[2287] in bugtraq


cisco enable passwords (was: Re: livingston.. )

daemon@ATHENA.MIT.EDU (David Carrel)
Fri Sep 29 21:46:15 1995

Date:         Fri, 29 Sep 1995 14:52:07 -0700
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: David Carrel <carrel@cisco.com>
X-To:         Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To:  Your message of "Fri, 29 Sep 1995 19:22:40 +1000."
              <199509290922.TAA01577@suburbia.net>

> > Am I looking at an out of date or fukt configuration, or are ROOT PASSWORDS
> > really stored in the CLEAR in configuration files?!
> >
> > C'mon, guys, cisco fixed that one at least five years ago.
>
> They did except you can decrypt the passwords in about 1/1000th of a second ;

The original cisco password "encryption" should never have been given that
name.  It is not encryption and engineering never intended it to serve that
purpose.  Its purpose was merely to stop casual observers from grabbing
passwords by looking over your shoulders.  It's arguable if that ever
should have been done, but that is what was done.  The problem is that many
passwords on a cisco router need to be reversible in order to support
protocols like ARAP and PPP's CHAP.  Reversible encryption is a difficult
problem when you have no secure storage.

Current cisco products support a true one-way encryption scheme for enable
passwords (our equivalent of a ROOT password).  It is quite robust.  Look
for "enable secret" in your cisco config.

Dave
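
An added example, not part of the original message and not Cisco code: a small Python audit that classifies the credential lines of a router configuration as cleartext, reversible, or one-way ("enable secret"). The `password`/`secret` keywords and the type digits 0, 5 and 7 are assumed from IOS configuration syntax rather than taken from the message; the sample configuration and every stored value in it are constructed placeholders.

```python
import re

# Constructed sample configuration; the stored values are placeholders.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$CONSTRUCTED$placeholderhashvalue
enable password 7 00CONSTRUCTED00
username remote1 password 7 00CONSTRUCTED00
line vty 0 4
 password labpass
"""

# [enable | username NAME] password|secret [TYPE] VALUE
LINE_RE = re.compile(
    r"^\s*(?:(enable)\s+|username\s+(\S+)\s+)?(password|secret)\s+(?:(\d)\s+)?\S+\s*$"
)

def classify(keyword, type_digit):
    """Map a keyword/type pair to how the credential is stored."""
    if keyword == "secret" and type_digit == "5":
        return "one-way"
    if keyword == "password" and type_digit == "7":
        return "reversible"
    if type_digit in (None, "0"):
        return "cleartext"
    return "unknown"

def audit(config_text):
    """Return (line_no, scope, storage) for every credential line."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        enable, user, keyword, type_digit = m.groups()
        scope = "enable" if enable else f"user:{user}" if user else "line"
        findings.append((line_no, scope, classify(keyword, type_digit)))
    return findings

def enable_is_recoverable(findings):
    """True if any enable credential is stored in a recoverable form,
    even when a one-way 'enable secret' is also configured."""
    return any(scope == "enable" and storage != "one-way"
               for _, scope, storage in findings)

if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for finding in results:
        print(finding)
    print("enable recoverable:", enable_is_recoverable(results))
```

Reversible entries on `username` lines may be unavoidable where CHAP or ARAP needs the original password, as the message explains; the enable credential has no such constraint.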
