02-28-2020 05:30 AM
I am trying to better understand the differences, as when using "6" it still shows the password in plain text in the run-config.
Also, I understand all the policy and key traffic is encrypted in phase 1, so I would like to understand better when and when not to use the 6 parameter.
03-02-2020 11:41 AM
Hi,
"service password-encryption" is a Cisco proprietary cipher algorithm; it ends up with a type 7 password, and there are plenty of tools which allow you to find the clear-text string from the type 7 cipher. But this was by design: it was never intended to be secure, but rather to defend against shoulder-watching attacks. This command affects all passwords configured with the "password" statement: your VTY line and console line password, your username password, your enable password.
"password encryption aes" defines the algorithm and, alongside "key config-key password-encryption <string>", it will take your ISAKMP pre-shared keys and encrypt them via AES using the defined string; they show up as a type 6 password. In order to make the process secure, the defined "string" is not kept in the configuration.
Regards,
Cristian Matei.
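As an added example (not code from the thread or from Cisco), here is a small Python audit that flags the cases Cristian describes in a saved running-config: cleartext ISAKMP pre-shared keys, type 7 strings produced by "service password-encryption", and cleartext "password" statements, while type 6 keys and hashed "secret" entries pass. The config excerpt and its cipher/hash strings are constructed placeholders, not device output.

```python
import re
from typing import List, Tuple

# Constructed running-config excerpt; cipher and hash strings are placeholders.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 094F4PLACEHOLDER
username admin password 7 0822PLACEHOLDER
username ops secret 9 $9$PLACEHOLDER$PLACEHOLDER
crypto isakmp key 6 PLACEHOLDERCIPHERTEXT address 198.51.100.10
crypto isakmp key MySharedSecret address 198.51.100.20
line vty 0 4
 password 7 121APLACEHOLDER
"""

# IOS credential types: no type / 0 = cleartext, 7 = reversible obfuscation
# (service password-encryption), 6 = AES under the config-key (key not stored
# in the config), 5/8/9 = one-way hashes used by "secret" statements.
ISAKMP_RE = re.compile(r"^crypto isakmp key(?: (\d))? \S+ address (\S+)")
PASSWORD_RE = re.compile(
    r"^\s*(enable password|username \S+ password|password)(?: (\d))? \S+"
)


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Return (finding, line) pairs for each cleartext or reversible credential."""
    findings = []
    for raw in config.splitlines():
        line = raw.rstrip()
        m = ISAKMP_RE.match(line)
        if m:
            if (m.group(1) or "0") != "6":
                findings.append(("isakmp-psk-cleartext", line))
            continue
        m = PASSWORD_RE.match(line)
        if m:
            enc_type = m.group(2) or "0"
            if enc_type == "7":
                findings.append(("type7-reversible", line))
            elif enc_type == "0":
                findings.append(("password-cleartext", line))
    return findings


if __name__ == "__main__":
    for finding, line in audit_config(SAMPLE_CONFIG):
        print(f"{finding:22} {line.strip()}")
```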
02-28-2020 07:48 AM
Hi,
The keys are not encrypted until you enter the command "password encryption aes"; they will still appear in plaintext in the running configuration until you do. This guide is accurate, I've previously used it.
HTH