Exam 200-301 topic 1 question 990 discussion

A. CAT9200(config)#username engineer2 privilege 1 password 7 test2021 Invalid encrypted password: test2021 B. CAT9200(config)#username engineer2 secret 4 $1$b1Ju$kZbBS1Pyh4QzwXyZ ERROR: Type 4 passwords have been deprecated. Migrate to a supported password type C. CAT9200(config)#username engineer2 algorithm-type scrypt secret test2021 CAT9200(config)#do show run | inc engineer2 username engineer2 secret 9 $9$2FTH4wYx6hzf1X$1WVSI21bbXZ7JlP5v42YDvImoHd6DTHW5pcm4J0Iy8A CAT9200(config)# D. CAT9200(config)#username engineer2 secret 5 password $1$b1Ju$kZbBS1Pyh4QzwXyZ % Ambiguous command: "username engineer2 secret 5 password $1$b1Ju$kZbBS1Pyh4QzwXyZ" CAT9200(config)# The only opcion that run is opcion C. I configured the user and pass, and when I did "show run", the passsword was encrypt.

The correct answer is **C. R1(config)# username engineer2 algorithm-type scrypt secret test2021**. ### Explanation: - The **`username`** command is used to configure a local user account on the router. - The **`secret`** keyword indicates that the password will be hashed and stored securely. - The **`algorithm-type scrypt`** specifies the use of the Scrypt algorithm, which is the strongest password hashing algorithm available for local user accounts on Cisco devices. Option C is the correct choice because it uses the `algorithm-type scrypt` parameter, ensuring the password is configured with the most secure hashing algorithm. The password `test2021` is used, and the `secret` keyword ensures it is hashed securely.

C is correct

scrypt is stronger than the PBK... algorithm on B

A -> ERROR: Can not have both a user password and a user secret. Please choose one or the other. B -> works C -> username engineer2 algorithm-type scrypt secret test2021 ^ % Invalid input detected at '^' marker. D -> username engineer2 secret 5 password $1$b1Ju$kZbBS1Pyh4QzwXyZ ^ % Invalid input detected at '^' marker. (in D, 'password' would be the password, and the following is just jibberish)

They probably want C. On Cisco routers you can enter the pre-encrypted secret by specifying the encryption type manually, i.e. "secret <level> <encrypted-secret>". If you don't specify the level, it will encrypt the plaintext password supplied using the specified algorithm type. "If you specify an encryption type, you must provide an encrypted password—an encrypted password that you copy from another switch configuration. Secret encryption type 9 is more secure, so we recommend that you select type 9 to avoid any issues while upgrading or downgrading. You can also configure type 9 encryption for the secret password manually by using the algorithm-type scrypt command in global configuration mode. For example: Device(config)# username user1 algorithm-type scrypt secret cisco" https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/17-9/configuration_guide/sec/b_179_sec_9500_cg/controlling_switch_access_with_passwords_and_privilege_levels.html#task_1046352

I would say the correct answer is C A & D uses default encryption using md5 hashing algorithm is not secure and has been exploited for years. C uses scrypt as the hashing algorithm which is a type 9 encryption algorithm and it's more secure than md5 B is missing the password keyword https://www.linkedin.com/pulse/enable-secret-password-algorithms-md5-sha256-scrypt-michael-akintola

scrypt is the best algorithm-type. No question about it. It doesn't matter about the length of the password - it's primarily about the algorithm.

I think it's C enable [algorithm-type md5] secret password 5 MD5 enable algorithm-type sha256 secret password 8 SHA-256 enable algorithm-type scrypt secret password 9 SHA-256

The phrase "It must use the strongest password configurable" suggests that the user account should have the most secure and strong password possible, not necessarily the strongest encryption for the password itself. It means that the user's password should be as complex, long, and difficult to guess as possible, following best practices for password security.

I tried all commands on GNS3 Cisco C3725 router, all are wrong.

https://www.linkedin.com/pulse/enable-secret-password-algorithms-md5-sha256-scrypt-michael-akintola

C is the strongest password, type 9 and SHA-256 algorithm. CCNA 200-301 Official Cert Guide, Volume 2 page 93 https://community.cisco.com/t5/networking-knowledge-base/understanding-the-differences-between-the-cisco-password-secret/ta-p/3163238

As of bug CSCue95644 (which is a Cisco issue identifier), keyword 4 for specifying a SHA-256 encrypted secret string has been deprecated. This indicates that the use of that particular type of encryption algorithm is no longer recommended or supported by Cisco. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-e1.html#:~:text=4%20keyword%20is-,deprecated,-. The syntax of the letter C is correct, only the password "test2021" would be weak, but as shown is just a "test" password, it will not be this password that the engineer will hand over to the user, without a crisis. However, setting the password with type 9 (SCRYPT) is the strongest that can be set, better than 5 and 8. The old type 4 is no longer recommended due to its fragility (bug CSCue95644).

B. R1(config)# username engineer2 secret 4 $1$b1Ju$kZbBS1Pyh4QzwXyZ This command creates a local user account named "engineer2" and sets the password as the given encrypted string "$1$b1Ju$kZbBS1Pyh4QzwXyZ". The "secret" keyword is used to specify the encrypted password. The "4" indicates the encryption type, which in this case appears to be MD5. Option A uses the "password" keyword, which indicates a simple, unencrypted password. Option C uses the "algorithm-type scrypt" which is not necessary for this scenario, and Option D is incorrect because it uses the wrong keyword ("password") instead of "secret" for specifying an encrypted password.

The command starts with the "username" keyword, followed by the desired username, which in this case is "engineer". The "secret" keyword is used to specify the password. The number "5" following the secret keyword indicates the password encryption type, which is SHA256-based salted password hashing algorithm (scrypt) in this case. The password itself is specified after the encryption type. Option B is the correct command because it specifies the use of the strongest password encryption method (scrypt) and provides a secure password. The provided password, "S1$b1Ju$kZbBS1Pyh4QzwXyZ", is a strong password that meets the requirement for a strong password.

B is correct, C uses a very common password and cannot be correct!!