Enable password or enable secret?

Tuesday, November 20, 2007 07:10 +0100

Enable password or enable secret?

I've stumbled across a blog post that indicates there's still confusion on some fundamental configuration issues. I will not even try to guess whether there is a wide consensus on how to configure a router, but these are the facts (and here is a ten year old position from Cisco):

Type-7 encryption used in enable password has been broken. Source code for the decrypt program and cracker programs are available online, or you could use a router to do it for you.
The type-7 encryption is reversible (and easily breakable due to a weak algorithm), whereas type-5 encryption is a one-way encryption that probably requires a dictionary attack to break.
Based on the previous two facts, you should never use enable password. Use enable secret.
The service password-encryption encodes passwords attached to local usernames with type-7 encryption. The usage of type-7 encryption is necessary as you might need the cleartext passwords in some authentication mechanisms (for example, CHAP). However, it's still better to have scrambled passwords than cleartext ones; at least a casual observer will not be able to read them. Conclusion: use service password-encryption.
If your authentication methods don't need cleartext passwords (examples: local username/password authentication, local AAA authentication or PAP authentication), use username secret configuration command (available from IOS releases 12.2T, 12.3 and 12.0S).

11 comments:

Anonymous 20 November 2007 07:10

And who the heck might Nick Walton be ? ;)

Oh well - to the source - http://tinyurl.com/m5oeu - had to use tinyurl because CCO is now using those horrible 200+ chars URLs . . .

A couple comments:
* most of the freely available Type-7 decryption programs fail with long passwords. I'll see if I can find an email address for you, Ivan, and send you one that actually works

* you forgot to mention Type 6 encryption - aka "Encrypt Pre-shared Keys in IKE" - again, tinyurl to the rescue: http://tinyurl.com/3dj6az

* and considering we're talking about passwords - how about mentioning also the "no service password-recovery" feature? - http://tinyurl.com/yptmfx

I don't write about quantum physics because I know zilch about it. Nick should follow my example and not write about IOS and security ;)

Ivan Pepelnjak 20 November 2007 08:04

To send me an e-mail: go to my bio page and find the link Send a message to Ivan (at the bottom of the main text).

Thanks for all the other comments. The type-6 encryption stuff is particularly interesting; too bad they are not using it for all password encryption (they could, as it's reversible). But then I guess some IOS development groups don't talk to each other.

A post about "no service password-recovery" (and its interesting side-effects on some platforms) is in the queue.

And, last but not least, don't be so hard on Nick :) It's always good to see the world from a different perspective (and this particular perspective shows that Cisco should be more aggressive in documenting their security recommendations).

Anonymous 20 November 2007 14:12

perl -e '@x=unpack("C*","dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87");$s=substr($ARGV[0],0,2,$s);foreach($ARGV[0]=~/../g){$p.=pack("C",hex^$x[$s++]);$s%=$#x}print "$p\n"'

Problem with long passwords is because many programs has only half lenght of the master key.

Anonymous 20 November 2007 15:03

For those of you who want/need a type 7 password decrypter that works for long password.

http://users.jyu.fi/~mesrik/src/some-scripts/ios7decrypt.pl

Anonymous 20 November 2007 15:33

NSA agent, your script doesn't work for passwords with a large salt value.

Jay Swan 20 November 2007 18:03

To be extremely picky, isn't it technically only "encryption" if the ciphertext is reversible?

I've always thought that calling the one-way type-5 "encryption" instead of "hashing" was Cisco's way of trying to confuse beginners about cryptographic terminology. But perhaps I'm wrong...

Ivan Pepelnjak 20 November 2007 20:51

@js: I guess that with proper twisted logic you could prove that type-5 is still encryption, but you're mostly correct.

They could have retained the "encryption" terminology when type-5 was introduced to avoid beginner's confusion :)

Anonymous 20 November 2007 23:30

I'd say that the real reason that Cisco still supports the type 7 'enable password', and hasn't converted everything over to type-6 or anything else is backwards compatibility. You can pretty much take a 10 year old config and dump it on a new device and it will still work. The best thing they could do is put out a notice that the older commands are now deprecated and you should use the new syntax.

Guest 07 September 2009 10:38

If you who want to decrypt a type 7 password watch this video http://www.ciscoccnabootcamp.com/index.php/cisco-ccna-640-802-security/46-decrypt-the-enable-password

Zavic 12 December 2009 22:01

57783857
what pass is that?
i need it dycripted...

csiebert 11 February 2011 20:34

Hi!

It seems that on Nexus a different 'password 7' algorithm is used.
A password of 'cisco123' encrypts on Nexus to 'fewhg123'.

password required 7 fewhg123

Does anyone have (Perl) code for decoding this?
Ciao,
Chris

Recent posts in the same categories

security

configuration

11 comments: