Cisco IOS devices store passwords in one of two forms: reversible Type 7 encryption, or a one-way hash (Type 5, or Type 4 on some releases) that is produced when a credential is configured with the "secret" keyword. Strictly speaking a hash is not encryption, since there is no key and nothing to decrypt, but IOS itself calls both "encryption" and this article follows that usage.
Reversible encryption means the device can recover the stored password and compare it with the one a user supplies when authenticating. Cisco Type 7 passwords are stored this way. When "service password-encryption" is enabled in the configuration, the device transforms each clear-text password into a string that holds the encrypted form. It is not a simple substitution cipher, but it is trivially reversed: the password is XORed against a fixed key that is identical on every IOS device, and the two leading digits of the stored string give the starting position in that key. Decoders are widely available, and the string can even be decoded on a router itself (enter it as a Type 7 key-string under a key chain, and "show key chain" displays the clear text).
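To make the reversibility concrete, here is an added worked example in Python; it is not code from the original article or from Cisco. It decodes and re-encodes Type 7 strings and then sweeps a constructed configuration snippet for every line that ends in a Type 7 value. The function names, the sample configuration, and the regular expression used to spot Type 7 lines are assumptions made for the demonstration; the fixed key and the offset-plus-XOR layout are the real Type 7 scheme.

```python
import re

# The fixed key baked into IOS.  Every Type 7 string on every device is XORed
# against this same 26-byte string, which is why the scheme is reversible.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUB"


def type7_decrypt(encoded: str) -> str:
    """Recover the plaintext from a Type 7 string such as '0822455D0A16'.

    Layout: two decimal digits giving a start offset into TYPE7_KEY, then one
    pair of hex digits per plaintext byte.  Byte i of the plaintext is the
    hex byte XORed with TYPE7_KEY[(offset + i) % 26].
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("Type 7 strings have an even length of at least 4 characters")
    offset = int(encoded[:2])
    if offset >= len(TYPE7_KEY):
        raise ValueError("offset %d is outside the Type 7 key" % offset)
    cipher = bytes.fromhex(encoded[2:])
    plain = bytes(c ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, c in enumerate(cipher))
    return plain.decode("ascii")


def type7_encrypt(plain: str, offset: int = 8) -> str:
    """Produce the Type 7 form of a password.

    IOS picks the offset itself (a small number near the start of the key);
    here it is a parameter so the round trip can be checked for any start.
    """
    if not 0 <= offset < len(TYPE7_KEY):
        raise ValueError("offset must lie within the Type 7 key")
    data = plain.encode("ascii")
    cipher = bytes(p ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                   for i, p in enumerate(data))
    return "%02d%s" % (offset, cipher.hex().upper())


# Assumption for the sweep: any config line whose last two tokens are "7" and a
# run of hex digits carries a Type 7 string ("username fred password 7 ...",
# "key-string 7 ...", "ppp chap password 7 ...", "... md5 7 ..." and so on).
_TYPE7_LINE = re.compile(r"^(?P<line>.*\s7\s+(?P<blob>[0-9A-Fa-f]{4,}))\s*$")


def reveal_type7(config: str) -> list:
    """Return (config line, recovered password) for every Type 7 string found."""
    found = []
    for raw in config.splitlines():
        m = _TYPE7_LINE.match(raw)
        if m:
            found.append((m.group("line").strip(), type7_decrypt(m.group("blob"))))
    return found


# Constructed sample configuration for the demonstration, not from a real device.
# The two Type 7 strings encode the example passwords used in this article.
SAMPLE_CONFIG = """\
service password-encryption
!
username fred password 7 031352070B0E
!
interface Serial0/0
 encapsulation ppp
 ppp chap password 7 0822455D0A16
"""

if __name__ == "__main__":
    for line, password in reveal_type7(SAMPLE_CONFIG):
        print("%-40s -> %s" % (line, password))
```

Running the sweep against any saved configuration (a TFTP backup, a change-ticket attachment, a pasted "show run") recovers every Type 7 credential in it instantly, which is the practical reason the "over the shoulder" label fits.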
Non-reversible encryption works differently. On IOS devices, a password configured with Type 5 encryption using the "secret" keyword (enable secret cisco, username fred secret wilma)* is combined with a randomly generated salt, and an MD5-based hash (the same md5crypt scheme used for "$1$" password hashes on Unix systems) is computed over the salt and password. The result is then fed back into the hash, and that step is repeated one thousand times. The password cannot be derived from the stored hash; the only way to recover it is to guess candidates and hash each one with the stored salt, which the salting and iteration make significantly more expensive. "More expensive" is relative, though: MD5 is a fast function, and modern GPU cracking rigs test Type 5 hashes at a high rate, so a weak secret is still recovered quickly.
When a user wishes to authenticate, the system takes the supplied password, hashes it using the salt stored alongside the hash, and compares the result with the stored value. If they match, authentication succeeds.
One theoretical problem with any hash is collision, where more than one input produces the same hash value. For passwords this is a minimal concern: an attacker who stumbles on a colliding input has merely found another string that authenticates, and the chance of finding one that is not more complex than the real password is infinitesimal.
The multiple hash iterations increase the time required to brute-force the password, since each guess now costs roughly a thousand hash computations instead of one. The extra time is negligible for a single legitimate login, but it has a real impact when billions, trillions, or more candidate values must be tried.
Type 7 passwords are intended only for "over the shoulder" security, so that a password cannot be read by someone who casually sees the configuration on a screen or printout. They offer no protection against anyone who obtains a copy of the configuration, since the value is recovered in seconds. Wherever it can be used, the secret form is preferable.
Type 7 encryption is still needed in places. Usernames and passwords used by CHAP must be recoverable, because CHAP requires the router to compute its response from the shared secret itself. The same applies to other strings the router has to present or compute with, such as the PPP PAP sent-username password and routing protocol authentication keys; these use Type 7 because the router needs the clear-text value.
Type 4 passwords were introduced to provide a stronger hashed password mechanism based on the SHA-256 algorithm. Unfortunately, the implementation omitted the salting and iterative hashing used by Type 5, so a Type 4 hash is a single unsalted SHA-256 of the password. Despite the stronger hash function, that makes it faster to attack than a Type 5 hash, and identical passwords produce identical Type 4 strings on every device, so one precomputed table serves an attacker everywhere. Cisco provided options for users who wanted to configure Type 5 passwords on devices that support Type 4. Always make sure that passwords are converted to Type 5 before downgrading IOS to a version that does not support Type 4, or the downgraded device will not be able to read them.
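To make the Type 5 mechanics of the earlier paragraphs (salt, 1000 iterations, re-hash on login) and the Type 4 comparison concrete, here is an added worked example in Python; it is not code from the original article or from Cisco. It implements the md5crypt scheme behind Type 5 "$1$" hashes, a verify routine that re-hashes a candidate with the salt carried in the stored string, and a single-SHA-256 Type 4 hash for contrast. The function names and the four-character salt length are assumptions made for the demonstration, as is the base64 bit packing used for the Type 4 output; the md5crypt steps follow the published "$1$" algorithm.

```python
import base64
import hashlib
import hmac
import secrets

# Alphabet used by crypt(3)-style hashes; Type 5 salts and hashes are drawn from it.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MD5_MAGIC = b"$1$"
ROUNDS = 1000


def _to64(value: int, n: int) -> str:
    """Emit n characters of value, least significant 6 bits first (crypt(3) order)."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """The md5crypt algorithm behind Type 5 ($1$) hashes.

    Two set-up digests bind the password to the salt; the result is then fed
    through 1000 further MD5 rounds that mix the password and salt back in
    following a fixed pattern.  Every candidate guess costs 1002 MD5 digests.
    """
    salt = salt[:8]
    ctx = hashlib.md5(password + MD5_MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    pl = len(password)
    while pl > 0:
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(password)
    while i:  # one byte per bit of the password length: NUL or first password byte
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(ROUNDS):
        ctx1 = hashlib.md5()
        ctx1.update(password if r & 1 else final)
        if r % 3:
            ctx1.update(salt)
        if r % 7:
            ctx1.update(password)
        ctx1.update(final if r & 1 else password)
        final = ctx1.digest()
    # crypt(3) packs the 16 digest bytes in this particular order: 5 groups of 3, then 1
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return (MD5_MAGIC + salt + b"$").decode() + encoded


def type5_hash(password: str, salt: str = None) -> str:
    """What 'enable secret <pw>' stores: $1$<salt>$<22-char hash>.

    Assumption: a fresh random 4-character salt when none is given.
    """
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(4))
    return md5crypt(password.encode(), salt.encode())


def type5_verify(password: str, stored: str) -> bool:
    """Login check: re-hash the candidate with the stored salt and compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False  # not a Type 5 string at all
    recomputed = md5crypt(password.encode(), parts[2].encode())
    return hmac.compare_digest(recomputed, stored)


def type4_hash(password: str) -> str:
    """A Type 4 hash: one unsalted SHA-256 of the password, no iteration.

    Assumption: the 32-byte digest is packed as standard base64 without
    padding and then mapped onto the crypt-style alphabet (43 characters).
    """
    digest = hashlib.sha256(password.encode()).digest()
    std = base64.b64encode(digest).decode().rstrip("=")
    table = str.maketrans(
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/", ITOA64)
    return std.translate(table)


if __name__ == "__main__":
    stored = type5_hash("wilma")
    print("Type 5:", stored, type5_verify("wilma", stored), type5_verify("Wilma", stored))
    print("Type 4:", type4_hash("wilma"))
```

Two things worth noticing when you run it: the same password hashed twice as Type 5 gives two different strings because the salt differs, while the Type 4 output for a given password is the same everywhere; and each Type 5 guess costs 1002 MD5 computations against a single SHA-256 for Type 4, which is the whole of the iteration advantage described above.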
In this article we learned that Cisco devices support reversible (Type 7) encryption and one-way (Type 4 or 5) hashing. Where possible, one-way hashes created with the "secret" keyword are the preferred form. In some cases the router itself needs the clear-text string, and there Type 7 encryption must be used.
*I hope I don’t need to tell you never to use passwords this simple
Symmetric encryption may also be referred to as shared key or shared secret encryption. In symmetric encryption, a single key is used both to encrypt and decrypt traffic.