
NSA Issues Guidance for Selecting Strong Cisco Password Types

Poorly protected passwords in device configuration files present a risk of compromise, agency says.

The US National Security Agency (NSA) has issued fresh guidance for organizations on selecting strong passwords for Cisco devices, citing an increase in the number of compromises involving poorly protected network infrastructure.

The NSA offered no explanation for the timing of its guidance, so it was not immediately clear whether its password recommendations were prompted by heightened concerns in the US over Russian cyberattacks or by more generalized fears of poorly protected Cisco devices on critical federal agency networks and elsewhere.

Just this week, for instance, the US Cybersecurity and Infrastructure Security Agency (CISA) warned about Russia-backed threat actors stealing sensitive data from private organizations and contractors in the US defense industrial base. The CISA warning followed an advisory from the agency a couple of days before, urging US organizations to assume a "shields up" stance in preparation for potential Russian cyberattacks.

"While the timing of the announcement may be tied to an increased threat from Russian-based state or state-sponsored attackers, it’s possible there are other concerns about threat actors leveraging weak passwords on Cisco devices that triggered this notice," says Mike Parkin, engineer at Vulcan Cyber.

The NSA's latest guidance notes the different hashing and encryption algorithms available to administrators for protecting passwords stored within Cisco router configurations. The configuration file contains settings for controlling device behavior and determining how traffic is directed within a network. It also stores authentication information and preshared keys, the NSA said. When organizations use weak passwords and insecure, easily reversible hashes, attackers can — and have been able to — retrieve passwords from device configuration files and use them to compromise the device and entire networks, the agency noted.

The guidance describes the numbering system that Cisco uses to indicate the different algorithm types the vendor makes available for securing passwords in device configuration files. According to the NSA, organizations should not use any type other than Type 8 for securing passwords and Type 6 for protecting VPN keys. The agency described Type 8 passwords as using a specific key derivation function (Password-Based Key Derivation Function version 2, or PBKDF2), SHA-256 hashing, and salting, which make them stronger than the other password types supported on Cisco devices. Type 8 passwords are also less resource-intensive than Type 9 passwords, and there have been no known issues linked to them so far, the NSA said.

The NSA recommends that organizations use Type 6 passwords for protecting VPN keys. "Type 6 is more secure than Type 7 for cases where the device needs the plaintext password, such as for use as virtual private network (VPN) keys," the agency stated. 

Its guidance specifically warns organizations not to use Type 0, Type 4, and Type 7 algorithms, describing them as easy to crack. The two other algorithms — Type 5 and Type 9 — have not been approved for use by the National Institute of Standards and Technology (NIST). NSA's guidance acknowledges that Type 9 passwords, available in Cisco operating systems released after 2013, are designed to be difficult to crack and require attackers to commit significant hardware resources to do so. But because NIST has not evaluated it, the hashing algorithm is not recommended or approved for use on national security systems, the agency said.
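The following script is an added example, not part of the article and not NSA or Cisco code. It turns the type guidance above into an audit: it scans Cisco-style configuration lines, extracts the type digit after `password`, `secret` or `key`, and grades each entry against the article's recommendations (Type 8 for passwords, Type 6 for VPN keys, never Type 0/4/7, Type 5/9 not NIST-approved). It also shows the PBKDF2-HMAC-SHA256-with-salt construction the article attributes to Type 8. The configuration text, the hash placeholders and the hostname are constructed; the 20000 iteration count is an assumption (it is the value commonly reported for Type 8, but the article does not state it), and Cisco's on-device hash string encoding is not reproduced, so the derivation helper illustrates the technique rather than verifying real `$8$` strings.

```python
"""Audit Cisco-style config lines for password/key storage types (added example)."""
import hashlib
import hmac
import os
import re

# Verdict per Cisco type, following the guidance the article summarizes.
TYPE_POLICY = {
    "0": ("reject", "Type 0 stores the value in plaintext; do not use"),
    "4": ("reject", "Type 4 is easy to crack; do not use"),
    "7": ("reject", "Type 7 is easily reversible; do not use"),
    "5": ("warn", "Type 5 is not NIST-approved; migrate to Type 8"),
    "9": ("warn", "Type 9 is not NIST-approved; migrate to Type 8"),
    "8": ("ok", "Type 8 (PBKDF2, SHA-256, salted) is the recommended password type"),
    "6": ("ok", "Type 6 is recommended where plaintext is needed, e.g. VPN keys"),
}

# Heuristic: matches the common 'password|secret|key <type> <value>' forms used by
# 'username', 'enable' and 'crypto isakmp key' lines. A keyword followed by a
# non-digit token is treated as an unmarked Type 0 (plaintext) entry.
CRED_RE = re.compile(r"\b(password|secret|key)\s+(?:(\d)\s+)?(\S+)")

# Constructed sample configuration; hashes are placeholders, not real digests.
SAMPLE_CONFIG = """\
hostname edge-router
enable password 0 NotASecret123
username admin privilege 15 password 7 PLACEHOLDER_TYPE7_BLOB
username ops secret 5 $1$PLACEHOLDERSALT$PLACEHOLDERHASH
username sec secret 8 $8$PLACEHOLDERSALT$PLACEHOLDERHASH
username sec2 secret 9 $9$PLACEHOLDERSALT$PLACEHOLDERHASH
crypto isakmp key 6 PLACEHOLDER_TYPE6_BLOB address 203.0.113.10
crypto isakmp key ClearTextPsk address 203.0.113.20
"""


def audit_config(config_text):
    """Return one finding per credential line: (line_no, type, verdict, note)."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = CRED_RE.search(line)
        if not m:
            continue
        ptype = m.group(2) or "0"  # no type digit present -> plaintext Type 0
        verdict, note = TYPE_POLICY.get(ptype, ("warn", f"unknown type {ptype}"))
        findings.append((line_no, ptype, verdict, note))
    return findings


def type8_style_digest(password, salt, iterations=20000):
    """PBKDF2-HMAC-SHA256 over a salt, the construction the article ascribes to
    Type 8. Iteration count is an assumption (see lead-in); output is raw bytes,
    not Cisco's $8$ string encoding."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_type8_style(password, salt, expected, iterations=20000):
    """Constant-time comparison of a candidate password against a stored digest."""
    return hmac.compare_digest(type8_style_digest(password, salt, iterations), expected)


def new_salt(length=14):
    """Fresh random salt so identical passwords never share a digest."""
    return os.urandom(length)


if __name__ == "__main__":
    for line_no, ptype, verdict, note in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: type {ptype} -> {verdict.upper()}: {note}")
    salt = new_salt()
    digest = type8_style_digest("example-password", salt)
    print("salted PBKDF2 digest verifies:", verify_type8_style("example-password", salt, digest))
```

Run against a saved `show running-config`, the `reject` findings are the entries the guidance says to replace first, and the `warn` findings are the Type 5/9 entries to migrate to Type 8. The slow, salted derivation is the point of Type 8: an attacker who obtains the config file must pay 20000 HMAC computations per guess per account, and the per-entry salt prevents one precomputed table from serving every device.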

"For enterprises utilizing Cisco devices, NSA highly recommends using strong, approved cryptographic algorithms that will protect the password within the configuration file," NSA said. "Password exposure due to a weak algorithm may allow for elevated privileges, which, in turn, can lead to a compromised network."

Parkin from Vulcan Cyber says there's really no excuse for organizations to allow weak passwords anywhere in the environment. "As the cost of compute and memory has come down, the effort needed to brute-force passwords has come down with it, meaning attackers can easily exploit them," he says.
