What's the purpose of service password encryption in CISCO?
In Cisco IOS there's the service password-encryption command to encrypt all passwords in the config file to prevent unauthorised individuals from viewing them. quoting from http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html
Caution The service password-encryption command does not provide a high level of network security. If you use this command, you should also take additional network security measures
then it's written:
Although you cannot recover a lost encrypted password(that is, you cannot get the original password back)
(that is, you cannot get the original password back) So what do they mean exactly? It does not protect very much because of weak encryption used or because it only protects users from viewing the password in the config file? I'm confused because in the Networking Academy material they say The service password-encryption command applies weak encryption to all unencrypted passwords.
So is it weak because it's easy to crack?
It is weak/not secure because it is easy to crack. The original implementation of service password encryption was to prevent the "over-the-shoulder" attack and for random people who might have had access to the config file but don't actually know what they are doing. Any attacker who knows what they are doing isn't going to be stopped by the password encryption service, that is why Cisco says to take additional network security measures to prevent the attacker from getting to that point to begin with. Example: You can set up users on the Cisco device and specify which commands that user can actually execute which is better then having one "admin" user who can access everything. This can be accomplished using an AAA server and Tacacs+. Also MD5, while stronger, is considered weak as there are online tools that have databases with billions and billions of already hashed passwords. Length is your friend when creating a password. Example: an 8 character password, no matter how many fancy symbols and characters you use, can be cracked within minutes.