Encrypting Passwords

Jul 21,2008 by admin


Problem

You want to encrypt passwords so that they do not appear in plain text in the router configuration file.

Solution

To enable password encryption on a router, use the service password-encryption configuration command:

    Router1#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router1(config)#enable password oreilly
    Router1(config)#line vty 0 4
    Router1(config-line)#password cookbook
    Router1(config-line)#line con 0
    Router1(config-line)#password cookbook
    Router1(config-line)#line aux 0
    Router1(config-line)#password cookbook
    Router1(config-line)#exit
    Router1(config)#service password-encryption
    Router1(config)#end
    Router1#

This command uses a weak, reversible encryption method to encipher VTY and enable passwords. Please see Recipe 3.5 for more details.

Discussion

By default, the router stores all passwords in clear text and presents them in a human-readable format when you look at the router's configuration. The service password-encryption command encrypts the passwords by using the Vigenere encryption algorithm. Unfortunately, the Vigenere encryption method is cryptographically weak and trivial to reverse, as we will illustrate in Recipe 3.5.

However, this functionality is still quite useful to prevent nosy neighbors from viewing passwords over your shoulder. As such, encrypting your passwords is still highly recommended in spite of the known weaknesses.

You should be aware of the inherent weaknesses of this encryption scheme when storing or forwarding router configuration files, though. Recipe 3.4 provides a small utility to strip your router configuration files of all passwords (encrypted or not) to keep stored and forwarded configuration files safe from prying eyes.

The following example shows what a configuration file looks like with password encryption enabled:

    Router1#show running-config
    Building configuration...

    Current configuration : 4385 bytes
    !
    ! Last configuration change at 13:08:35 EDT Thu Jun 27 2002 by weak
    ! NVRAM config last updated at 13:01:45 EDT Thu Jun 27 2002 by kdooley
    !
    version 12.2
    service password-encryption
    !
    hostname Router
    !
    enable password 7 06091D2445420500
    !
    username ijbrown password 7 045802150C2E
    username kdooley password 7 070C285F4D06
    !
    line con 0
     password 7 0605002E474C06160E
    line aux 0
     password 7 151104030F28242B23
    line vty 0 4
     password 7 110A160A1C1004030F
    !
    end

You will notice that the router now encrypts all of the passwords and no longer displays them in a human-readable format.

See Also
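
Relating to the Discussion's point about stored and forwarded configuration files, the following Python script is an added example, not code from the original recipe and not the utility from Recipe 3.4. It reports how each password in a saved configuration is stored (clear text or type 7) and returns a copy with the values removed; it covers only the three password command forms shown above, and the names audit, KINDS and the <removed> marker are assumptions.

```python
import re

# The three password command forms shown in this recipe, with an optional
# one-digit encoding type (7 = service password-encryption) before the value.
PASSWORD_RE = re.compile(
    r"^(?P<cmd>\s*(?:enable\s+password|username\s+\S+\s+password|password))"
    r"(?:\s+(?P<type>\d))?\s+(?P<value>\S.*?)\s*$")
KINDS = {None: "cleartext", "0": "cleartext", "7": "type 7 (reversible)"}

def audit(config_text):
    """Return (service_enabled, findings, redacted_text) for an IOS config."""
    service_enabled, findings, redacted, section = False, [], [], "global"
    for line in config_text.splitlines():
        if line.strip() == "service password-encryption":
            service_enabled = True
        m = PASSWORD_RE.match(line)
        if not m:
            if line.startswith("line "):
                section = line.strip()          # e.g. "line vty 0 4"
            elif line and not line[0].isspace():
                section = "global"              # any other top-level command
            redacted.append(line)
            continue
        cmd = m["cmd"].strip()
        where = section if cmd == "password" else cmd
        findings.append((where, KINDS.get(m["type"], "type " + str(m["type"]))))
        redacted.append(m["cmd"] + " <removed>")  # keep the command, drop the value
    return service_enabled, findings, "\n".join(redacted)

# Excerpt of the running-config shown in this recipe.
SAMPLE = """\
service password-encryption
!
enable password 7 06091D2445420500
username ijbrown password 7 045802150C2E
line con 0
 password 7 0605002E474C06160E
line vty 0 4
 password 7 110A160A1C1004030F
!
end
"""

if __name__ == "__main__":
    enabled, findings, clean = audit(SAMPLE)
    print("service password-encryption:", enabled, findings)
    print(clean)
```

A "cleartext" finding in a file where service password-encryption is absent means the file was saved before the command in the Solution was applied.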