Page 32  Friday, February 15, 2002  2:53 PM

CHAPTER 4
Passwords and Privilege Levels

Passwords are the core of Cisco routers' access control methods. Chapter 3 addressed basic access control and using passwords locally and from access control servers. This chapter talks about how Cisco routers store passwords, how important it is that the passwords chosen are strong passwords, and how to make sure that your routers use the most secure methods for storing and handling passwords. It then discusses privilege levels and how to implement them.

Password Encryption

Cisco routers have three methods of representing passwords in the configuration file. From weakest to strongest, they are clear text, Vigenere encryption, and the MD5 hash algorithm. Clear-text passwords are stored in human-readable form. Both the Vigenere and MD5 methods obscure the password, but each has its own strengths and weaknesses.

Vigenere Versus MD5

The main difference between Vigenere and MD5 is that Vigenere is reversible, while MD5 is not. Vigenere (shown as type 7 in the configuration) is a substitution cipher with a fixed key that has long been public, so anyone who can read the configuration can recover the original password immediately; it protects only against casual viewing of the configuration. Because an MD5 hash cannot be reversed, an attacker who obtains it must fall back on much slower brute-force guessing (hashing candidate passwords and comparing the results), which is why the strength of the chosen password matters so much for MD5-protected secrets. Ideally, all router passwords would be stored as MD5 hashes, but because of the way certain protocols such as CHAP and PAP work, the router must be able to recover the original password to perform authentication.
This need to decode specific passwords means that Cisco routers will continue to use reversible encryption for some passwords, at least until such authentication protocols are rewritten or replaced.

Clear-Text Passwords

Chapter 3 set passwords using line passwords, local username passwords, and the enable secret command. A show run displays the following:

    enable secret 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1
    enable password enable-password
    username jdoe password 0 jdoe-password
    username
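The three storage types discussed in the two sections above, worked through in Python. This is an added example, not code from the book or from Cisco: it implements the type 7 transform (so the reversibility is visible in a few lines), MD5-crypt as used by enable secret 5 (so checking a type 5 hash is shown to require recomputing it, guess by guess), and a small audit that classifies the credential lines a show run prints. The sample configuration, the secret S3cur3-en4ble, the salt h3Lj, the user ops and the wordlist are all constructed for the example; the type 7 value 0822455D0A16 is the familiar encoding of the word cisco.

```python
"""Cisco IOS password storage: type 0 (clear), type 7 (reversible Vigenere-style
XOR from 'service password-encryption') and type 5 (salted MD5-crypt from
'enable secret').  Added example using only the standard library."""
import hashlib
import hmac
import re
from typing import Optional

# Fixed key IOS XORs against for type 7; the two leading digits of a type 7
# string are the starting offset into it.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _type7_xor(seed: int, data: bytes) -> bytes:
    return bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))

def type7_decrypt(encoded: str) -> str:
    """Recover the clear text from 'password 7 ...' in one pass: no guessing."""
    return _type7_xor(int(encoded[:2]), bytes.fromhex(encoded[2:])).decode("ascii")

def type7_encrypt(clear: str, seed: int = 8) -> str:
    """Produce the representation IOS writes after 'service password-encryption'."""
    return f"{seed:02d}{_type7_xor(seed, clear.encode('ascii')).hex().upper()}"

def _to64(value: int, count: int) -> bytes:
    out = bytearray()  # crypt(3) base64: 6 bits at a time, least significant first
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)

def type5_hash(clear: str, salt: str) -> str:
    """MD5-crypt ($1$salt$hash), the scheme behind 'enable secret 5'."""
    pw, sl = clear.encode("ascii"), salt.encode("ascii")[:8]
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    for n in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, n)])
    n = len(pw)
    while n:  # one byte per bit of len(pw): NUL for a 1 bit, first char for a 0 bit
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 rounds of stretching: this is what slows guessing
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = b"".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups)
    return "$1$" + sl.decode("ascii") + "$" + (encoded + _to64(final[11], 2)).decode("ascii")

def type5_verify(clear: str, stored: str) -> bool:
    """Recompute with the stored salt and compare; the hash itself cannot be reversed."""
    salt = stored.split("$")[2]  # '$1$salt$hash' -> ['', '1', salt, hash]
    return hmac.compare_digest(type5_hash(clear, salt), stored)

def guess_type5(stored: str, wordlist) -> Optional[str]:
    """The only route against type 5: try candidates one at a time."""
    return next((w for w in wordlist if type5_verify(w, stored)), None)

# Credential lines as 'show run' prints them; group 1 is the type digit (absent
# means clear text), group 2 the stored value.
_CRED_RE = re.compile(
    r"^(?:enable|username \S+(?: privilege \d+)?) (?:secret|password)\s+(?:(\d)\s+)?(\S+)"
)

def audit_config(config: str) -> list:
    """Return (line, storage type, what someone reading the config learns)."""
    findings = []
    for raw in config.splitlines():
        m = _CRED_RE.match(raw.strip())
        if not m:
            continue
        ptype, value = m.group(1) or "0", m.group(2)
        if ptype == "0":
            findings.append((raw.strip(), "0", "clear text: " + value))
        elif ptype == "7":
            findings.append((raw.strip(), "7", "reversible, decodes to: " + type7_decrypt(value)))
        else:
            findings.append((raw.strip(), ptype, "hashed: must be guessed offline"))
    return findings

# Constructed 'show run' excerpt (not a real device).  The type 7 value is the
# well-known encoding of "cisco"; the type 5 hash is generated from a made-up secret.
SAMPLE_SECRET = type5_hash("S3cur3-en4ble", "h3Lj")
SAMPLE_CONFIG = f"""enable secret 5 {SAMPLE_SECRET}
enable password enable-password
username jdoe password 0 jdoe-password
username ops privilege 15 password 7 0822455D0A16
"""
```

Calling audit_config(SAMPLE_CONFIG) reports the enable secret as hashed and the other three lines as readable, with the type 7 line decoded to cisco on the spot. Note how little the type 5 protection relies on the algorithm and how much on the password: each guess costs the attacker one run of type5_hash (1000 MD5 operations), which modern hardware performs very quickly, so a type 5 hash of a dictionary word falls to guess_type5 almost as fast as a type 7 string falls to type7_decrypt.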