Thursday, March 21, 2013
Cisco warns of weakly hashed passwords on its IOS devices
Cisco has warned that one password type (Type 4) on certain Cisco IOS and Cisco IOS XE devices is hashed incorrectly and does not meet the standard described in the product documentation. As a result, the developers say, these passwords are vulnerable to a number of common attacks.
According to Cisco's description, the Type 4 implementation was meant to use the Password-Based Key Derivation Function 2 (PBKDF2): the user's password is hashed with SHA-256, an 80-bit salt, and 1,000 iterations of the hash algorithm. The actual implementation, however, applies a single iteration of SHA-256 with no salt at all.
Cisco's experts said that such passwords are highly vulnerable even to simple attacks such as brute force.
The developers also noted that only devices on which Type 4 passwords have been enabled, through the «enable secret» and «username secret» commands, are affected.
To improve security, Cisco recommends that customers replace the vulnerable passwords with Type 5 passwords. The company also said that the ability to generate Type 4 passwords will be disabled in future versions of IOS and IOS XE.
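The following is an added worked example, not code from Cisco or from the original post. It models the two hashing schemes the post contrasts (PBKDF2 with SHA-256, an 80-bit salt and 1,000 iterations versus a single unsalted SHA-256) to show why the missing salt and iterations matter, and it flags the «enable secret» and «username secret» lines that select Type 4 in a running configuration so an operator knows which credentials to re-set as Type 5. The per-device salts and the sample configuration are constructed placeholders, and the text encoding Cisco uses to store the digest on the device is not modelled.

```python
import hashlib
import re

# Parameters the post says Type 4 was documented to use: PBKDF2 with
# SHA-256, an 80-bit salt and 1,000 iterations.
INTENDED_ITERATIONS = 1000
INTENDED_SALT_BYTES = 10  # 80 bits

# Constructed per-device salts for the demonstration (not real values).
SALT_DEVICE_A = bytes.fromhex("00112233445566778899")
SALT_DEVICE_B = bytes.fromhex("ffeeddccbbaa99887766")


def hash_as_intended(password: str, salt: bytes,
                     iterations: int = INTENDED_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password with a salt and an iteration
    count, i.e. the scheme the product description promised."""
    if len(salt) != INTENDED_SALT_BYTES:
        raise ValueError("Type 4 was documented with an 80-bit salt")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations)


def hash_as_shipped(password: str) -> bytes:
    """A single unsalted SHA-256, the behaviour the post says actually
    shipped.  The on-device text encoding of the digest is not modelled."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def salt_defeats_reuse(password: str) -> dict:
    """Why the missing salt matters: with the shipped scheme the same
    password yields the same digest on every device, so one precomputed
    table covers all of them; with the intended scheme two devices with
    different salts store different values for the same password."""
    return {
        "shipped_same_on_both_devices":
            hash_as_shipped(password) == hash_as_shipped(password),
        "intended_same_on_both_devices":
            hash_as_intended(password, SALT_DEVICE_A)
            == hash_as_intended(password, SALT_DEVICE_B),
    }


# Config lines that select Type 4 through the two commands the post names.
# The stored hash is matched as an opaque token.
TYPE4_LINE = re.compile(
    r"^\s*(?:enable\s+secret|username\s+\S+\s+secret)\s+4\s+\S+", re.M)


def find_type4_lines(config_text: str) -> list:
    """Return every 'enable secret 4' / 'username ... secret 4' line so an
    operator can see which credentials to re-set as Type 5."""
    return [m.group(0).strip() for m in TYPE4_LINE.finditer(config_text)]


# Constructed sample running-config with placeholder hash strings.
SAMPLE_CONFIG = """!
hostname lab-router
enable secret 4 PLACEHOLDER_TYPE4_HASH
username admin secret 4 PLACEHOLDER_TYPE4_HASH
username ops secret 5 $1$PLACEHOLDER_MD5CRYPT
!
"""

if __name__ == "__main__":
    print(salt_defeats_reuse("example-password"))
    for line in find_type4_lines(SAMPLE_CONFIG):
        print("Type 4 in use, re-set as Type 5:", line)
```

Running the script prints that the shipped scheme gives the same digest on both constructed devices while the intended scheme does not, and lists the two Type 4 lines in the sample configuration; the Type 5 line is left alone because it already uses the format Cisco recommends migrating to.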