Pages

Tuesday, 8 May 2012

Configure MD5 encrypted passwords for users on Cisco IOS

Configure MD5 encrypted passwords for users on Cisco IOS




The enhanced password security in Cisco IOS introduced in 12.0(18)S allows an admin to configure MD5 encryption for passwords. Prior to this feature the encryption level on Type 7 passwords used a week encryption and can be cracked easily and the clear text password (type 0) as anyone would know is completely insecure. Anyone who can gain access to the privilege mode can view/decrypt these passwords.

To configure enhanced password security, create a user with MD5 password encryption as follows from the Global configuration mode:

MD5 Encryption on clear text password:
You can enter a clear text password which will be encrypted using MD5 algorithm



ciscorouter(config)# username ciscoadmin secret ciscopass

where ciscoadmin is the user and his clear text password "ciscopass" which will then be converted into a MD5 encrypted text.
This is equivalent to


ciscorouter(config)# username ciscoadmin secret 0 ciscopass

where "0" [default] indicates MD5 encryption on a clear text password.

MD5 encrypted text as password
To enter an MD5 encrypted password instead of a clear text password


ciscorouter(config)# username ciscoadmin secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0
where "5" indicates the entered password is a MD5 encrypted text.

To verify the logins with MD5 encryption,
Clear Text password


ciscorouter# show running-config
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ciscorouter
!
logging rate-limit console 10 except errors
no logging console
enable secret 0 $1$53Ew$Dp8.E4JGpg7rKxQa49BF9/
!
username ciscoadmin secret 5 $1$fBYK$rH5/OChyx/!





MD5 encrypted text entered as password

ciscorouter# show running-config
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ciscorouter
!
logging rate-limit console 10 except errors
no logging console
enable secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0
!
username ciscoadmin secret 5!
ip subnet-zero

Here the MD5 encrypted password entered itself is not displayed against the username.

No comments:

Post a Comment