Hidekeys with Service Password-Encryption

Hi,

I'm currently reviewing my company's switch archiving setup and one thing I noticed was the lack of the "hidekeys" command within the archive configuration. I wonder if this is really required when the password-encryption service is enabled, as surely all passwords would be encrypted anyway?

 

Thanks!

Accepted Solutions

"service password-encryption" is a very weak security measure as it's reversible. The algorithm is documented and anyone sniffing the transfer can restore the passwords. With that, these passwords have to be considered plaintext. Now you have to decide if that's a problem for your environment.

Best practice is to move to hashed passwords where possible. For user accounts, just move to the "secret" form of configuration. But for all kinds of routing-protocol passwords that is not possible.
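To check what an archived configuration would actually expose, the following added example (not part of the original thread or any Cisco tool) classifies each stored credential by the type digit IOS prints before it and reports the ones that must be treated as plaintext. The sample configuration, its placeholder values and the keyword list in the regex are constructed assumptions; extend the keywords for the commands your devices use.

```python
import re

# Constructed sample of an archived running-config (placeholder values only).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 9 $9$CONSTRUCTED$hashplaceholder
username admin secret 5 $1$CONSTRUCTED$hashplaceholder
username backup password 7 CONSTRUCTED07
enable password 7 CONSTRUCTED07
key chain EIGRP-KEYS
 key 1
  key-string 7 CONSTRUCTED07
interface Vlan10
 ip ospf message-digest-key 1 md5 7 CONSTRUCTED07
line vty 0 4
 password 0 CONSTRUCTEDclear
"""

# Type digit that IOS prints before a stored credential -> how to treat it.
KINDS = {"0": "plaintext", "7": "reversible",
         "4": "hashed", "5": "hashed", "8": "hashed", "9": "hashed"}

# Assumed keyword list: credential keyword, optional type digit, value at end of line.
CRED = re.compile(r"\b(password|secret|key-string|md5)\s+(?:(\d)\s+)?(\S+)\s*$")

def audit(config_text):
    """Return (line_number, kind, redacted_line) for every stored credential."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = CRED.search(line)
        if not match:
            continue
        # No type digit means the value was stored as typed, i.e. plaintext.
        kind = KINDS.get(match.group(2) or "0", "unknown")
        # Redact the value so the audit report does not leak it again.
        redacted = line[:match.start(3)].strip() + " <redacted>"
        findings.append((number, kind, redacted))
    return findings

def exposed(findings):
    """Credentials readable by anyone who obtains the file or sniffs the transfer."""
    return [f for f in findings if f[1] in ("plaintext", "reversible")]

if __name__ == "__main__":
    for number, kind, line in exposed(audit(SAMPLE_CONFIG)):
        print(f"line {number}: {kind}: {line}")
```

Every line it reports is a candidate for migration to the "secret" form or, for routing-protocol keys where that is not possible, for being kept out of the archive and its transfer path.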
