Enable password or enable secret?

I've stumbled across a blog post that indicates there's still confusion on some fundamental configuration issues. I will not even try to guess whether there is a wide consensus on how to configure a router, but these are the facts (and here is a ten-year-old position from Cisco):

11 comments:

  1. And who the heck might Nick Walton be? ;)

    Oh well - to the source - http://tinyurl.com/m5oeu - had to use tinyurl because CCO is now using those horrible 200+ character URLs...

    A couple of comments:
    * most of the freely available Type-7 decryption programs fail with long passwords. I'll see if I can find an email address for you, Ivan, and send you one that actually works

    * you forgot to mention Type 6 encryption - aka "Encrypt Pre-shared Keys in IKE" - again, tinyurl to the rescue: http://tinyurl.com/3dj6az

    * and considering we're talking about passwords - how about mentioning also the "no service password-recovery" feature? - http://tinyurl.com/yptmfx

    I don't write about quantum physics because I know zilch about it. Nick should follow my example and not write about IOS and security ;)

  2. To send me an e-mail: go to my bio page and find the link Send a message to Ivan (at the bottom of the main text).

    Thanks for all the other comments. The type-6 encryption stuff is particularly interesting; too bad they are not using it for all password encryption (they could, as it's reversible). But then I guess some IOS development groups don't talk to each other.

    A post about "no service password-recovery" (and its interesting side-effects on some platforms) is in the queue.

    And, last but not least, don't be so hard on Nick :) It's always good to see the world from a different perspective (and this particular perspective shows that Cisco should be more aggressive in documenting their security recommendations).

  3. perl -e '@x=unpack("C*","dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87");$s=substr($ARGV[0],0,2,$s);foreach($ARGV[0]=~/../g){$p.=pack("C",hex^$x[$s++]);$s%=$#x}print "$p\n"'

    The problem with long passwords is that many programs have only half the length of the master key.

  4. For those of you who want/need a type 7 password decrypter that works for long passwords.

    http://users.jyu.fi/~mesrik/src/some-scripts/ios7decrypt.pl

  5. NSA agent, your script doesn't work for passwords with a large salt value.

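As an added example (not code from the post or from any of the commenters), here is a Python version of the type 7 decoder discussed in comments 3 to 5 that wraps its index around the whole 53-byte key, as the full-key implementations do, so passwords longer than the key survive; it is then used the way a defender would use it, as a config audit that reports every "password 7" line together with what should replace it. The sample config, its passwords and the placeholder type 5 hash are constructed here, not taken from any device.

```python
import re

# Cisco type 7 XOR key: the same 53-byte constant as in the Perl one-liner above.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def type7_decode(encoded: str) -> str:
    """Reverse type 7: two decimal seed digits, then hex bytes. The index wraps
    around the full 53-byte key, so passwords longer than the key decode too."""
    if not re.fullmatch(r"[0-9]{2}(?:[0-9A-Fa-f]{2})+", encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed, data = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode()

def type7_encode(plain: str, seed: int) -> str:
    """Forward direction, used here for round-trip checks (IOS picks its own seed)."""
    if not 0 <= seed < len(XLAT):
        raise ValueError("seed must be a valid index into the key")
    data = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(plain.encode()))
    return f"{seed:02d}{data.hex().upper()}"

def audit_config(config: str) -> list:
    """Report every 'password 7' credential in a config and what should replace it."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        m = re.search(r"\bpassword\s+7\s+([0-9A-Fa-f]+)\s*$", line)
        if not m:
            continue
        try:
            plain = type7_decode(m.group(1))
        except (ValueError, UnicodeDecodeError):
            plain = None  # malformed or non-text payload; still worth flagging
        if line.strip().startswith("enable"):
            advice = "use 'enable secret' (one-way type 5 hash) instead"
        else:
            advice = "type 7 is reversible obfuscation; use type 6 where supported and rotate this secret"
        findings.append({"line": n, "recovered": plain, "advice": advice})
    return findings

# Constructed sample config (not from any real device). The username password
# is longer than the 53-byte key, which is what trips the short-key decoders.
LONG_PASSWORD = "this-password-is-deliberately-longer-than-the-53-byte-key!"
SAMPLE_CONFIG = "\n".join([
    "service password-encryption",
    "enable password 7 094F471A1A0A",
    "enable secret 5 $1$PLACEHOLDER$notARealMd5CryptHash",
    f"username ops password 7 {type7_encode(LONG_PASSWORD, 15)}",
])
if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

The type 5 line is deliberately left alone by the audit: a one-way hash is exactly what the post recommends, while every type 7 string is recovered to show why "enable password" should not be trusted.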
  6. To be extremely picky, isn't it technically only "encryption" if the ciphertext is reversible?

    I've always thought that calling the one-way type-5 "encryption" instead of "hashing" was Cisco's way of trying to confuse beginners about cryptographic terminology. But perhaps I'm wrong...

  7. @js: I guess that with proper twisted logic you could prove that type-5 is still encryption, but you're mostly correct.

    They could have retained the "encryption" terminology when type-5 was introduced to avoid beginner's confusion :)

  8. I'd say that the real reason that Cisco still supports the type 7 'enable password', and hasn't converted everything over to type-6 or anything else is backwards compatibility. You can pretty much take a 10 year old config and dump it on a new device and it will still work. The best thing they could do is put out a notice that the older commands are now deprecated and you should use the new syntax.

  9. If you want to decrypt a type 7 password, watch this video: http://www.ciscoccnabootcamp.com/index.php/cisco-ccna-640-802-security/46-decrypt-the-enable-password

  10. 57783857
    what pass is that?
    i need it decrypted...

  11. Hi!

    It seems that on Nexus a different 'password 7' algorithm is used.
    A password of 'cisco123' encrypts on Nexus to 'fewhg123'.

    password required 7 fewhg123

    Does anyone have (Perl) code for decoding this?
    Ciao,
    Chris



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.