cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
649
Views
5
Helpful
1
Replies

Hidekeys with Service Password-Encryption

Hi,

I'm currently reviewing my companies switch archiving setup and one thing I noticed was the lack of the "hidekeys" command within the archive configuration. I wonder if this is really required when the password-encryption service is enabled as surely all passwords would be encrypted anyway?

 

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Karsten Iwen
VIP Mentor

"service password-encryption" is a very weak security-measure as it's reversible. The algorithm is documented and anyone sniffing the transfer can restore the passwords. With that, these passwords have to be considered plaintext. Now you have to decide if that's a problem for your environment.

Best practice is to move to hashed passwords where possible. For user accounts just move to the "secret" form of configuration. But for all kind of routing-protocol-passwords that is not possible.

View solution in original post

1 REPLY 1
Karsten Iwen
VIP Mentor

"service password-encryption" is a very weak security-measure as it's reversible. The algorithm is documented and anyone sniffing the transfer can restore the passwords. With that, these passwords have to be considered plaintext. Now you have to decide if that's a problem for your environment.

Best practice is to move to hashed passwords where possible. For user accounts just move to the "secret" form of configuration. But for all kind of routing-protocol-passwords that is not possible.

Create
Recognize Your Peers
Content for Community-Ad