Tuesday, October 7, 2008

Password Encryption


When an IOS username/password combination is configured using the standard 'username xxxx password yyyy' command, the password is stored in the configuration in the clear.
The password can be encrypted using the 'service password-encryption' command. This ensures the password is no longer displayed in clear text in the config, but is obscured.

This type of encryption is also referred to as type 7 encryption and is in fact relatively easy to crack. Just do a Google search on 'cisco password cracker'!

An alternative to this is MD5 encryption, which is much harder to crack. The password can be stored as an MD5 hash by using 'username xxxx secret yyyy'.

Note that passwords stored this way cannot be used in conjunction with PAP or CHAP.
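To find which local accounts in a saved config still use the clear-text or type 7 form, a small audit script helps. The following is an added example, not part of the original post; the sample config, user names and credential strings are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample fragment; user names and credential strings are made up.
SAMPLE_CONFIG = """\
service password-encryption
username alice password 0 Winter2008
username bob password 7 0000AAAA1111
username carol privilege 15 secret 5 $1$abcd$CONSTRUCTEDPLACEHOLDER
username dave password Plain123
"""

# Allows options such as "privilege 15" between the name and the keyword.
USER_RE = re.compile(
    r"^username\s+(?P<name>\S+)\s+(?:.*?\s)?(?P<kw>password|secret)\s+(?P<rest>.+)$"
)

def classify(line):
    """Return (username, storage kind) for a 'username' line, else None."""
    m = USER_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("rest").split(None, 1)
    # A leading number followed by a value is the encoding type;
    # a bare value means the password was stored as typed (clear text).
    enc = parts[0] if len(parts) == 2 and parts[0].isdigit() else "0"
    if m.group("kw") == "secret":
        kind = "md5-hash" if enc == "5" else "secret-type-" + enc
    else:
        kind = {"0": "cleartext", "7": "type7-obscured"}.get(enc, "password-type-" + enc)
    return m.group("name"), kind

def audit(config_text):
    """Return (service password-encryption enabled?, accounts not stored as MD5)."""
    lines = config_text.splitlines()
    # Exact match, so "no service password-encryption" is not counted.
    enabled = any(l.strip() == "service password-encryption" for l in lines)
    findings = []
    for l in lines:
        c = classify(l)
        if c and c[1] != "md5-hash":
            findings.append(c)
    return enabled, findings

if __name__ == "__main__":
    enabled, findings = audit(SAMPLE_CONFIG)
    print("service password-encryption:", "on" if enabled else "off")
    for name, kind in findings:
        # Accounts used for PAP or CHAP need review before moving to 'secret'.
        print(f"{name}: {kind} -> consider 'username {name} secret ...'")
```

Accounts reported as type7-obscured are only hidden from casual viewing, so they belong on the same migration list as the clear-text ones.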
