Enable password or enable secret?
I've stumbled across a blog post that indicates there's still confusion on some fundamental configuration issues. I will not even try to guess whether there is a wide consensus on how to configure a router, but these are the facts (and here is a ten-year-old position from Cisco):
- Type-7 encryption, used by enable password, has been broken. Source code for the decryption program and cracker programs are available online, or you can let a router do it for you (enter the type-7 string as a key-string in a key chain and show key chain prints it in cleartext).
- Type-7 encryption is reversible, and trivially so, because the algorithm is a fixed-key XOR with a key that is public knowledge. Type-5, on the other hand, is a one-way salted MD5 hash; recovering the password from it means a dictionary or brute-force attack against the hash.
- Based on the previous two facts, you should never use enable password. Use enable secret.
- The service password-encryption command rewrites the cleartext passwords in the configuration (username passwords, line passwords, enable password and similar) in type-7 encryption. Type-7 has to be reversible because some authentication mechanisms (for example, CHAP) need the cleartext password on the router. It's still better to have scrambled passwords than cleartext ones: a casual observer looking over your shoulder will not be able to read them. Anyone who gets a copy of the configuration, however, can recover them in seconds, so treat it as obfuscation, not protection. Conclusion: use service password-encryption, but don't rely on it.
- If your authentication methods don't need cleartext passwords (examples: local username/password authentication, local AAA authentication or PAP authentication), use the username secret configuration command (available from IOS releases 12.2T, 12.3 and 12.0S), which stores a type-5 hash instead.
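As an added worked example (my code, not part of the original post and not Cisco's), here is the type-7 algorithm in Python together with a small audit that walks a configuration and flags exactly the lines the bullets above warn against: cleartext passwords, type-7 passwords (with the recovered plaintext) and type-5 secrets (reported as hashed, nothing recovered). The key string is the constant IOS uses for type 7; the sample configuration and its $1$ hash values are constructed for the demonstration and do not come from a real device.

```python
import re
from typing import List, Tuple

# Constant 53-byte key used by IOS type-7 obfuscation. Decoders that carry
# only the first half of this key fail once the key index wraps, which is
# why some of them break on long passwords.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type-7 string: '094F471A1A0A' -> 'cisco'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("expected two seed digits followed by hex byte pairs")
    seed = int(encoded[:2])            # IOS emits 00..15; accept any two digits
    body = bytes.fromhex(encoded[2:])
    # Each stored byte is plaintext XOR key[(seed + position) mod 53].
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(password: str, seed: int = 0) -> str:
    """Produce what IOS stores for 'password 7', given a seed in 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS seeds are 00..15")
    data = password.encode("ascii")
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Credential lines to audit: enable password/secret, username ... password/secret
# and bare line passwords (console/vty). The optional digit is the IOS type.
_CRED = re.compile(
    r"^\s*(?P<cmd>enable (?:password|secret)|username \S+ (?:password|secret)|password)"
    r"\s+(?:(?P<typ>[057])\s+)?(?P<value>\S+)\s*$"
)


def audit_config(config: str) -> List[Tuple[str, str, str]]:
    """Return (line, verdict, recovered) for every credential line.

    verdict is 'cleartext', 'type7' (recovered holds the plaintext) or
    'type5' (one-way salted MD5, recovered is empty)."""
    findings = []
    for raw in config.splitlines():
        m = _CRED.match(raw)
        if not m:
            continue
        cmd, typ, value = m.group("cmd"), m.group("typ"), m.group("value")
        if typ == "7":
            findings.append((raw.strip(), "type7", type7_decode(value)))
        elif typ == "5" or cmd.endswith("secret"):
            findings.append((raw.strip(), "type5", ""))
        else:
            findings.append((raw.strip(), "cleartext", value))
    return findings


# Constructed sample configuration (not from a real device). The $1$ hashes
# are placeholders; both type-7 strings encode "cisco".
SAMPLE_CONFIG = """\
service password-encryption
!
enable password 7 094F471A1A0A
enable secret 5 $1$salt$placeholderhashvalue0000
!
username admin password 7 0822455D0A16
username ops secret 5 $1$salt$anotherplaceholderhash00
!
line vty 0 4
 password cisco
 login
"""

if __name__ == "__main__":
    for line, verdict, recovered in audit_config(SAMPLE_CONFIG):
        shown = f" -> {recovered!r}" if recovered else ""
        print(f"{verdict:9s} {line}{shown}")
```

Run against the sample it reports the two type-7 lines with "cisco" recovered, the vty line as cleartext and the two secret lines as hashed. The wrap at 53 bytes is the whole difference between a decoder that handles long passwords and one that doesn't; the type-5 lines are deliberately only classified, since the only way past a salted MD5 hash is guessing.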
10 comments:
And who the heck might Nick Walton be ? ;)
Oh well - to the source - http://tinyurl.com/m5oeu - had to use tinyurl because CCO is now using those horrible 200+ character URLs . . .
A couple comments:
* most of the freely available Type-7 decryption programs fail with long passwords. I'll see if I can find an email address for you, Ivan, and send you one that actually works
* you forgot to mention Type 6 encryption - aka "Encrypt Pre-shared Keys in IKE" - again, tinyurl to the rescue: http://tinyurl.com/3dj6az
* and considering we're talking about passwords - how about mentioning also the "no service password-recovery" feature? - http://tinyurl.com/yptmfx
I don't write about quantum physics because I know zilch about it. Nick should follow my example and not write about IOS and security ;)
To send me an e-mail: go to my bio page and find the link Send a message to Ivan (at the bottom of the main text).
Thanks for all the other comments. The type-6 encryption stuff is particularly interesting; too bad they are not using it for all password encryption (they could, as it's reversible). But then I guess some IOS development groups don't talk to each other.
A post about "no service password-recovery" (and its interesting side-effects on some platforms) is in the queue.
And, last but not least, don't be so hard on Nick :) It's always good to see the world from a different perspective (and this particular perspective shows that Cisco should be more aggressive in documenting their security recommendations).
perl -e '@x=unpack("C*","dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87");$s=substr($ARGV[0],0,2,$s);foreach($ARGV[0]=~/../g){$p.=pack("C",hex^$x[$s++]);$s%=$#x}print "$p\n"'
The problem with long passwords is that many programs only have half the length of the master key.
For those of you who want/need a type-7 password decrypter that works for long passwords:
http://users.jyu.fi/~mesrik/src/some-scripts/ios7decrypt.pl
NSA agent, your script doesn't work for passwords with a large salt value.
To be extremely picky, isn't it technically only "encryption" if the ciphertext is reversible?
I've always thought that calling the one-way type-5 "encryption" instead of "hashing" was Cisco's way of trying to confuse beginners about cryptographic terminology. But perhaps I'm wrong...
@js: I guess that with proper twisted logic you could prove that type-5 is still encryption, but you're mostly correct.
They could have retained the "encryption" terminology when type-5 was introduced to avoid beginner's confusion :)
I'd say that the real reason that Cisco still supports the type 7 'enable password', and hasn't converted everything over to type-6 or anything else is backwards compatibility. You can pretty much take a 10 year old config and dump it on a new device and it will still work. The best thing they could do is put out a notice that the older commands are now deprecated and you should use the new syntax.
If you want to decrypt a type-7 password, watch this video: http://www.ciscoccnabootcamp.com/index.php/cisco-ccna-640-802-security/46-decrypt-the-enable-password
57783857
What password is that?
I need it decrypted...