Service Password-Encryption Command on CISCO Router/Switch


The service password-encryption command encrypts all passwords on your router so they cannot be easily read from your running-config.
It uses very weak encryption because the router has to be able to decode the passwords very quickly for its operation.
It is meant to prevent someone from looking over your shoulder and seeing the password, that is all.


R2(config)#service password-encryption


In the example below, we set a password for telnet and then encrypt it.

R2(config)#line vty 0 4
R2(config-line)#password cisco

R2(config-line)#do sh run | sec vty
line vty 0 4
password cisco
transport input telnet ssh

Now we will encrypt the password with service password-encryption:

R2(config)#service password-encryption
R2(config)#do sh run | sec vty
line vty 0 4
password 7 060506324F41
transport input telnet ssh

To illustrate how easy it is to decode the password, we will make a key chain, as you would to authenticate RIP, and paste the encrypted string into it as the key-string:

R2(config)#key chain CRACK_ENCRYPTION
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string 7 060506324F41

R2#show key chain
key 1 -- text "cisco"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
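
Because type 7 strings are reversible, a saved config should be audited for them and for cleartext passwords. The script below is an added example, not part of the original page or any Cisco tool: it scans a config and reports each such credential with its section. The audit function, the sample config and the "line con 0" entry are constructed for illustration.

```python
import re

# "password cisco", "password 7 0605...", "key-string 7 0605..." (type digit optional)
CRED_RE = re.compile(r"\b(password|key-string)\s+(?:(\d)\s+)?(\S+)\s*$")
# Type 7 layout: two decimal digits, then the password bytes as hex pairs
TYPE7_RE = re.compile(r"\d{2}(?:[0-9A-Fa-f]{2})+")

def audit(config_text):
    """Return findings for cleartext and type 7 credentials in an IOS config."""
    findings = []
    section = "global"
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():
            section = line.strip()      # an unindented line opens a new section
        m = CRED_RE.search(line)
        if not m:
            continue
        keyword, ptype, value = m.groups()
        if ptype in (None, "0"):
            findings.append((lineno, section, keyword, "cleartext", len(value)))
        elif ptype == "7":
            # Each hex pair encodes one password character, so the string
            # reveals the password length even before anyone decodes it.
            ok = TYPE7_RE.fullmatch(value)
            length = (len(value) - 2) // 2 if ok else None
            findings.append((lineno, section, keyword, "type7-reversible", length))
        # other type digits (hashed secrets) are not flagged here
    return findings

# Constructed sample config reusing the values shown on this page
SAMPLE = """\
no service password-encryption
!
key chain CRACK_ENCRYPTION
 key 1
  key-string 7 060506324F41
!
line con 0
 password cisco
line vty 0 4
 password 7 060506324F41
 transport input telnet ssh
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("line %d [%s] %s: %s (password length %s)" % f)
```

Every finding is a credential that anyone with read access to the config can recover, so treat config backups and pasted "show run" output as sensitive.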