report, the NSA received a ‘Very Good’ rating for its clear guidance on strong password practices and its explicit support for password manager use, which is a critical tool for both public and private sector security.
, offering specific recommendations for securing Cisco device credentials. The guidance outlines different Cisco password storage schemes and provides actionable recommendations for organizations looking to harden network infrastructure against credential compromise. These insights are especially timely given recent threats such as Volt Typhoon and ongoing reports of state-sponsored groups targeting router and switch misconfigurations to gain persistent access to enterprise and critical infrastructure networks.
Cisco offers a broad range of security tools designed to help organizations defend against evolving cyber threats while simplifying infrastructure protection. Its portfolio includes firewalls, intrusion prevention systems, advanced threat protection, and unified security operations aimed at safeguarding sensitive information and systems.
accompanying its Cisco Password Types: Best Practices information sheet, the NSA emphasized the stakes:
“Cisco devices are used globally to secure network infrastructure devices… across the Department of Defense, National Security Systems, and the Defense Industrial Base… any credentials within Cisco configuration files could be at risk of compromise if strong password types are not used.”
to a rise in network infrastructure compromises, in which adversaries obtained hashed passwords and other sensitive data from misconfigured or insufficiently protected Cisco devices. To address these risks, the NSA evaluated Cisco’s available password hashing and encryption schemes, assessing each one for “difficulty to crack and recover the plaintext password, their vulnerability severity, and the agency’s recommendations for use.”
The high-level table in the document summarizes these password types alongside impact levels and recommended usage, giving system administrators clear, actionable direction.
In its analysis, the NSA highlights just one Cisco password type as recommended for secure use: Type 8. Before diving into the technical details, the agency underscores the importance of
guidance. As a key authority on federal cybersecurity standards, NIST has published risk management frameworks, identity authentication guidelines, and password security best practices. The agency received a ‘Very Good’ rating in the Bitwarden
Returning to the NSA’s evaluation of Cisco password types, here is the agency’s assessment of Type 8, quoted directly from the information sheet:
Type 8 passwords are hashed with the Password-Based Key Derivation Function version 2 (PBKDF2), SHA-256, an 80-bit salt, and 20,000 iterations, which makes it more secure in comparison to the previous password types. The passwords are stored as hashes within the configuration file. Type 8 is less resource intensive than Type 9 passwords. No known issues have been found regarding Type 8 passwords. NSA recommends using Type 8.
In simpler terms, Type 8 stands out because it relies on advanced hashing techniques that convert plaintext passwords into a string of “
The NSA also reminds administrators that strong password creation is essential regardless of the encryption method. Recommendations include using at least 15 characters, combining numbers, letters, and symbols, avoiding predictable patterns, and assigning privileges based on user roles.
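One way to act on the Type 8 recommendation is to audit exported device configurations for credential lines stored under any other type. The Python sketch below is an added example, not code from the NSA sheet or from Cisco; the sample configuration is constructed, the function and variable names are hypothetical, and it assumes the common IOS line form of a `password` or `secret` keyword followed by an optional one-digit type and the stored value.

```python
import re

# Constructed sample of IOS-style configuration lines (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
service password-encryption
enable secret 5 $1$CONSTRUCTED$0000000000000000000000
username netops privilege 15 secret 8 $8$CONSTRUCTEDSALT$CONSTRUCTEDHASH
username backup secret 9 $9$CONSTRUCTEDSALT$CONSTRUCTEDHASH
username legacy password 7 0000000000
line vty 0 4
 password ExamplePlaintext1
snmp-server community CONSTRUCTED ro
"""

RECOMMENDED_TYPE = 8  # the only type the NSA sheet recommends, per the article

# Keyword, optional single-digit type, then the stored value.
# "service password-encryption" does not match: no whitespace after the keyword.
CRED_RE = re.compile(r"\b(password|secret)\s+(?:(\d)\s+)?(\S+)")


def audit_config(text):
    """Return one finding per credential line that is not stored as Type 8."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CRED_RE.search(line)
        if not m:
            continue
        type_digit = m.group(2)
        # Assumption: a credential with no type digit is stored as entered,
        # which is treated here as Type 0 (plaintext).
        ptype = int(type_digit) if type_digit else 0
        if ptype != RECOMMENDED_TYPE:
            # Report location and type only; never echo the stored secret.
            redacted = line[: m.start(3)].strip() + " <redacted>"
            findings.append({"line": lineno, "type": ptype, "text": redacted})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: Type {f['type']} credential, "
              f"migrate to Type {RECOMMENDED_TYPE}: {f['text']}")
```

The report redacts the stored value so that audit output can be shared or ticketed without copying hashes or plaintext out of the configuration file.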
For a deeper dive into federal password guidance, visit the