Encrypted Password when showing Running-Config
08-31-2004 01:24 PM - edited 03-09-2019 08:40 AM
Using the "service password-encryption" command. The problem is that when I type "show running-configuration", the "vpngroup password _________" line shows the VPN password I use in clear text. So if anyone were to look at my config file, they would know how to get onto my VPN. Is there a command where I can encrypt that line too?
Also, what is the difference between the "service password-encryption" command and the "enable secret" command?
Thanks.
Labels: Other Security Topics
08-31-2004 02:51 PM
I'm not sure about a command that can be used to encrypt the vpngroup password, but the difference between the "service password-encryption" and the "enable secret" command is quite different.
Service password-encryption will encrypt passwords with a Cisco proprietary encryption method. It is not the best encryption method and is easily cracked. There are many utilities out on the Internet that make this task quite trivial. (Most involve a cut/paste operation and you have the password immediately.)
The enable secret command will only encrypt your enable password using an MD5 hash. This makes it quite a bit more difficult to come up with the enable password to your router.
08-31-2004 02:58 PM
In very early IOS the main passwords that were configured were the line passwords on line console, line aux, and line vty, and the enable password. Cisco added the feature of service password-encryption to protect these passwords.
As the IOS has grown and matured many other passwords have been added. As passwords have been added some of them get added to the list of what is processed by service password-encryption while others still show the password in the clear. Over time more and more passwords get added to the list. I remember for many releases of IOS that the TACACS server key was shown in clear text and in current versions it is protected by password-encryption. I expect that the vpngroup password is likely to have a similar evolution and will at some point be protected by password-encryption. In the meanwhile I believe that there is no other command that will encrypt that password.
If you want to accelerate the process of getting this password protected by password-encryption you should talk to your Cisco account team (or your reseller or partner if you do not have an account team).
As for the difference between service password-encryption and enable secret, password-encryption was developed to protect the enable password. As I mentioned the encryption used is not especially strong (and was not designed to have strong encryption, it was designed to protect against casual "over the shoulder" observation). Cisco then developed enable secret as an alternative to enable password. The enable secret is always encrypted and uses a strong method (MD5) to protect the password.
HTH
Rick
This encryption uses a Cisco proprietary encryption algorithm which is not very strong.
Rick
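The replies above distinguish three ways a credential can appear in a running-config: in the clear (the vpngroup line the question asks about), as a type 7 string produced by service password-encryption (reversible, so it only defeats "over the shoulder" reading), and as a type 5 MD5-based hash produced by enable secret. An added example, not from the thread or from Cisco, is the small auditor below: it scans a constructed config excerpt (all values made up), classifies each credential line by its type number, and reports the lines an administrator should worry about before the config file is shared, backed up, or pasted into a ticket. The keyword list in the regex and the severity mapping are the script's own assumptions.

```python
import re

# Constructed sample running-config excerpt. Every hostname, hash and
# type 7 string here is made up; nothing is taken from a real device.
SAMPLE_CONFIG = """\
!
service password-encryption
hostname edge-rtr
enable password 7 094F471A1A0A
enable secret 5 $1$abcd$0123456789abcdefghijkl
username admin password 7 0822455D0A16
username ops password plaintextpw
vpngroup remote-users password MyVpnSecret
tacacs-server key 7 13061E010803
line vty 0 4
 password 7 030752180500
 login
!
"""

# Type numbers as they appear in IOS configs: 0 = cleartext, 7 = the
# reversible service password-encryption encoding, 5 = MD5-based hash
# written by enable secret. Anything else is flagged for manual review
# rather than silently accepted (assumption: unknown types exist and
# should be looked at, not guessed about).
TYPE_SEVERITY = {
    "0": ("cleartext", "HIGH"),
    "7": ("type7-reversible", "MEDIUM"),
    "5": ("type5-md5-hash", "OK"),
}

# "<anything> password|secret|key [type] <value>". A missing type number
# means the value is stored in the clear, e.g. the vpngroup line.
CRED_RE = re.compile(
    r"^(?P<prefix>.*?\b(?:password|secret|key))\s+"
    r"(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)


def classify(line):
    """Return (category, severity) for one config line, or None when the
    line carries no credential."""
    m = CRED_RE.match(line.strip())
    if not m:
        return None
    type_num = m.group("type") or "0"
    return TYPE_SEVERITY.get(type_num, ("unrecognized-type", "REVIEW"))


def audit(config_text):
    """Walk a config and collect one finding per credential line."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        # Skip comments and the service password-encryption directive itself.
        if stripped.startswith("!") or stripped == "service password-encryption":
            continue
        result = classify(line)
        if result:
            findings.append({
                "line": number,
                "text": stripped,
                "category": result[0],
                "severity": result[1],
            })
    return findings


def summarize(findings):
    """Count findings per severity so a reviewer sees the shape at a glance."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for f in results:
        print(f"line {f['line']:>3} [{f['severity']:<6}] {f['category']:<18} {f['text']}")
    print("summary:", summarize(results))
```

Run against the sample, the script reports the vpngroup password and the untyped username password as HIGH (cleartext), the enable password, username, TACACS key and vty lines as MEDIUM (type 7, recoverable with the public tools the first reply mentions), and only the enable secret line as OK. That mirrors the advice in the thread: prefer enable secret over enable password, and treat a config that still contains cleartext or type 7 values as sensitive wherever it is stored or sent.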
