Encrypting Passwords

Problem

You want to encrypt passwords so that they do not appear in plain text in the router configuration file.

Solution

To enable password encryption on a router, use the service password-encryption configuration command:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#enable password oreilly
Router1(config)#line vty 0 4
Router1(config-line)#password cookbook
Router1(config-line)#line con 0
Router1(config-line)#password cookbook
Router1(config-line)#line aux 0
Router1(config-line)#password cookbook
Router1(config-line)#exit
Router1(config)#service password-encryption
Router1(config)#end
Router1#

This command uses a weak, reversible encryption method to encipher the enable password, the line (console, AUX, VTY) passwords, and username passwords. See Recipe 3.5 for more details.

Discussion

By default, the router stores all passwords in clear text and presents them in a human-readable format when you look at the router's configuration. The service password-encryption command encrypts the passwords by using the Vigenère encryption algorithm. Unfortunately, the Vigenère encryption method is cryptographically weak and trivial to reverse, as we will illustrate in Recipe 3.5.

However, this functionality is still quite useful to prevent nosy neighbors from viewing passwords over your shoulder. As such, encrypting your passwords is still highly recommended in spite of the known weaknesses. You should be aware of the inherent weaknesses of this encryption scheme when storing or forwarding router configuration files, though. Recipe 3.4 provides a small utility to strip your router configuration files of all passwords (encrypted or not) to keep stored and forwarded configuration files safe from prying eyes.
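The stripping utility Recipe 3.4 refers to is not reproduced here. As an added example (mine, not the book's or Cisco's code), the following Python script does two things a practitioner wants before a configuration file is stored or forwarded: it audits the file, reporting whether service password-encryption is in effect and which password lines are still in cleartext, and it produces a redacted copy with every password value removed, encrypted or not. It assumes the show running-config layout used in this recipe, in which a password line carries an optional type number (7 for the reversible form, 0 or no number for cleartext); it also handles the IOS keyword secret, which this recipe does not show. The sample configuration is constructed for the example (it reuses the type 7 strings from the output shown in this recipe and deliberately mixes in two cleartext lines).

```python
"""Audit and redact password lines in a Cisco IOS configuration dump.

Added example, not code from the Cisco IOS Cookbook. It assumes the
"show running-config" text layout shown in this recipe: "password" lines
carry an optional numeric type, where 7 marks the reversible
service-password-encryption form and 0 (or no number) marks cleartext.
"""
import re

# Constructed sample config (not the book's), mirroring the layout in this
# recipe and reusing its type 7 strings. A cleartext username line and an
# unencrypted "line aux 0" password are mixed in so both cases are exercised.
SAMPLE_CONFIG = """\
version 12.2
service password-encryption
!
hostname Router1
enable password 7 06091D2445420500
username ijbrown password 7 045802150C2E
username kdooley password 0 plaintextpw
!
line con 0
 password 7 0605002E474C06160E
line aux 0
 password cookbook
line vty 0 4
 password 7 110A160A1C1004030F
"""

# "password <type> <value>" or "password <value>"; the required whitespace
# after the keyword keeps "service password-encryption" from matching.
PASSWORD_RE = re.compile(r"\b(password|secret)\s+(?:(\d+)\s+)?(\S+)")

# How IOS stores each type number, as far as this recipe goes.
STORAGE = {"0": "cleartext", "7": "Vigenere (reversible)"}
REDACTED = "<removed>"


def audit_config(text: str) -> dict:
    """Report whether encryption is enabled and classify every password line."""
    lines = text.splitlines()
    enabled = any(l.strip() == "service password-encryption" for l in lines)
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = PASSWORD_RE.search(line)
        if not m:
            continue
        keyword, ptype, value = m.groups()
        ptype = ptype or "0"  # no type number means IOS stored it in cleartext
        findings.append({
            "line": lineno,
            "keyword": keyword,
            "type": ptype,
            "storage": STORAGE.get(ptype, "other"),
            "length": len(value),  # length only; the value itself is never reported
        })
    return {"service_password_encryption": enabled, "findings": findings}


def cleartext_lines(text: str) -> list:
    """Line numbers whose password is readable to anyone holding the file."""
    report = audit_config(text)
    return [f["line"] for f in report["findings"] if f["type"] == "0"]


def redact_config(text: str) -> str:
    """Strip every password value (encrypted or not) before storing or forwarding."""
    def _sub(m):
        keyword, ptype, _value = m.groups()
        return f"{keyword} {ptype} {REDACTED}" if ptype else f"{keyword} {REDACTED}"
    return "\n".join(PASSWORD_RE.sub(_sub, line) for line in text.splitlines())


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    print("service password-encryption:", report["service_password_encryption"])
    for f in report["findings"]:
        print(f"line {f['line']:>3}: {f['keyword']} type {f['type']} ({f['storage']})")
    print("cleartext on lines:", cleartext_lines(SAMPLE_CONFIG))
    print("--- redacted copy ---")
    print(redact_config(SAMPLE_CONFIG))
```

Run it on a saved configuration instead of SAMPLE_CONFIG to get the audit and the redacted copy; the audit never echoes a password value, only its length, so the report itself is safe to file with a ticket. Note that a type 7 string is reported as reversible rather than as protected, which is the point of the discussion above.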

The following example shows what a configuration file looks like with password encryption enabled:

Router1#show running-config 
Building configuration...

Current configuration : 4385 bytes
! Last configuration change at 13:08:35 EDT Thu Jun 27 2002 by weak
! NVRAM config last updated at 13:01:45 EDT Thu Jun 27 2002 by kdooley
version 12.2
service password-encryption

hostname Router
enable password 7 06091D2445420500
username ijbrown password 7 045802150C2E
username kdooley password 7 070C285F4D06
line con 0
 password 7 0605002E474C06160E
line aux 0
 password 7 151104030F28242B23
line vty 0 4
 password 7 110A160A1C1004030F

You will notice that the router now encrypts all of the passwords and no longer displays them in a human-readable format.

See Also

Recipe 3.3; Recipe 3.4; Recipe 3.5


Cisco IOS Cookbook
ISBN: 0596527225
Year: 2004
Pages: 505
