Almost all passwords and other authentication strings in Cisco IOS configuration files are encrypted using the weak, reversible scheme used for user passwords. Cisco devices can use a proprietary encryption algorithm to encrypt the password for enable mode and vty lines. This kind of encryption is used when "service password-encryption" has been enabled on the device, and it produces Type 7 passwords. The Cisco enable password (not enable secret), user passwords and most other passwords in Cisco IOS configuration files, such as the VTY, console and AUX passwords, are encrypted using a scheme that is very weak by modern cryptographic standards. Type 7 passwords are not secure and can easily be decrypted. A Cisco Type 7 password can be identified in the configuration file by a '7' in the second-to-last field. A Cisco Type 7 password is encrypted using Cisco's weak proprietary algorithm.
Secure Bytes has recently released a new program to decrypt user passwords (and other passwords) in Cisco configuration files. The Cisco Type 7 Password Decryption tool embedded in Secure Auditor decrypts Cisco Type 7 passwords with a single click. Secure Cisco Type 7 Password Decrypter is a Windows-based program that allows the user to enter a Cisco Type 7 encrypted password and immediately returns the clear-text password. The user simply needs to cut and paste the encrypted password into the dialog box; the decoder will do the rest. Once the user enters the encrypted password and presses 'Decrypt', the Cisco Type 7 Password Decryption tool automatically shows the decrypted password.
The program will not decrypt passwords set with the "enable secret" command. The Cisco Type 7 Password Decryption tool is a proof-of-concept network security tool showing that users should avoid Type 7 passwords and use the more effective Type 5 passwords (enable secret) on Cisco routers, although enable secret passwords are not trivial to decrypt with the help of Cisco MD5 Password Auditor. Cisco customers have led us to suspect that many customers are relying on Cisco password encryption for more security than it was designed to provide. Because the password encryption algorithm is weak, it has always been Cisco's position that customers should treat any configuration file containing passwords as sensitive information, the same way they would treat a cleartext list of passwords.
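An added example, not part of Secure Auditor or any Cisco tooling: a small configuration audit that applies the marker described above (a '7' in the second-to-last field) to flag every Type 7 entry, including `enable password` lines that should move to `enable secret`. The sample configuration, the `audit_config` name and the hex-digit check on the last field are assumptions made for the example.

```python
import re

# Assumption: Type 7 ciphertext appears as a run of hex digits in the last field.
HEX_BLOB = re.compile(r"^[0-9A-Fa-f]{4,}$")

# Constructed sample configuration; every hash and ciphertext is a placeholder.
SAMPLE_CONFIG = """\
service password-encryption
hostname lab-router
enable secret 5 $1$EXAMPLE$placeholderhashvalue000
enable password 7 0812345678ABCDEF
username admin password 7 02112233445566
username ops secret 5 $1$EXAMPLE$placeholderhashvalue111
line con 0
 password 7 051B2C3D4E5F
line vty 0 4
 password 7 091E2D3C4B5A
 login
"""

def audit_config(text):
    """Return (line_no, section, redacted_statement, advice) per Type 7 entry."""
    findings = []
    section = "global"
    for number, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or IOS comment
        indented = raw[0].isspace()
        if not indented:
            section = raw.strip()  # remember the block that sub-commands belong to
        fields = raw.split()
        # The page's marker: a '7' in the second-to-last field.
        if len(fields) >= 3 and fields[-2] == "7" and HEX_BLOB.match(fields[-1]):
            # Never echo the ciphertext: it is as sensitive as the cleartext.
            statement = " ".join(fields[:-1]) + " <redacted>"
            if fields[:2] == ["enable", "password"]:
                advice = "use 'enable secret' instead of 'enable password'"
            else:
                advice = "reversible Type 7 value; handle this file as cleartext"
            findings.append((number, section if indented else "global", statement, advice))
    return findings

if __name__ == "__main__":
    for number, section, statement, advice in audit_config(SAMPLE_CONFIG):
        print(f"line {number} [{section}]: {statement} -> {advice}")
```

The report redacts the last field on purpose, so the audit output can be shared more widely than the configuration file itself.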