Monday, January 7, 2013

Cisco type 5 encryption (MD5) is not strong enough to secure passwords on the configuration file

The salt is put on top of the password string. That means it's quite easy to make a rainbow table for it or simply try every possibilities. You see the importance in storing the configuration file in a secure manner (with an access control and an encryption) when the configuration file is stored out of the box. Remember, there is no mechanism protecting passwords from a massive amount of attempt.

References:
Decrypting Cisco type 5 password hashes
http://retrorabble.wordpress.com/2011/02/09/decrypting-cisco-type-5-password-hashes/

Interesting reading:
25-GPU cluster cracks every standard Windows password in <6 hours
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/