CCNA 200-125 Tutorial: The Password Encryption Service

There are several dozen services available to us on a Cisco router, but only a few are mentioned in the startup and running config by default.  You’ll find those at the top of the config.  Those include the password encryption service, which is off by default.

no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption

One little problem with Cisco routers is that all passwords configured on said router are displayed in plain text, with the exception of the enable secret, which is encrypted.  From the router config, here’s a list of passwords I’ve configured for this lab, along with any password-related commands.   (The VTY lines are set for login with the password CCNA, but I’ve configured a single username/password entry to give us another password to work with.)

enable secret 5 $1$pRqy$gGBndy2EvAkm.SEMK4tq01
enable password CCENT

username chris password 0 bryant

line con 0
password CCNA
login

line vty 0 4
password CCENT
login

Quick quiz:  When I’m prompted for a password when entering enable mode, should I enter the enable secret or the enable password when both are set?

Quick answer:  The enable secret, which always takes precedence over the enable password.  The enable secret’s also the only password that is encrypted by default, and I promise not to mention that again.  : )

Enabling the password encryption service will encrypt all clear-text passwords in the config.  Sounds like a pretty good deal!   It’s good for stopping the “over-the-shoulder network attack” — that is, this encryption stops someone from looking over your shoulder and noting your passwords for future and illegitimate use — but this encryption is easily broken by easily acquired software.  Still, ’tis better to have encrypted passwords than not, so let’s have at it!

The command is simple and has no options, verified by IOS Help.

R2(config)#service password-encryption ?
<cr>

R2(config)#service password-encryption

The running config’s passwords are now all encrypted — but what’s that number doing in there, and why do some passwords have a “5” where others have a “7”?

enable secret 5 $1$pRqy$gGBndy2EvAkm.SEMK4tq01
enable password 7 047828232115

username chris password 7 110B0B1C161C1F

line con 0
password 7 0130252A7A
login

line vty 0 4
password 7 0327782E283B
login

The enable secret is displayed with a “5”, where the passwords encrypted by service password-encryption (including the enable password) are displayed with a “7”.  That number identifies the algorithm used to store the password: “7” is the weak, reversible encryption performed by service password-encryption, and “5” indicates the somewhat stronger MD5 hash used by the enable secret.
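As an added example (not from the tutorial), here is a small audit script that reads a running config in the format shown above, attributes each stored password to its command context (enable, username, line con 0, line vty 0 4) and reports which ones are still stored as type 0 or type 7, the two forms that can be read back. The config text is constructed to mirror the post-encryption output above; the function and type names are my own.

```python
import re
from typing import List, NamedTuple, Optional
# Constructed running-config excerpt mirroring the tutorial's post-encryption output.
SAMPLE_CONFIG = """\
enable secret 5 $1$pRqy$gGBndy2EvAkm.SEMK4tq01
enable password 7 047828232115
username chris password 7 110B0B1C161C1F
line con 0
 password 7 0130252A7A
 login
line vty 0 4
 password 7 0327782E283B
 login
"""
# IOS storage types seen on this page: description and whether an auditor should flag it.
TYPE_INFO = {
    "0": ("clear text", True),
    "7": ("service password-encryption, reversible", True),
    "5": ("MD5 hash, as used by enable secret", False),
}

class Finding(NamedTuple):
    context: str  # "enable password", "username chris", "line vty 0 4", ...
    ptype: str    # IOS type digit printed before the stored value; "0" when absent

# Matches enable secret/password, "username X password" and per-line "password" commands,
# with or without the type digit IOS prints before the stored value.
PASSWORD_RE = re.compile(
    r"^\s*(enable (?:secret|password)|username (\S+) password|password)\s+(?:(\d)\s+)?\S+\s*$"
)

def audit_config(config: str) -> List[Finding]:
    """Attribute every stored password in a running config to its command context and type."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in config.splitlines():
        if raw.strip() and not raw.startswith(" "):
            # Unindented command: enters a 'line ...' section or leaves the previous one.
            section = raw.strip() if raw.startswith("line ") else None
        m = PASSWORD_RE.match(raw)
        if not m:
            continue
        keyword, user, ptype = m.groups()
        context = keyword if keyword.startswith("enable") else (f"username {user}" if user else section or "unknown")
        findings.append(Finding(context, ptype or "0"))  # no digit printed means clear text
    return findings

def weak_contexts(config: str) -> List[str]:
    # Contexts whose password is recoverable (type 0 or 7) and should move to a hashed secret.
    return [f.context for f in audit_config(config) if TYPE_INFO.get(f.ptype, ("", True))[1]]
```

Calling `weak_contexts(SAMPLE_CONFIG)` on the sample returns every context except the enable secret, which is the only entry the page's config stores as a type 5 hash.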

Great service, but what if we want to reverse this encryption?  Can we do that?  We’ll find out together with the click of this link…

CCNA And CCENT Tutorial: Reversing Password Encryption

See you there!  — Chris B.