Exam 200-301 topic 1 question 990 discussion

A. CAT9200(config)#username engineer2 privilege 1 password 7 test2021 Invalid encrypted password: test2021 B. CAT9200(config)#username engineer2 secret 4 $1$b1Ju$kZbBS1Pyh4QzwXyZ ERROR: Type 4 passwords have been deprecated. Migrate to a supported password type C. CAT9200(config)#username engineer2 algorithm-type scrypt secret test2021 CAT9200(config)#do show run | inc engineer2 username engineer2 secret 9 $9$2FTH4wYx6hzf1X$1WVSI21bbXZ7JlP5v42YDvImoHd6DTHW5pcm4J0Iy8A CAT9200(config)# D. CAT9200(config)#username engineer2 secret 5 password $1$b1Ju$kZbBS1Pyh4QzwXyZ % Ambiguous command: "username engineer2 secret 5 password $1$b1Ju$kZbBS1Pyh4QzwXyZ" CAT9200(config)# The only opcion that run is opcion C. I configured the user and pass, and when I did "show run", the passsword was encrypt.

The correct answer is **C. R1(config)# username engineer2 algorithm-type scrypt secret test2021**. ### Explanation: - The **`username`** command is used to configure a local user account on the router. - The **`secret`** keyword indicates that the password will be hashed and stored securely. - The **`algorithm-type scrypt`** specifies the use of the Scrypt algorithm, which is the strongest password hashing algorithm available for local user accounts on Cisco devices. Option C is the correct choice because it uses the `algorithm-type scrypt` parameter, ensuring the password is configured with the most secure hashing algorithm. The password `test2021` is used, and the `secret` keyword ensures it is hashed securely.

scrypt is stronger than the PBK... algorithm on B

A -> ERROR: Can not have both a user password and a user secret. Please choose one or the other. B -> works C -> username engineer2 algorithm-type scrypt secret test2021 ^ % Invalid input detected at '^' marker. D -> username engineer2 secret 5 password $1$b1Ju$kZbBS1Pyh4QzwXyZ ^ % Invalid input detected at '^' marker. (in D, 'password' would be the password, and the following is just jibberish)

I would say the correct answer is C A & D uses default encryption using md5 hashing algorithm is not secure and has been exploited for years. C uses scrypt as the hashing algorithm which is a type 9 encryption algorithm and it's more secure than md5 B is missing the password keyword https://www.linkedin.com/pulse/enable-secret-password-algorithms-md5-sha256-scrypt-michael-akintola

scrypt is the best algorithm-type. No question about it. It doesn't matter about the length of the password - it's primarily about the algorithm.

The phrase "It must use the strongest password configurable" suggests that the user account should have the most secure and strong password possible, not necessarily the strongest encryption for the password itself. It means that the user's password should be as complex, long, and difficult to guess as possible, following best practices for password security.

I tried all commands on GNS3 Cisco C3725 router, all are wrong.

https://www.linkedin.com/pulse/enable-secret-password-algorithms-md5-sha256-scrypt-michael-akintola

C is the strongest password, type 9 and SHA-256 algorithm. CCNA 200-301 Official Cert Guide, Volume 2 page 93 https://community.cisco.com/t5/networking-knowledge-base/understanding-the-differences-between-the-cisco-password-secret/ta-p/3163238

As of bug CSCue95644 (which is a Cisco issue identifier), keyword 4 for specifying a SHA-256 encrypted secret string has been deprecated. This indicates that the use of that particular type of encryption algorithm is no longer recommended or supported by Cisco. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-e1.html#:~:text=4%20keyword%20is-,deprecated,-. The syntax of the letter C is correct, only the password "test2021" would be weak, but as shown is just a "test" password, it will not be this password that the engineer will hand over to the user, without a crisis. However, setting the password with type 9 (SCRYPT) is the strongest that can be set, better than 5 and 8. The old type 4 is no longer recommended due to its fragility (bug CSCue95644).

B. R1(config)# username engineer2 secret 4 $1$b1Ju$kZbBS1Pyh4QzwXyZ This command creates a local user account named "engineer2" and sets the password as the given encrypted string "$1$b1Ju$kZbBS1Pyh4QzwXyZ". The "secret" keyword is used to specify the encrypted password. The "4" indicates the encryption type, which in this case appears to be MD5. Option A uses the "password" keyword, which indicates a simple, unencrypted password. Option C uses the "algorithm-type scrypt" which is not necessary for this scenario, and Option D is incorrect because it uses the wrong keyword ("password") instead of "secret" for specifying an encrypted password.

B is correct, C uses a very common password and cannot be correct!!

B seems to meet all those conditions.

if strongest password - answer D if strongest store password - C I dont understhand what Cisco want

Command: username engineer2 algorithm-type scrypt secret test2021 is not know in PT.

algorithm-type scrypt: This specifies the algorithm used for password hashing, which in this case is "scrypt". "scrypt" is a password-based key derivation function that is designed to be highly resistant to brute force attacks.