Passwords with Cisco Router configurations can be stored in a number of different forms. Each with a varied degree of security. Cisco Type 7 based secrets are a very poor and legacy way of storing the password. Anyone with access to the systems running configuration will be able to easily decode the Cisco Type 7 value. This is demonstrated in the form below. A type 7 password is not actually encrypted at all it is simply encoded. The fact that it is encoded means it can be decoded very easily.
The form below uses a simple Python Script to decode the entered value.
Enter a Cisco type 7 secret below to have it decoded immediately. Decoding is virtually instantaneous.
More about Cisco Passwords and Secrets
Over time Cisco has improved the security of its password storage within the standard Cisco Configuration. From
type 0 which is password in plain text up to the latest
type 8 and
type 9 Cisco password storage types.
In this example we can see a
type 0 password configuration. There is no obsfucation or hashing of the password. It simply sits in the configuration in plain text.
enable password mypassword
When looking at a Cisco Configuration file you can easily spot the type of security used with the password by looking for the enable line. Here is an example of a password of type 7:
enable password 7 094F4F1D1A0DDD
You can see that while the password is obfuscated getting the password for this device would not be difficult at all. You could use the form above to quickly decode the type 7 password.
A very common example, that provided significantly more security than the Cisco Type 7 encoding is to use MD5 with a Salt. In the configuration file this would be shown as:
enable secret 5 $1$B8pH$PmmcMRoqfeEtQ7WxL865a0
Additional types of encryption were used, including
type 4 that was found to have a number of flaws. Even though it was encrypted using SHA256 there was no salt used leaving it vulnerable to brute force attacks.
Newer versions of IOS have both
type 8 and
type 9 these are significantly harder to brute force and should be used if you can to keep your systems secure.
As with all password security using a long and complicated string of characters will always make things harder for the attacker (except of course if you are using type 0 or type 7 on a Cisco Device). Both Hashcat and John the Ripper are able to brute force common Cisco password types.