The Firewall.cx Cisco Password Decoder Tool (see below) provides readers with the ability to decrypt 'Type 7' cisco passwords.
For security reasons, we do not keep any history of decoded passwords.
Ensure you only enter the encrypted password. For example, for the code below, you would paste the yellow highlighted portion. Do not include anything before the encrypted password.
username fcx password 7 0709285E4B1E18091B5C0814
When ready, click on the Submit button. The system will then process and reveal the text-based password. Ensure there are no space characters in front of your encrypted password.
More Information On Cisco Passwords and Which can be Decoded
Back in late 1995, a non-Cisco source had released a program that was able to decrypt user passwords (and other type of passwords) in Cisco configuration files.
This new program was a major headache for Cisco since most users were relying on Cisco's equipment for their repulation of strong encryption and security capabilities. What users were not aware was that there are two different type of encryption mechanisms used by Cisco's IOS, one which was reversable (Type 7 Passwords) and one which is not (Type 5).
Even until today, administrators and users still make use of the weaker Type 7 passwords, mainly because they aren't aware that these passwords can be decrypted.
Knowing what Can and Cannot be Decrypted
It is important to understand that only the following type of passwords are able to be decrypted. Thefollowing examples show which common areas Type 7 passwords are used in Cisco equipment:
Used to create users with different privilege levels on Cisco devices.
# username chris privilege 15 password 7 02000D490E110E2D40000A01
Used to gain elevated access on the Cisco device.
# enable password 7 01150F165E1C07032D
Access Point SSID Keys
Used to configure the SSID key on a Cisco wireless access point:
dot11 ssid private
authentication key-management wpa
wpa-psk ascii 7 01150F165E1C07032D
If wpa-psk ascii 0 is used then the ascii text that follows is clear text and its not encrypted.
Encryption Methods That Cannot be Decrypted
As opposed to Type 7 Passwords which can easily be decrypted, Secret 5 passwords cannot be decrypted as the password has ben hashed with MD5. This is also the recommened way of creating and storing passwords on your Cisco devices.
Following are a number of examples where Secret 5 passwords can and should be used:
# username chris privilege 15 secret 5 $1$KNaN$SCe/xMbtBEe6ch5d2bq5J.
# enable secret 5 $1$2UjJ$cDZ05dfEGA7mHfE4RSbWiQ.
Unfortunately Access Point SSID Keys do not support Type 5 passwords. This means that any passwords configured into the access point should be stored in a safe place.
We trust the information was valuable and hope users will stop using Type 7 Passwords in mission critical equipment.