
Enable password or enable secret?

I've stumbled across a blog post that indicates there's still confusion about some fundamental configuration issues. I will not even try to guess whether there is a wide consensus on how to configure a router, but these are the facts (and here is a ten-year-old position from Cisco):


  1. And who the heck might Nick Walton be? ;)

    Oh well - to the source - - had to use tinyurl because CCO is now using those horrible 200+ character URLs...

    A couple of comments:
    * most of the freely available Type-7 decryption programs fail with long passwords. I'll see if I can find an email address for you, Ivan, and send you one that actually works

    * you forgot to mention Type 6 encryption - aka "Encrypt Pre-shared Keys in IKE" - again, tinyurl to the rescue:

    * and considering we're talking about passwords - how about mentioning also the "no service password-recovery" feature? -

    I don't write about quantum physics because I know zilch about it. Nick should follow my example and not write about IOS and security ;)

  2. To send me an e-mail: go to my bio page and find the link Send a message to Ivan (at the bottom of the main text).

    Thanks for all the other comments. The type-6 encryption stuff is particularly interesting; too bad they are not using it for all password encryption (they could, as it's reversible). But then I guess some IOS development groups don't talk to each other.

    A post about "no service password-recovery" (and its interesting side-effects on some platforms) is in the queue.

    And, last but not least, don't be so hard on Nick :) It's always good to see the world from a different perspective (and this particular perspective shows that Cisco should be more aggressive in documenting their security recommendations).

  3. perl -e '@x=unpack("C*","dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87");$s=substr($ARGV[0],0,2,$s);foreach($ARGV[0]=~/../g){$p.=pack("C",hex^$x[$s++]);$s%=$#x}print "$p\n"'

    The problem with long passwords is that many programs have only half the length of the master key.

  4. For those of you who want/need a type 7 password decrypter that works for long passwords.

  5. NSA agent, your script doesn't work for passwords with a large salt value.
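The type 7 scheme that the Perl one-liner in comment 3 implements, together with the wrap-around failure that comment 5 reports, as an added example in Python. This is not code from the original post, from any commenter, or from Cisco; the 53-byte XOR key is the well-known constant that also appears verbatim in the one-liner above, while the function names, the `compare_decoders` helper and the sample passwords are this example's own choices. The correct decoder wraps the key index at 53 (the key length); the one-liner's `$s %= $#x` wraps at 52 (the last index), which is what breaks long passwords with a large offset.

```python
"""Cisco IOS 'password 7' (type 7) obfuscation, encoder and decoder.

Added example for this thread; it is not code from the original post, from
the commenters, or from Cisco. The 53-byte XOR key is the well-known constant
that also appears verbatim in the Perl one-liner above. Function names and
the sample passwords are this example's own choices.
"""
from typing import Optional
import random

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
KEY_LEN = len(TYPE7_KEY)  # 53 bytes; the index must wrap at 53, not 52


def type7_decode(encoded: str) -> str:
    """Turn '104D000A0618' back into 'cisco'.

    Wire format: two decimal digits giving the starting key offset, then one
    hex byte per cleartext character. Byte i is XORed with
    TYPE7_KEY[(offset + i) % 53].
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("expected two offset digits followed by hex pairs")
    offset = int(encoded[:2])
    if offset >= KEY_LEN:
        raise ValueError(f"offset {offset} lies outside the 53-byte key")
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ TYPE7_KEY[(offset + i) % KEY_LEN] for i, b in enumerate(body))
    return clear.decode("latin-1")


def type7_encode(clear: str, offset: Optional[int] = None) -> str:
    """Produce the string IOS would store.

    IOS itself chooses offsets in 0..15; accepting the full 0..52 range here
    lets the wrap-around at the end of the key be exercised deliberately.
    """
    if offset is None:
        offset = random.randrange(16)
    if not 0 <= offset < KEY_LEN:
        raise ValueError("offset must be within the key")
    data = clear.encode("latin-1")
    body = bytes(c ^ TYPE7_KEY[(offset + i) % KEY_LEN] for i, c in enumerate(data))
    return f"{offset:02d}{body.hex().upper()}"


def type7_decode_wrap52(encoded: str) -> str:
    """The same decoder with the bug the thread is arguing about.

    The Perl one-liner does `$s %= $#x`; `$#x` is the LAST INDEX (52), not
    the length (53). The index therefore goes 51 -> 0 instead of 51 -> 52,
    key byte 52 is never used, and everything from that point on is garbled.
    Short passwords never reach that byte, so the bug hides until the offset
    is large and the password is long. Kept here only to show the failure.
    """
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    out, idx = bytearray(), offset
    for b in body:
        out.append(b ^ TYPE7_KEY[idx])
        idx = (idx + 1) % (KEY_LEN - 1)   # the off-by-one: 52 instead of 53
    return out.decode("latin-1")


def compare_decoders(clear: str, offset: int) -> dict:
    """Encode with a chosen offset and decode with both implementations."""
    enc = type7_encode(clear, offset)
    return {
        "encoded": enc,
        "correct": type7_decode(enc),
        "wrap52": type7_decode_wrap52(enc),
        "wrap52_ok": type7_decode_wrap52(enc) == clear,
    }


if __name__ == "__main__":
    # Constructed inputs: the classic short vector and a password long enough
    # to run past key byte 52 when the offset is 15.
    print(type7_decode("104D000A0618"))  # cisco
    short = compare_decoders("cisco", 15)
    long_ = compare_decoders("a password long enough to run past key byte 52", 15)
    print("short password, both decoders agree:", short["wrap52_ok"])  # True
    print("long password, wrap-at-52 decoder fails:", not long_["wrap52_ok"])  # True
    print("garbled output from the buggy decoder:", long_["wrap52"])
```

Any decoder that gets the 53-byte key and the modulus right handles any length; the "half the key" and "large salt" problems in the thread are both symptoms of a wrong wrap point, not of a different algorithm. None of this makes type 7 any stronger: it is a fixed-key XOR, so anyone who can read the configuration can recover the cleartext, which is the whole argument for `enable secret`.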

  6. To be extremely picky, isn't it technically only "encryption" if the ciphertext is reversible?

    I've always thought that calling the one-way type-5 "encryption" instead of "hashing" was Cisco's way of trying to confuse beginners about cryptographic terminology. But perhaps I'm wrong...

  7. @js: I guess that with proper twisted logic you could prove that type-5 is still encryption, but you're mostly correct.

    They could have retained the "encryption" terminology when type-5 was introduced to avoid beginner's confusion :)

  8. I'd say that the real reason that Cisco still supports the type 7 'enable password', and hasn't converted everything over to type-6 or anything else is backwards compatibility. You can pretty much take a 10 year old config and dump it on a new device and it will still work. The best thing they could do is put out a notice that the older commands are now deprecated and you should use the new syntax.

  9. If you want to decrypt a type 7 password, watch this video

  10. 57783857
    What password is that?
    I need it decrypted...

  11. Hi!

    It seems that on Nexus a different 'password 7' algorithm is used.
    A password of 'cisco123' encrypts on Nexus to 'fewhg123'.

    password required 7 fewhg123

    Does anyone have (Perl) code for decoding this?