Encrypting Passwords

Problem

You want to encrypt passwords so that they do not appear in plain text in the router configuration file.

Solution

To enable password encryption on a router, use the service password-encryption configuration command:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#enable password oreilly
Router1(config)#line vty 0 4
Router1(config-line)#password cookbook
Router1(config-line)#line con 0
Router1(config-line)#password cookbook
Router1(config-line)#line aux 0
Router1(config-line)#password cookbook
Router1(config-line)#exit
Router1(config)#service password-encryption
Router1(config)#end
Router1#

Tip

This command uses a weak, reversible encryption method to encipher VTY and enable passwords. Please see Recipe 3.5 for more details.

Discussion

By default, the router stores all passwords in clear text and presents them in a human-readable format when you look at the router’s configuration. The service password-encryption command encrypts the passwords by using the Vigenere encryption algorithm. Unfortunately, the Vigenere encryption method is cryptographically weak and trivial to reverse, as we will illustrate in Recipe 3.5.

However, this functionality is still quite useful to prevent nosy neighbors from viewing passwords over your shoulder. As such, encrypting your passwords is still highly recommended in spite of the known weaknesses. You should be aware of the inherent weaknesses of this encryption scheme when ...

Get Cisco IOS Cookbook, 2nd Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.