Securing Passwords
Last updated
Configure password encryption on the switch using the global configuration command.
Do a show run to validate your work. What do you notice about the passwords you have typed in, what has changed? Are they more secure? How secure? Is this adequate?
Next, configure the password for privileged mode access as "MyPassword". The password must be stored as an MD5 hash.
Do a show run to validate your work. What do you notice about the enable password? Is this more secure? How secure? Is this adequate?
The command service password-encryption uses weak cryptography (a Vigenère cipher) and is trivial to crack: any type 7 password can be recovered in seconds.
Type enable secret ? and review the output.
Everyone in the class has used the same password. Compare your MD5-hashed password with your neighbour's. Although the plaintext is the same, the hashed values differ.
Spend a few minutes on an Internet search and try to figure out why (hint: look at the $ symbols in the encrypted password and look up the term salt).
MD5 is deprecated, so this is also crackable!
In a modern system you need a stronger algorithm. Type 8 (PBKDF2) looks good to me; do some background reading on key derivation functions.
If I do a show run, I can verify the new hashed password.
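The salt question above and the move from MD5 to PBKDF2 are easier to see in code. The following is an added example written for this page, not Cisco code: it uses Python's standard PBKDF2-HMAC-SHA256 to hash "MyPassword" twice with fresh random salts, shows that the two stored strings differ yet both verify, and contrasts that with an unsalted MD5 digest, which is identical for everyone who chose the same password. The "$8$salt$hash" layout mirrors the $-delimited idea you were asked to look up but is an assumption of this example and is not byte-compatible with what IOS writes into the running config.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Cisco type 8 uses PBKDF2-HMAC-SHA256 with 20,000 iterations; the same
# iteration count is used here so the cost is realistic. The string layout
# below is this example's own, not the IOS encoding.
ITERATIONS = 20000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing "$8$<salt>$<hash>" string (example format)."""
    if salt is None:
        salt = os.urandom(12)  # a fresh random salt for every stored hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$8$%s$%s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash using the salt embedded in the stored string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "8":
        return False  # not one of our "$8$" strings
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # constant-time compare so a verifier leaks nothing via timing
    return hmac.compare_digest(actual, expected)


def same_password_different_hashes(password: str) -> bool:
    """The classroom observation: same plaintext, two different stored values,
    and both still verify because each carries its own salt."""
    first = hash_password(password)
    second = hash_password(password)
    return (
        first != second
        and verify_password(password, first)
        and verify_password(password, second)
    )


def unsalted_md5(password: str) -> str:
    """What a salt-free MD5 looks like: identical for every user who picked
    the same password, and cheap enough to brute-force at scale."""
    return hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    print("salted:  ", hash_password("MyPassword"))
    print("salted:  ", hash_password("MyPassword"))
    print("unsalted:", unsalted_md5("MyPassword"))
    print("unsalted:", unsalted_md5("MyPassword"))
```

Run it and the two salted lines differ while the two unsalted lines are identical; that is exactly what the $-delimited salt in the enable secret achieves, and PBKDF2's iteration count is what makes each guess expensive compared with a single MD5.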
Any device that can be managed from the network can be attacked from the network. To protect a device from brute-force attacks, we restrict failed login attempts and log them.
Use the command login block-for 60 attempts 3 within 30 to prevent brute-force attacks. This feature only exists on certain switches and routers with certain code loads and may not work in Packet Tracer.
It seems to work on IOSvL2.
You can also restrict logins via access lists; check the command login quiet-mode.
You can log both successful and unsuccessful logins using login on-success and login on-failure.
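To show what the logging and lockout commands above give a defender, here is an added example (not from the original lab) that replays a handful of constructed syslog lines, modelled on the %SEC_LOGIN messages that login on-failure log and login on-success log emit, against the lab's own parameters: block-for 60, attempts 3, within 30. Hostnames, users and addresses in the sample are made up. The replay applies the threshold to the device as a whole, which is how the IOS counter is assumed to behave here, so it also reports the per-source failure counts so you can see that no single address had to reach three failures on its own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (not real device output), shaped like the
# %SEC_LOGIN-4-LOGIN_FAILED / %SEC_LOGIN-5-LOGIN_SUCCESS messages.
SAMPLE_LOG = """\
Jan 10 10:00:01 sw1 12: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 22] [Reason: Login Authentication Failed] at 10:00:01 UTC Wed Jan 10 2024
Jan 10 10:00:05 sw1 13: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 22] [Reason: Login Authentication Failed] at 10:00:05 UTC Wed Jan 10 2024
Jan 10 10:00:40 sw1 14: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.1.1.7] [localport: 22] at 10:00:40 UTC Wed Jan 10 2024
Jan 10 10:00:50 sw1 15: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 22] [Reason: Login Authentication Failed] at 10:00:50 UTC Wed Jan 10 2024
Jan 10 10:01:00 sw1 16: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.1.1.9] [localport: 22] [Reason: Login Authentication Failed] at 10:01:00 UTC Wed Jan 10 2024
Jan 10 10:01:10 sw1 17: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.1.1.9] [localport: 22] [Reason: Login Authentication Failed] at 10:01:10 UTC Wed Jan 10 2024
"""

LINE_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<kind>LOGIN_FAILED|LOGIN_SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\].* at "
    r"(?P<ts>\d\d:\d\d:\d\d UTC \w{3} \w{3} \d{1,2} \d{4})"
)

Event = Tuple[datetime, str, str, str]  # (time, kind, user, source)


def parse_events(log_text: str) -> List[Event]:
    """Pull the login events out of a syslog stream; other lines are skipped."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S UTC %a %b %d %Y")
        events.append((ts, m.group("kind"), m.group("user"), m.group("src")))
    return events


def quiet_mode_trigger(
    events: List[Event], attempts: int = 3, within: int = 30, block_for: int = 60
) -> Optional[Tuple[datetime, datetime, List[str]]]:
    """Replay failures with the lab's block-for/attempts/within semantics.

    Returns (quiet-mode start, quiet-mode end, sources in the window) for the
    first time the threshold is reached, or None if it never is.
    """
    window: List[Tuple[datetime, str]] = []
    for ts, kind, _user, src in events:
        if kind != "LOGIN_FAILED":
            continue
        window.append((ts, src))
        # keep only failures that fall inside the sliding "within" window
        window = [(t, s) for t, s in window if (ts - t).total_seconds() <= within]
        if len(window) >= attempts:
            return ts, ts + timedelta(seconds=block_for), sorted({s for _, s in window})
    return None


def failures_per_source(events: List[Event]) -> Dict[str, int]:
    """Per-address failure totals, the view an analyst wants alongside the lockout."""
    counts: Dict[str, int] = defaultdict(int)
    for _ts, kind, _user, src in events:
        if kind == "LOGIN_FAILED":
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("failures per source:", failures_per_source(evs))
    print("quiet mode:", quiet_mode_trigger(evs))
```

On the sample, quiet mode would start at 10:01:10 and last until 10:02:10, and the window that tripped it mixes two source addresses: one that had three failures over several minutes and one that had only two. That is the practical reason to pair login block-for with login quiet-mode and an access list, so your own management hosts can still reach the device while the quiet period is in force.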
Save your work and exit; you can then shut down GNS3.