As I have been working with IOS and IOS-XE devices over the years, new methods have regularly been added for putting a username and secret into the running configuration. The most recent secret type to prove insecure was the Cisco type 4 secret. It took around 1 year to prove that this type of hash could be cracked.

These days one should use at least SHA256 hashes, or even better SHA512. Bruce Schneier suggests using Twofish.

On the IOS CLI I have discovered a new way to generate SHA256 or SCRYPT hashes. I would not suggest using SCRYPT, but it is surely better than a TYPE7 encrypted password. So everyone should choose their poison.

Here is an example of how to generate a decent encrypted password hash:

R1(config)#username test algorithm-type ?
  md5     Encode the password using the MD5 algorithm
  scrypt  Encode the password using the SCRYPT hashing algorithm
  sha256  Encode the password using the PBKDF2 hashing algorithm

R1(config)#username test algorithm-type sha256 ? 
  secret  Specify the secret for the user

R1(config)#username test algorithm-type sha256 secret ?
  LINE  The UNENCRYPTED (cleartext) secret for the user

R1(config)#username test algorithm-type sha256 secret test ?
LINE    <cr>

R1(config)#username test algorithm-type sha256 secret test 
R1(config)#do sh run | i username
username test secret 8 $8$TE8n7dWN/KlQyE$eceJA2BUi4U/PuqdKzZkA34XfIwNPQzsIll5LoDS0pw

And a scrypt password hash looks like this:

R1(config)#username test algorithm-type scrypt secret test 
R1(config)#do sh run | i username                          
username test secret 9 $9$BcqD2r2quPOAZk$9ou68K/72Z3dHeaolP.YNyvn4b5jOJWsczV9dw6ZzmU

So in IOS/IOS-XE a SHA256 password hash has a $8$ prefix and a SCRYPT hash has a $9$ prefix.
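The prefixes above make it easy to audit a saved running configuration for accounts that still use an older secret type. The following is an added example, not part of the original post and not Cisco code: it assumes a policy where only types 8 and 9 pass, takes the 14-character salt and 43-character hash lengths from the two sample hashes shown here, and uses two constructed config lines alongside the two from this page.

```python
import re

# Type number -> (algorithm, meets the "at least SHA256" bar from this post?)
# The pass/fail column is an assumed policy for this example.
SECRET_TYPES = {
    "0": ("cleartext", False),
    "4": ("type 4 SHA-256", False),
    "5": ("MD5", False),
    "7": ("type 7", False),
    "8": ("PBKDF2-SHA256", True),
    "9": ("scrypt", True),
}

LINE = re.compile(r"^(?:username (?P<user>\S+)|enable)\b.*? (?P<kw>secret|password) "
                  r"(?P<type>\d) (?P<value>\S+)\s*$")
# Field lengths are taken from the two sample hashes on this page (assumption).
SHAPE = re.compile(r"^\$(?P<prefix>[89])\$[./0-9A-Za-z]{14}\$[./0-9A-Za-z]{43}$")

def audit(config):
    """Return (account, type, algorithm, verdict) for each credential line."""
    findings = []
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        algo, ok = SECRET_TYPES.get(m["type"], ("unknown", False))
        verdict = "ok" if ok else "weak"
        if ok:
            # The declared type must agree with the $8$/$9$ prefix and field shape.
            shape = SHAPE.match(m["value"])
            if not shape or shape["prefix"] != m["type"]:
                verdict = "malformed"
        findings.append((m["user"] or "enable", m["type"], algo, verdict))
    return findings

# Lines 1-2 are the hashes from this page; lines 3-4 are constructed for the example.
SAMPLE = """\
username test secret 8 $8$TE8n7dWN/KlQyE$eceJA2BUi4U/PuqdKzZkA34XfIwNPQzsIll5LoDS0pw
username test secret 9 $9$BcqD2r2quPOAZk$9ou68K/72Z3dHeaolP.YNyvn4b5jOJWsczV9dw6ZzmU
username ops privilege 15 password 7 CONSTRUCTED-TYPE7-VALUE
username old secret 9 $8$TE8n7dWN/KlQyE$eceJA2BUi4U/PuqdKzZkA34XfIwNPQzsIll5LoDS0pw
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```
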

Let's wait until the double-digit prefix $10$ appears, identifying a Twofish encrypted password. Or at least Blowfish should be implemented. I would wish that