Understanding a Federal Agency's Recommendations for Cisco Password Types
As one of the federal government’s foremost experts in cybersecurity and signals intelligence, the National Security Agency (NSA) stays at the forefront of IT security best practices. While it would be ideal for the NSA to call out and emphasize the importance of password managers, the agency still receives a ‘Good’ rating in the Bitwarden publication State of Password Security: a report and assessment of security advice from U.S. federal agencies for their proactive approach to security education.
On February 17, the NSA took another step in the right direction with the release of its Cisco Password Types: Best Practices information sheet. In a nutshell, the information sheet walks through the primary Cisco password security schemes and provides recommendations for securing sensitive credentials.
According to the NSA press release about the information sheet:
“Cisco devices are used globally to secure network infrastructure devices, including across the Department of Defense, National Security Systems, and the Defense Industrial Base…any credentials within Cisco configuration files could be at risk of compromise if strong password types are not used.”
The information sheet was precipitated by what the NSA calls a “rise in the number of compromises of network infrastructures in recent years” due to cyber adversaries obtaining “hashed password values and other sensitive information from network infrastructure configuration files.”
The information sheet notes that Cisco offers a variety of password hashing and encryption schemes - and sets out to evaluate each of them by reviewing their “difficulty to crack and recover the plaintext password, their vulnerability severity, and the agency’s recommendations for use.”
The high-level takeaway table shows types, impact, and recommendations.
Image credit: NSA
As you can see, only one - Cisco password type 8 - is recommended for use by the NSA. Before going into further detail about that, a quick segue: the NSA makes a point of highlighting NIST (National Institute of Standards and Technology) approval because NIST is the standard-bearer for federal government security advice. Over the years, it has developed risk management frameworks, identity guidelines, and is thoroughly up-to-speed on password security. You can find out more about NIST and it's ‘Very Good’ rating in the Bitwarden State of Password Security report.
Back to Cisco password type 8 and why it comes out on top - verbatim language from the information sheet:
Type 8 passwords are hashed with the PasswordBased Key Derivation Function version 2 (PBKDF2), SHA-256, an 80-bit salt, and 20,000 iterations, which makes it more secure in comparison to the previous password types. The passwords are stored as hashes within the configuration file. Type 8 is less resource intensive than Type 9 passwords. No known issues have been found regarding Type 8 passwords. NSA recommends using Type 8.
In layman’s terms, the NSA is recommending type 8 passwords because they are hashed (the act of turning plaintext passwords into an ‘unintelligible series of numbers and letters’; see image from Okta below) with the most secure encryption algorithms available.
Image credit: Okta
Besides recommending type 8, the information sheet also emphasizes using strong passwords from the get-go. This includes a combination of numbers, letters, and symbols; at least 15 characters; and avoiding certain patterns, such as keyboard walks, those related to the organization, or those that are easy to guess. Additionally, it cites the importance of applying privileged levels to user accounts based on user roles.
For more on NSA security advisories and guidance, visit the NSA library. If you’re interested in staying on top of federal government password security advice, you can also check out the Bitwarden State of Password Security report.
If you’d like to get started securing your passwords today, sign up for a Bitwarden Basic Free Account or a free 7-day trial of our business plans to empower your company with secure password management.