Downloads |
Table Of Contents
Enhanced Password Security - Phase I
Related Features and Technologies
Supported Standards, MIBs, and RFCs
Configuring Enhanced Security Password
Verifying MD5 Password Encryption
Monitoring and Maintaining Enhanced Password Security
Configuring MD5 Encryption on a Clear Text Password Example
Configuring MD5 Encryption on a MD5 Encrypted Text String Example
Enhanced Password Security - Phase I
Feature History
12.0(18)S
This feature was introduced.
12.1(8a)E
Support for this feature was integrated into Cisco IOS Release 12.1(8a)E.
12.2(14)S
This feature was integrated into Cisco IOS Release 12.2(14)S.
This document describes the Enhanced Password Security feature in Cisco IOS Release 12.1(8a)E. It includes the following sections:
•
Supported Standards, MIBs, and RFCs
•
Feature Overview
Using the Enhanced Password Security feature, you can configure MD5 encryption for username passwords. Before the introduction of this feature there were two types of passwords associated with usernames. Type 0 is a clear text password visible to any user who has access to privileged mode on the router. Type 7 is a password with a weak, exclusive-or type encryption. Type 7 passwords can be retrieved from the encrypted text by using publicly available tools.
MD5 encryption is a one-way hash function that makes reversal of an encrypted password impossible, providing strong encryption protection. Using MD5 encryption, you cannot retrieve clear text passwords. MD5 encrypted passwords cannot be used with protocols that require that the clear text password be retrievable, such as Challenge Handshake Authentication Protocol (CHAP).
Use the username (secret) command to configure a user name and an associated MD5 encrypted secret.
Benefits
Enhanced Password Security provides a strong method of encryption for user passwords.
Restrictions
•
•
Related Features and Technologies
To establish a username-based authentication system, use the username command in global configuration mode. See Passwords and Privileges Commands for more details.
Related Documents
•
•
•
•
Supported Platforms
•
•
•
•
•
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
No new or modified RFCs are supported by this feature.
Configuration Tasks
The following section details the configuration task necessary for the Enhanced Password Security feature.
•
Configuring Enhanced Security Password
Verifying MD5 Password Encryption
Follow the steps below to verify MD5 encryption on a username password:
Step 1
Step 2
Step 3
Monitoring and Maintaining Enhanced Password Security
Use the following command to monitor and maintain Enhanced Password Security.
Configuration Examples
This section provides the following configuration example:
•
Configuring MD5 Encryption on a Clear Text Password Example
The following example configures username "abc" with the MD5 encrypted password "xyz". Output from the show running-config confirms that the MD5 encrypted password has been configured. Note that the password itself is not displayed.
Router# configure terminalRouter(config)# username abc secret 0 xyzRouter(config)# exitRouter# show running-config!version 12.1no service single-slot-reload-enableservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname CE!logging rate-limit console 10 except errorsno logging consoleenable secret 0 $1$53Ew$Dp8.E4JGpg7rKxQa49BF9/!username abc secret 5 $1$fBYK$rH5/OChyx/ !--Note that password `xyz' is not displayed.ip subnet-zero...Configuring MD5 Encryption on a MD5 Encrypted Text String Example
The following example configures username "cde" and enters an MD5 encryption text string as the user password. Output from the show running-config confirms that the MD5 encrypted password has been configured. Note that the password itself is not displayed.
Router# configure terminalRouter(config)# username cde secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0Router(config)# exitRouter# show running-config!version 12.1no service single-slot-reload-enableservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname CE!logging rate-limit console 10 except errorsno logging consoleenable secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0!username cde secret 5!ip subnet-zero...Command Reference
This section documents the modified command that configures the Enhanced Password Security feature. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications.
username (secret)
To encrypt a user password with MD5 encryption, use the username secret command in global configuration mode.
username name secret {0 password | 5 encrypted-secret}
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the username secret command to configure a user name and MD5 encrypted user password.Use the 0 keyword to enable MD5 encryption on a clear text password. Use the 5 keyword to enter an MD5 encryption string and save it as the userMD5 encrypted secret. MD5 encryption is a strong encryption method which is not retrievable. You cannot use MD5 encryption with protocols such as CHAP that require clear-text passwords.
Use the username secret command to provide an additional layer of security over the username password. The username secret command provides better security by encrypting the password using non-reversible MD5 encryption, and storing the encrypted text. The added layer of MD5 encryption is useful in environments where the password crosses the network or is stored on a TFTP server.
Use MD5 as the encryption type if you paste into this command an encrypted password that you copied from a router configuration file.
Caution
If you use the same password for the enable password and username secret commands, you receive an error message warning that this practice is not recommended, but the password will be accepted. By using the same password, however, you undermine the additional security the username secret command provides.
Examples
The following example configures username "abc" and enables MD5 encryption on the clear text password "xyz":
username abc secret 0 xyzThe following example configures username "cde" and enters an MD5 encrypted text string that is stored as the user name password:
username cde secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0Related Commands
Glossary
CHAP—Challenge-Handshake Authentication Protocol
MD5—Message Digest 5. Algorithm used for message authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.
