03-06-2014 06:55 AM - edited 03-07-2019 06:34 PM
Hi All,
Forgive the stupid question here but I was just backing up the running configuration on the switches at work before we have a big powerdown at the weekend and I noticed that the passwords to access the switches are showing in readable text in the running configuration. Under line vty 0.4 and line vty 5.15 there is an entry for the password.
I have never seen this before in Cisco switch running configurations so I was just wondering if it was normal? I'm new to the company so before I go rock the boat I thought I would ask if it is just a normal occurrence as I've never seen it before on other 29 series switches that I have worked with.
If it isn't normal should I just remove it from the configuration files and then write mem to write a new config file minus the passwords? Just seems a bit risky to have passwords showing in plain sight especially if somebody ever saw the configuration file?
Any advice on the above would be greatly appreciated?
Thanks.
03-06-2014 02:15 PM
There is an option for service password-encryption which is not enabled by default. Most of us enable it as one of the first things we do in configuring IOS devices. Sounds like the switches you have seen before have the service enabled and this switch does not. I suggest that you enable the service on this switch. I urge you to be very VERY careful about just removing the passwords.
HTH
Rick
03-06-2014 04:33 PM
No, do not remove the passwords. As Rick said, it's missing the "service password-encryption" command. Just add it and the passwords will be non-readable unless you have one of the hundreds of available Cisco password crackers!!
03-06-2014 11:36 PM
Hi Rick,
Thanks for the advice. I will enable that service on our switches then for added security. Thank you very much for responding. I didn't want to remove the passwords, so will heed your advice there.
Cheers,
Nick
03-06-2014 11:47 PM
This is what is called device hardening. While configuring an initial requirement, it is recommended to go through the basic hardening. You can encrypt the passwords using the command - service password-encryption.
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html
--
Parvesh
03-07-2014 02:11 AM
Thanks. When I try entering the command service password-encryption I get invalid marker detected at the third character in the word service. Is there a condensed form of this command so that I can turn this service on, please?
I am trying to enable the service password-encryption from the elevated access mode on the switch or do I need to be in just the normal mode? I thought that in order to make any configuration changes and be able to write those changes to memory you had to be in the elevated access mode?
03-07-2014 02:21 AM
The syntax/command is:
Router(config)# service password-encryption
Feel free to revert for further support.
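An added example (not part of any post in this thread): a small Python audit for saved running-config backups that reports whether `service password-encryption` is present and which `password` lines are still cleartext or only type 7, the reversible obfuscation that this service applies. The sample config is constructed, and `audit_config` is a hypothetical helper name.

```python
import re

# Constructed sample of a running-config backup (not taken from the thread).
SAMPLE_CONFIG = """\
no service password-encryption
hostname SW1
enable secret 5 $1$CONSTRUCTED$placeholderhashvalue000
username admin password 0 ExamplePass1
line con 0
 password 7 0000000000
line vty 0 4
 password ExamplePass2
 login
line vty 5 15
 password ExamplePass2
 login
"""

# Matches "password [type] value" at the end of a line, with or without a prefix
# such as "username admin" or "enable".
PASSWORD_RE = re.compile(r"^\s*(?:.*\s)?password\s+(?:(\d+)\s+)?(\S+)\s*$")


def audit_config(text):
    """Return (service_enabled, findings); each finding is (line_no, context, kind)."""
    service_enabled = False
    findings = []
    context = "global"
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if line.strip() == "service password-encryption":
            service_enabled = True
            continue
        # An unindented line starts a new section; remember "line ..." blocks.
        if line and not line[0].isspace():
            context = line if line.startswith("line ") else "global"
        m = PASSWORD_RE.match(line)
        if not m:
            continue
        ptype = m.group(1)
        if ptype in (None, "0"):
            findings.append((line_no, context, "cleartext"))
        elif ptype == "7":
            findings.append((line_no, context, "type7-obfuscated"))
    return service_enabled, findings


if __name__ == "__main__":
    enabled, found = audit_config(SAMPLE_CONFIG)
    print("service password-encryption enabled:", enabled)
    for line_no, context, kind in found:
        print(f"line {line_no} [{context}]: {kind}")
```

The script prints only line numbers and section names, never the password values, so its output can be shared in a ticket without leaking credentials.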