a PGP refresher) Network Security Lecture 2 Any questions

TCP/IP: Ethernet, IP, and ARP (and a PGP refresher) Network Security Lecture 2 Any questions on Administrativia, organizational matters? Historical/cultural overview? Eike Ritter Network Security - Lecture 2 1 Today PGP in 6

431 views • 42 slides
1 IP Addressing: introduction IP networks 223.1.1.1 223.1.1.1 IP address: 32-bit Address has

1 IP Addressing: introduction IP networks 223.1.1.1 223.1.1.1 IP address: 32-bit Address has

IP overview Internet Protocol Service model Addressing Forwarding (Routing later) 9/29/06 CS/ECE 438 - UIUC, Fall 2006 1 9/29/06 CS/ECE 438 - UIUC, Fall 2006 2 Layer reminder IP service model Bridges - emulate single link

602 views • 7 slides
Undo-Redo Principles, concepts Undo patterns Java implementation Undo 1 Undo* Benefits

Undo-Redo Principles, concepts Undo patterns Java implementation Undo 1 Undo* Benefits

Undo-Redo Principles, concepts Undo patterns Java implementation Undo 1 Undo* Benefits Undo lets you recover from errors - input errors (human) and interpretation errors (computer) - you can work quickly (without fear) Undo enables

541 views • 27 slides
Short Paper: WifiLeaks: Underestimated Privacy Implications of the ACCESS WIFI STATE Android

Short Paper: WifiLeaks: Underestimated Privacy Implications of the ACCESS WIFI STATE Android

Introduction User Survey Application Analysis Potential Solution and Conclusion Short Paper: WifiLeaks: Underestimated Privacy Implications of the ACCESS WIFI STATE Android Permission Jagdish Prasad Achara, Mathieu Cunche, Vincent Roca, and

714 views • 43 slides
Mainframes: The past will come back to haunt you By:

Mainframes: The past will come back to haunt you By:

Mainframes: The past will come back to haunt you By: Philip Soldier of Fortran Young Disclaimer Any views expressed in this talk are my own

1.21k views • 90 slides
Digital Object Memories for the Web of Things Dr.-Ing. Jens Haupert German Research Center for

Digital Object Memories for the Web of Things Dr.-Ing. Jens Haupert German Research Center for

Digital Object Memories for the Web of Things Dr.-Ing. Jens Haupert German Research Center for Artificial Intelligence (DFKI) Web of Things Workshop, June 25 th 2013 Sample Scenario Linking: Physical Object and Object Memory * Order *

880 views • 39 slides

More recommend