CCNA 200-125 Tutorial: “Reversing” Password Encryption

In the first part of this CCNA and CCENT tutorial on the password encryption service, we saw the effects of this service on our router’s unencrypted passwords.  In a nutshell, they were successfully encrypted — but can this process be reversed?   Let’s find out!

Here are the passwords from our Cisco router as they stood at the end of the previous lab, along with the associated login commands where needed.

enable secret 5 $1$pRqy$gGBndy2EvAkm.SEMK4tq01
enable password 7 047828232115

username chris password 7 110B0B1C161C1F

line con 0
  password 7 0130252A7A
  login

line vty 0 4
  password 7 0327782E283B
  login

Can we reverse the encryption by disabling the service?

R2(config)#no service password-encryption

The enable secret and enable password at the top of the config give us the answer.

enable secret 5 $1$pRqy$gGBndy2EvAkm.SEMK4tq01
enable password 7 047828232115

Disabling password encryption does not undo any prior encryption performed by this service.   Naturally, any passwords entered once the service is turned off will not be encrypted.

Turning this service off after some passwords have already been encrypted is the reason you can end up with some encrypted passwords and others not-so-encrypted, as shown here:

R2(config)#username mountain password dew

The running config shows this password is left in clear text, while a password we configured in the previous lab is still encrypted.  The zero in the new username / password combination indicates an unencrypted password.

username chris password 7 110B0B1C161C1F
username mountain password 0 dew

While we can’t de-encrypt any of these passwords, we can overwrite them.   I’ll assume the person using the username chris has forgotten his password.   (Particularly sad, since the password is his last name.)   I’ll simply overwrite it and the password will appear in clear text.

R2(config)#username chris password bryant

The resulting running config:

username chris password 0 bryant
username mountain password 0 dew

The moral of this story: You can’t undo the work of service password-encryption, but you can overwrite it.
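
The mixed state this lab ends up in (type 5, type 7 and type 0 entries side by side) is easy to miss in a long config. As an added example, not part of the original tutorial, this Python script audits a saved config and reports how each credential is stored without printing the value. The function names and rating labels are this example's own, and type 7 is rated weak because it is a reversible encoding rather than a hash.

```python
import re

# Constructed sample: this lab's config after the service was disabled
# and user "mountain" was added (leading spaces mark line sub-commands).
SAMPLE_CONFIG = """\
enable secret 5 $1$pRqy$gGBndy2EvAkm.SEMK4tq01
enable password 7 047828232115
username chris password 7 110B0B1C161C1F
username mountain password 0 dew
line con 0
 password 7 0130252A7A
 login
line vty 0 4
 password 7 0327782E283B
 login
"""

# Audit rating per IOS password type digit (labels are this example's own).
RATING = {"0": "cleartext", "5": "md5-hash", "7": "weak-reversible"}

# Matches "enable password|secret", "username X [privilege N] password|secret"
# and the bare "password" sub-command under a line, with optional type digit.
CRED = re.compile(
    r"^\s*(?:enable\s+|username\s+(\S+)\s+(?:privilege\s+\d+\s+)?)?"
    r"(password|secret)\s+(?:(\d+)\s+)?\S+")

def audit(config):
    """Return (owner, type, rating) per stored credential, never the value."""
    findings, context = [], "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():  # top-level command starts a new context
            context = raw.strip() if raw.startswith("line ") else "global"
        m = CRED.match(raw)
        if not m:
            continue
        user, keyword, ptype = m.groups()
        ptype = ptype or "0"  # no type digit shown means stored as typed
        owner = ("username " + user if user
                 else "enable " + keyword if raw.lstrip().startswith("enable")
                 else context)
        findings.append((owner, ptype, RATING.get(ptype, "unrated")))
    return findings

def needs_attention(config):
    """Credentials stored in clear text or as type 7."""
    return [f for f in audit(config) if f[2] in ("cleartext", "weak-reversible")]
```

Calling needs_attention(SAMPLE_CONFIG) lists every entry except the enable secret, which is the only credential in this config stored as a hash.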

Be sure to check out the first lab in this series, along with my CCNA YouTube channel, and thanks for making The Bryant Advantage part of your CCNA success story!

Chris B.