Cisco inadvertently weakens password encryption in its IOS operating system

[InfoSec News <alerts () infosecnews org>]

https://www.computerworld.com/s/article/9237752/Cisco_inadvertently_weakens_password_encryption_in_its_IOS_operating_system

By Lucian Constantin
IDG News Service
March 20, 2013

The password encryption algorithm used in some recent versions of the Cisco IOS 
operating system is weaker than the algorithm it was designed to replace, Cisco 
revealed earlier this week.

The new encryption algorithm is called Type 4 and was supposed to increase the 
resiliency of encrypted passwords against brute-force attacks. "The Type 4 
algorithm was designed to be a stronger alternative to the existing Type 5 and 
Type 7 algorithms," Cisco said Monday in a security response document published 
on its website.

However, due to an implementation error, the new algorithm generates password 
hashes -- cryptographic representations of passwords -- that are weaker than 
those generated by the Type 5 algorithm for equally complex passwords.

The issue was discovered by researchers Philipp Schmidt and Jens Steube of the 
Hashcat Project. Hashcat is a password recovery application.

[...]


______________________________________________
Attend #HITB2013AMS April 8th - 11th in Amsterdam.
Featuring over 42 international speakers and keynotes
by Bob Lord and Edward Schwartz http://conference.hitb.org