Configure SHA-256 format passwords
Syntax
password non-plaintext-sha256
no password non-plaintext-sha256
Description
Configure the password in SHA-256 format.
Limitations
- After password non-plaintext-sha256 is executed, the password cannot be converted back to plaintext; you must reconfigure the password.
- This feature is not applicable for passwords used in protocol handshaking (for example, SNMPv3, OSPF, and BFD).
- The SHA-256 password format is not supported when the password complexity feature is enabled.
If the passwords in the configuration are in SHA-256 format, downgrading to a version where this feature is not supported results in the deletion of the passwords. It is recommended that you disable this feature and reconfigure the password before downgrading.
If the password non-plaintext-sha256 feature is enabled, you are not allowed to enter the password in SHA-1 format.
The following three tables show the output from the show running-config command for each password storage format.

| include credentials enabled | encrypt-credentials enabled | non-plaintext-sha256 enabled | show running-config output (manager/operator/local-user) |
| --- | --- | --- | --- |
| No | No | No | password manager<br>password operator<br>aaa authentication local-user <username> group <groupname> |
| No | No | Yes | Manager and operator credentials are not displayed.<br>aaa authentication local-user <username> group <groupname> |
| No | Yes | No | password manager<br>password operator<br>aaa authentication local-user <username> group <groupname> |
| No | Yes | Yes | Manager and operator credentials are not displayed.<br>aaa authentication local-user <username> group <groupname> |
| Yes | No | No | password manager user-name <username> <SHA-1 password><br>password manager user-name <username> <SHA-1 password><br>aaa authentication local-user <username> group <groupname> password sha1 <SHA-1 password> |
| Yes | No | Yes | password manager user-name <username> sha256 <SHA-256 password><br>password manager user-name <username> sha256 <SHA-256 password><br>aaa authentication local-user <username> group <groupname> password <SHA-256 password> |
| Yes | Yes | No | encrypted-password manager user-name <username> <encrypted SHA-1 password><br>encrypted-password manager user-name <username> <encrypted SHA-1 password><br>aaa authentication local-user <username> group <groupname> password sha1 <SHA-1 password> |
| Yes | Yes | Yes | encrypted-password manager user-name <username> <encrypted SHA-256 password><br>encrypted-password manager user-name <username> <encrypted SHA-256 password><br>aaa authentication local-user <username> group <groupname> password sha 256 <SHA-256 password> |

| include credentials enabled | encrypt-credentials enabled | non-plaintext-sha256 enabled | show running-config output (manager/operator/local-user) |
| --- | --- | --- | --- |
| Yes | No | No | password manager user-name <username> sha-1 <SHA-1 password><br>password operator user-name <username> sha-1 <SHA-1 password><br>aaa authentication local-user <username> group <groupname> password sha1 <SHA-1 password> |
| Yes | No | Yes | Passwords cannot be configured using the sha1 option when non-plaintext sha256 is enabled. |
| Yes | Yes | No | encrypted-password manager user-name <username> <encrypted SHA-1 password><br>encrypted-password manager user-name <username> <encrypted SHA-1 password><br>aaa authentication local-user <username> group <groupname> password sha1 <SHA-1 password> |
| Yes | Yes | Yes | Passwords cannot be configured using the sha1 option when non-plaintext sha256 is enabled. |

| include credentials enabled | encrypt-credentials enabled | non-plaintext-sha256 enabled | show running-config output (manager/operator/local-user) |
| --- | --- | --- | --- |
| Yes | No | No | Manager and operator credentials are not displayed because SHA-1 passwords are not available.<br>aaa authentication local-user <username> group <groupname> |
| Yes | No | Yes | password manager user-name <username> sha256 <SHA-256 password><br>password manager user-name <username> sha256 <SHA-256 password><br>aaa authentication local-user <username> group <groupname> password sha 256 <SHA-256 password> |
| Yes | Yes | No | Manager and operator credentials are not displayed because SHA-1 passwords are not available.<br>aaa authentication local-user <username> group <groupname> |
| Yes | Yes | Yes | encrypted-password manager user-name <username> <encrypted SHA-256 password><br>encrypted-password manager user-name <username> <encrypted SHA-256 password><br>aaa authentication local-user <username> group <groupname> password sha 256 <SHA-256 password> |
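
An audit sketch for a saved show running-config, added here as an example (not vendor code): it classifies each credential line by storage format using the line shapes in the tables above, and lists the SHA-256 entries that the downgrade limitation would delete. The user names, group name, digests and the hex-digest-length fallback are assumptions.

```python
import hashlib
import re

# Line shapes follow the table templates above. Assumption (not stated on the page):
# hashes are shown as hex digests, 40 characters for SHA-1 and 64 for SHA-256.
MGMT = re.compile(r"^(encrypted-password|password)\s+(manager|operator)\s+user-name\s+(\S+)\s+(.+)$")
LOCAL = re.compile(r"^aaa authentication local-user\s+(\S+)\s+group\s+\S+\s+password\s+(.+)$")
KEYWORDS = {"sha1": "sha1", "sha-1": "sha1", "sha256": "sha256", "sha 256": "sha256"}

def classify(rest, encrypted=False):
    """Return 'sha1', 'sha256', 'encrypted' or 'unknown' for the text after the user name."""
    if encrypted:
        return "encrypted"  # ciphertext: the underlying hash type is not visible
    text = rest.strip().lower()
    for keyword, fmt in KEYWORDS.items():
        if text.startswith(keyword + " "):
            return fmt
    # No keyword on the line: fall back to the digest length.
    if re.fullmatch(r"[0-9a-f]+", text):
        return {40: "sha1", 64: "sha256"}.get(len(text), "unknown")
    return "unknown"

def audit(config_text):
    """Return (user, role, format) for every credential line in a running-config."""
    findings = []
    for line in map(str.strip, config_text.splitlines()):
        if m := MGMT.match(line):
            fmt = classify(m.group(4), m.group(1) == "encrypted-password")
            findings.append((m.group(3), m.group(2), fmt))
        elif m := LOCAL.match(line):
            findings.append((m.group(1), "local-user", classify(m.group(2))))
    return findings

def lost_on_downgrade(findings):
    """Users whose SHA-256 entries are deleted by a downgrade to a release without the feature."""
    return [user for user, _, fmt in findings if fmt == "sha256"]

# Constructed sample lines (user names, group name and digests are made up).
H1 = hashlib.sha1(b"constructed").hexdigest()
H256 = hashlib.sha256(b"constructed").hexdigest()
SAMPLE = f"""
password manager user-name admin sha256 {H256}
password operator user-name noc {H1}
aaa authentication local-user backup group grp1 password {H256}
aaa authentication local-user legacy group grp1 password sha1 {H1}
encrypted-password manager user-name root Y29uc3RydWN0ZWQ=
"""
```

Entries reported as `encrypted` hide the underlying hash type, so check them against the feature state before a downgrade.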