Unencrypted vs encrypted password

dbuckley77
Level 1

  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password

What do these options mean?

 

When entering a password or key for something without putting a 0 or 7 in front of the value, am I actually entering it as unencrypted or plain text? Is the 7 only used when copying from another config? Can you copy the line with the hash in it from the config on one router/switch to another and have it work for whatever you're configuring? I do not understand why you would use these values rather than the plain text when issuing a command.

Also, I entered a password for a local user while service password-encryption was turned off. When I did a show run it displayed the password as plain text. However, when I did a no service password-encryption and another show run, the password was still encrypted with the hash. Why is this?

Accepted Solution

First and most important: The type-7 passwords that you get with "service password-encryption" are not hashed. They are only "hidden" and can easily be reverted. They only provide protection against someone looking over your shoulder, but are not enough to protect the passwords when the config file is communicated in public.

Normally, new passwords are always entered in clear text:

inet(config)#enable password ThisIsSuperSecret

If you have "service password-encryption" enabled, the router calculates the type 7 password and enters the password into the config:

inet(config)#do sh run | i password
service password-encryption
enable password 7 053F0E0632655D3A0C151200380907382E30

This line can now be copied to a different machine and will be recognized as a password.

Turning off service password-encryption does not turn the password back, but all newly entered passwords will be shown as cleartext.

The type-7 passwords can be reverted to plaintext with tools found on the internet. I use a Python script for that:

kiMaMi:~ karsten$ ./cipade.py 053F0E0632655D3A0C151200380907382E30
ThisIsSuperSecret
kiMaMi:~ karsten$

Today it's general advice not to use any of the "password" functions.

Use "enable secret" instead of "enable password" and "username NAME secret" instead of "username NAME password" as these passwords are really only hashes and can't be reverted:

inet(config)#username TEST secret NotSoSecurePassword
inet(config)#do sh run | i TEST
object-group service TEST
username TEST secret 5 $1$UkL8$O2H1/rz7CzmCu0vfCiNdK.

Here an MD5 hash is used, which is not state of the art any more. If you have a newer IOS, you can use the much more secure PBKDF2:

inet-home(config)#username TEST algorithm-type sha256 secret THISisNotSecureEnough
inet-home(config)#do sh run | i TEST
username TEST secret 8 $8$ucEtAF7OpgRpVU$CPP9//P40ibq0LEORAha6S6S6gDF4bVtUiz8VGHcz1U
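To make the distinction in this answer actionable, here is a small config auditor, added as an example for this thread (it is not from the original post or from Cisco). It scans running-config text for `enable`/`username` credential lines, classifies each by the type number the answer explains (no type or `0` = cleartext, `7` = reversible obfuscation, `5` = MD5-crypt, `8` = PBKDF2-SHA256), and suggests the `algorithm-type sha256 secret` replacement. The sample config is constructed from the lines shown above; the `$9$` type 9 (scrypt) entry and the `enable algorithm-type sha256 secret` form are assumptions that apply only to newer IOS releases.

```python
"""Audit an IOS running-config for weak credential storage.

Example code added to this thread (not from the original post or from Cisco).
'password' lines (cleartext or type 7) are flagged high, type 5 (MD5-crypt)
is flagged as legacy, type 8 (PBKDF2-SHA256) and type 9 (scrypt) are accepted.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches "enable password|secret [TYPE] VALUE" and
# "username NAME password|secret [TYPE] VALUE". TYPE is absent when a
# cleartext password was entered with service password-encryption off.
LINE_RE = re.compile(
    r"^(?P<scope>enable|username\s+(?P<user>\S+))\s+"
    r"(?P<kind>password|secret)"
    r"(?:\s+(?P<type>\d+))?\s+(?P<value>\S+)\s*$"
)

# (keyword, type number) -> (description, severity)
SCHEMES = {
    ("password", None): ("cleartext (no type, stored as typed)", "high"),
    ("password", "0"): ("type 0, cleartext", "high"),
    ("password", "7"): ("type 7, reversible obfuscation, not a hash", "high"),
    ("secret", "5"): ("type 5, MD5-crypt hash (legacy)", "medium"),
    ("secret", "8"): ("type 8, PBKDF2-SHA256 hash", "ok"),
    ("secret", "9"): ("type 9, scrypt hash (assumed: newer IOS)", "ok"),
}

# Constructed sample running-config, modelled on the lines in the answer.
# The $9$ value is a made-up placeholder, not a real hash.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 053F0E0632655D3A0C151200380907382E30
username OLD password 0 ThisIsSuperSecret
username LEGACY password HelloThere
username TEST secret 5 $1$UkL8$O2H1/rz7CzmCu0vfCiNdK.
username TEST2 secret 8 $8$ucEtAF7OpgRpVU$CPP9//P40ibq0LEORAha6S6S6gDF4bVtUiz8VGHcz1U
username NEW secret 9 $9$constructedPlaceholderValue
"""


@dataclass
class Finding:
    line: str       # the config line that was matched
    scheme: str     # human-readable storage scheme
    severity: str   # "high", "medium" or "ok"
    advice: str     # replacement command, if any


def _advice(is_enable: bool, user: Optional[str], kind: str,
            ptype: Optional[str]) -> str:
    """Suggest the replacement command for a weak line."""
    target = "enable" if is_enable else f"username {user}"
    if kind == "password":
        # Every 'password' form is recoverable; re-enter it as a hashed secret.
        return f"replace with: {target} algorithm-type sha256 secret <new-password>"
    if ptype == "5":
        return (f"re-enter as: {target} algorithm-type sha256 secret <password> "
                f"(stored as type 8)")
    return "no action needed"


def audit(config: str) -> List[Finding]:
    """Return one Finding per credential line found in the config text."""
    findings: List[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # not a credential line (hostname, service ..., etc.)
        kind, ptype = m["kind"], m["type"]
        scheme, severity = SCHEMES.get(
            (kind, ptype), (f"unrecognized type {ptype}", "medium"))
        is_enable = m["scope"] == "enable"
        findings.append(Finding(line, scheme, severity,
                                _advice(is_enable, m["user"], kind, ptype)))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Tally findings so a report can lead with the worst category."""
    counts = {"high": 0, "medium": 0, "ok": 0}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for f in results:
        print(f"[{f.severity:6}] {f.line}\n         {f.scheme}; {f.advice}")
    print(count_by_severity(results))
```

Run it against `show running-config` output saved to a file; a type 7 line only ever counts as "high", which is the point of the answer above, and the `secret 5` line is reported as legacy rather than broken, so it can be scheduled for re-entry rather than treated as an emergency.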
