Use Type 6, Type 8 and Type 9 wherever possible.
Type 0, Type 5 and Type 7 should be migrated to other stronger methods.
Type 5
These use a salted MD5 hashing algorithm. These should only be used if Type 6, 8, or 9 is not available on the IOS version you are running. Attempting to use Type 5 in modern IOS XE will throw an error as these will be deprecated soon. In the running config these start with $5$.
Type 9
These use the SCRYPT hashing algorithm defined in the informational RFC 7914. SCRYPT uses 80-bit salt, 16384 iterations. It's very memory expensive to run the algorithm and therefore difficult to crack. Running it once occasionally on a Cisco device is fine, though; this is currently the Best Practice Type password to use. I have not proven it but I believe it is possible that the popular tool HashCat is able to decrypt these.
In the running config standard Type 9 start with $9$.
In the running config convoluted Type 9 start with $14$.
https://community.cisco.com/t5/networking-knowledge-base/understanding-the-differences-between-the-cisco-password-secret/ta-p/3163238
Guys, the question is asking for the strongest password for authentication. What if the hashes from options A and B are actually generated using a weak password, for example P@ssw0rd?
Type 9, SCRYPT, would still be the best option. The encrypted hash should not be reversible and would be considered ever more difficult to decrypt than any type of encryption <9.
The main difference between the "secret 9 password" and "algorithm-type scrypt password" commands is the level of security they provide. The "secret 9 password" command uses a less secure proprietary Cisco algorithm, while the "algorithm-type scrypt password" command uses the more secure scrypt PBKDF.
Also tested type 5; the command is valid:
WS-C3850-12XS-S(config)#username netadmin secret 5 $1$b1Ju$kZbBS1Pyh4QzwXyZ1kSZ2
WARNING: Command has been added to the configuration using a type 5 password. However, type 5 passwords which are considered weak are now deprecated.
WARNING: Auto-converting the entered Type 5 password to Type 9
WS-C3850-12XS-S(config)#do sh run | i netadmin
username netadmin secret 9 $14$b1Ju$BuhIOqQnewWV5E$QuBZz19ZPY.R8lQwGGGrWe2zWRmB/h0GdTnbaVkNi82
Well, I'm not sure which is the best answer, maybe to type it without encryption. 9 is the best algorithm to hash the text, but the command is not valid. Tested on a real device:
WS-C3850-12XS-S(config)#username netadmin secret 9 $9$vFpMf8elb4RVV8$seZ/bDAx1uV
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 9 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.
I agree that secret 9 is stronger but the key inserted is too short for that SCRYPT hashed secret.
Look at a real example:
IOU1(config)#username netadmin secret ?
0 Specifies an UNENCRYPTED secret will follow
5 Specifies a MD5 HASHED secret will follow
8 Specifies a PBKDF2 HASHED secret will follow
9 Specifies a SCRYPT HASHED secret will follow
LINE The UNENCRYPTED (cleartext) user secret
IOU1(config)#username netadmin secret 9 $9$vFpMf8elb4RVV8$seZ/bDAx1uV
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 9 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.
IOU1(config)#username netadmin secret 5 $1$b1Ju$kZbBS1Pyh4QzwXyZ1kSZ2
IOU1(config)#username netadmin secret $1$b1Ju$k406689705QzwXyZ1kSZ2
% Invalid Password length - must contain 1 to 25 characters. Password configuration failed
Instead they should have put something like this:
username netadmin secret 9 $9$nP4LWiOwGSowps$JGbyH6R1Em6K/OBksVrHKaD.RCTYZGXEYIoTO7CQUyk
That would have worked and that would have been the correct answer.
So here the only acceptable solution is A SECRET 5
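Added example, not part of the original discussion: a small Python audit over the `username ... secret` lines quoted in this thread, flagging the types the first comment says to migrate (0, 5, 7) and checking that a Type 9 value has a complete shape. The lengths used (14-character salt, 43-character hash) are an assumption inferred from the values the devices above accepted and from an 80-bit salt and 256-bit digest in a 6-bit alphabet; the function and constant names are hypothetical.

```python
import re

# Character set seen in the hashes on this page (crypt-style base64).
B64 = r"[./0-9A-Za-z]"
# Assumed shapes: $9$<14-char salt>$<43-char hash>, and the auto-converted
# form $14$<md5 salt>$<14-char salt>$<43-char hash> shown in the 3850 output.
TYPE9 = re.compile(rf"^\$9\${B64}{{14}}\${B64}{{43}}$")
TYPE9_CONVERTED = re.compile(rf"^\$14\${B64}+\${B64}{{14}}\${B64}{{43}}$")
LINE = re.compile(r"^username\s+(\S+)\s+(?:secret|password)\s+(\d)\s+(\S+)$")
MIGRATE = {"0", "5", "7"}  # types the thread says to move away from


def audit_line(line):
    """Return (user, type, verdict) for a username line, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    user, typ, value = m.groups()
    if typ in MIGRATE:
        return (user, typ, "migrate")
    if typ == "9":
        ok = TYPE9.match(value) or TYPE9_CONVERTED.match(value)
        return (user, typ, "ok" if ok else "malformed")
    return (user, typ, "unchecked")  # e.g. type 6/8: shape not verified here


def audit(config_text):
    """Audit every username line in a block of configuration text."""
    results = (audit_line(l) for l in config_text.splitlines())
    return [r for r in results if r is not None]


# Lines taken from the command sessions quoted in this thread.
SAMPLE = """\
username netadmin secret 5 $1$b1Ju$kZbBS1Pyh4QzwXyZ1kSZ2
username netadmin secret 9 $9$vFpMf8elb4RVV8$seZ/bDAx1uV
username netadmin secret 9 $9$nP4LWiOwGSowps$JGbyH6R1Em6K/OBksVrHKaD.RCTYZGXEYIoTO7CQUyk
username netadmin secret 9 $14$b1Ju$BuhIOqQnewWV5E$QuBZz19ZPY.R8lQwGGGrWe2zWRmB/h0GdTnbaVkNi82
"""

if __name__ == "__main__":
    for user, typ, verdict in audit(SAMPLE):
        print(f"{user}: type {typ} -> {verdict}")
```

The second sample line is the one both devices rejected: its salt is complete but the hash part is only 11 characters long.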
Answer B
Unfortunately type 9 is not available on all (especially older) Cisco platforms, but the recommendation is to use it when available.
https://community.cisco.com/t5/networking-documents/understanding-the-differences-between-the-cisco-password-secret/ta-p/3163238
Sorry, this is wrong; it depends on the router. I tried on another router and it does exist.
0 Specifies an UNENCRYPTED password will follow
5 Specifies that MD5 encrypted password will follow
8 Specifies that SHA-256 encrypted password will follow
9 Specifies that scrypt encrypted password will follow <--
LINE The UNENCRYPTED (cleartext) user password
Community vote distribution
A (35%)
C (25%)
B (20%)