Service Password Encryption

Discussion in 'General Cisco Certifications' started by Headache, Feb 25, 2007.

  1. Headache

    Sorry if this sounds stupid, but how do you configure Service Password Encryption?
     
    Certifications: CCNA
    WIP: CCNP
  2. NetEyeBall

    From Cisco:

    service password-encryption (and limitations)
    The service password-encryption command directs the IOS software to encrypt the passwords, CHAP secrets, and similar data that are saved in its configuration file. This is useful to prevent casual observers from reading passwords, such as when they look at the screen over the shoulder of an administrator.

    However, the algorithm used by the service password-encryption command is a simple Vigenere cipher. Any competent amateur cryptographer can easily reverse it in a few hours. The algorithm is not designed to protect configuration files against serious analysis by even slightly sophisticated attackers, and should not be used for this purpose. Any Cisco configuration file that contains encrypted passwords must be treated with the same care used for a cleartext list of those same passwords.

    This weak encryption warning does not apply to passwords set with the enable secret command, but it does apply to passwords set with the enable password command.

    The enable secret command uses MD5 for password hashing. The algorithm has had considerable public review, and is not reversible as far as Cisco knows. It is, however, subject to dictionary attacks. A dictionary attack is when a computer tries every word in a dictionary or other list of candidate passwords. Therefore, remember to keep your configuration file out of the hands of untrusted people, especially if you are not sure your passwords are well chosen.


    From my Lab:

    Router(config)#service password-encryption
    Router(config)#enable password Cisco

    SH RUN

    enable password 7 062506324F41

    Without service password-encryption

    Router(config)#enable password Cisco

    SH RUN

    enable password Cisco


    But I would use Enable Secret since it is a stronger encryption and all the kool kats are doing it.

    Post script: Keep them coming Headache! Helps me learn new stuff!!!
     
    Certifications: CCNA, A+, N+, MCSE 4.0, CCA
    WIP: CCDA, CCNP, Cisco Firewall
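
Added example, not part of the thread or of Cisco's text: a short Python audit of `enable` lines showing why the quoted advisory says a type 7 string deserves the same care as cleartext. The translation table is the fixed, publicly known type 7 key; the sample config reuses the lab line from the post above plus a constructed `enable secret` line with a placeholder hash, and the function names are hypothetical.

```python
import re

# Fixed, publicly known translation table behind IOS "type 7" strings.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
ENABLE_RE = re.compile(r"^\s*enable (password|secret)\s+(?:(\d)\s+)?(\S+)\s*$")

def decode_type7(blob):
    """Reverse type 7: two decimal digits give the table offset,
    the remaining hex bytes are XORed with successive table entries."""
    if len(blob) < 4 or len(blob) % 2 or not blob[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % blob)
    offset = int(blob[:2])
    data = bytes.fromhex(blob[2:])  # raises ValueError on non-hex input
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii", "replace")

def audit(config):
    """Return (line, verdict) for every enable password/secret line."""
    findings = []
    for line in config.splitlines():
        m = ENABLE_RE.match(line)
        if not m:
            continue
        kind, ptype, value = m.groups()
        if kind == "secret":
            verdict = "hashed: not reversible, but open to dictionary attack"
        elif ptype == "7":
            try:
                verdict = "type 7: recoverable as %r" % decode_type7(value)
            except ValueError:
                verdict = "type 7: malformed value"
        else:
            verdict = "cleartext"
        findings.append((line.strip(), verdict))
    return findings

# Constructed sample: the type 7 line is the lab output from the post above;
# the secret line uses a placeholder, not a real hash.
SAMPLE = """\
hostname Router
enable secret 5 $1$PLACEHOLDER$notarealhash
enable password 7 062506324F41
enable password Cisco
"""

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE):
        print("%-45s -> %s" % (line, verdict))
```

Any line the audit reports as cleartext or type 7 is a candidate for replacement with `enable secret`, as the post recommends.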
  3. Headache

    I didn't realise that's all you needed to do.

    Thanks NetEyeBall. That was a great help.
     
    Certifications: CCNA
    WIP: CCNP
