CCNA 200-125 Tutorial: “Reversing” Password Encryption
In the first part of this CCNA and CCENT tutorial on the password encryption service, we saw the effects of this service on our router’s unencrypted passwords. In a nutshell, they were successfully encrypted — but can this process be reversed? Let’s find out!
Here are the passwords from our Cisco router as they stood at the end of the previous lab, along with the associated login commands where needed.
enable secret 5 $1$pRqy$gGBndy2EvAkm.SEMK4tq01
enable password 7 047828232115
username chris password 7 110B0B1C161C1F
line con 0
 password 7 0130252A7A
 login
line vty 0 4
 password 7 0327782E283B
 login
Can we reverse the encryption by disabling the service?
R2(config)#no service password-encryption
The enable secret and enable password at the top of the config give us the answer.
enable secret 5 $1$pRqy$gGBndy2EvAkm.SEMK4tq01
enable password 7 047828232115
Disabling password encryption does not undo any prior encryption performed by this service. Naturally, any passwords entered once the service is turned off will not be encrypted.
Turning this service off after some passwords have already been encrypted is the reason you can end up with some encrypted passwords and others not-so-encrypted, as shown here:
R2(config)#username mountain password dew
The running config shows this password is left in clear text, while a password we configured in the previous lab is still encrypted. The zero in the new username / password combination indicates an unencrypted password.
username chris password 7 110B0B1C161C1F
username mountain password 0 dew
While turning off the service won’t decrypt any of these passwords, we can overwrite them. I’ll assume the person using the username chris has forgotten his password. (Particularly sad, since the password is his last name.) I’ll simply overwrite it and the password will appear in clear text.
R2(config)#username chris password bryant
The resulting running config:
username chris password 0 bryant
username mountain password 0 dew
The moral of this story: You can’t undo the work of service password-encryption, but you can overwrite it.
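To spot the mixed state this lab ends in, the added example below (not part of the original tutorial) audits a saved running config and reports the type digit stored with each password. The names audit and unencrypted are hypothetical, the sample config is assembled from the excerpts shown above, and the script assumes sub-mode commands are indented the way IOS prints them.

```python
# Labels for the type digit IOS prints in front of a stored password.
TYPES = {"0": "clear text", "5": "enable secret hash",
         "7": "service password-encryption"}

# Constructed sample: the final state of this lab's running config.
SAMPLE = """\
enable secret 5 $1$pRqy$gGBndy2EvAkm.SEMK4tq01
enable password 7 047828232115
username chris password 0 bryant
username mountain password 0 dew
line con 0
 password 7 0130252A7A
 login
line vty 0 4
 password 7 0327782E283B
 login
"""

def audit(config):
    """Return (owner, type_digit, label) for every password line found."""
    findings, section = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):   # a top-level command ends the line sub-mode
            section = line if line.startswith("line ") else None
        words = line.split()
        if words[:2] in (["enable", "secret"], ["enable", "password"]):
            owner, rest = " ".join(words[:2]), words[2:]
        elif words[0] == "username" and len(words) > 3 and words[2] in ("password", "secret"):
            owner, rest = "username " + words[1], words[3:]
        elif words[0] == "password" and section:
            owner, rest = section, words[1:]
        else:
            continue
        # No digit before the value means the password is stored as typed.
        digit = rest[0] if len(rest) > 1 and rest[0].isdigit() else "0"
        findings.append((owner, digit, TYPES.get(digit, "other")))
    return findings

def unencrypted(config):
    """Owners whose password is readable in the config (type 0)."""
    return [owner for owner, digit, _ in audit(config) if digit == "0"]

if __name__ == "__main__":
    for owner, digit, label in audit(SAMPLE):
        print(f"{owner:18} type {digit}  {label}")
```

Running it against a config saved after service password-encryption was switched off lists exactly the passwords that were entered or overwritten since then.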