Password showing in running configuration on 3750's and 3560's

NJackson3
Level 1

Hi All,

Forgive the stupid question here, but I was just backing up the running configuration on the switches at work before we have a big powerdown at the weekend, and I noticed that the passwords to access the switches are showing in readable text in the running configuration. Under line vty 0.4 and line vty 5.15 there is an entry for the password.

I have never seen this before in Cisco switch running configurations, so I was just wondering if it was normal? I'm new to the company, so before I go rock the boat I thought I would ask if it is just a normal occurrence, as I've never seen it before on other 29 series switches that I have worked with.

If it isn't normal, should I just remove it from the configuration files and then write mem to write a new config file minus the passwords? Just seems a bit risky to have passwords showing in plain sight, especially if somebody ever saw the configuration file?

Any advice on the above would be greatly appreciated.

Thanks.

Richard Burts
Hall of Fame

There is an option for service password-encryption which is not enabled by default. Most of us enable it as one of the first things we do in configuring IOS devices. Sounds like the switches you have seen before have the service enabled and this switch does not. I suggest that you enable the service on this switch. I urge you to be very VERY careful about just removing the passwords.

HTH

Rick

Hi Rick,

Thanks for the advice. I will enable that service on our switches then for added security. Thank you very much for responding. I didn't want to remove the passwords, so I will heed your advice there.

Cheers,

Nick

glen.grant
VIP Alumni

No, do not remove the passwords. As Rick said, it's missing the "service password-encryption" command. Just add it and the passwords will be non-readable unless you have one of the hundreds of available Cisco password crackers!!

Parvesh Paliwal
Level 3

This is what is called device hardening. While configuring an initial requirement, it is recommended to go through the basic hardening. You can encrypt the passwords using the command - service password-encryption.

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html

--

Parvesh

Thanks. When I try entering the command service password-encryption I get invalid marker detected at the third character in the word service. Is there a condensed form of this command so that I can turn this service on, please?

I am trying to enable the service password-encryption from the elevated access mode on the switch or do I need to be in just the normal mode? I thought that in order to make any configuration changes and be able to write those changes to memory you had to be in the elevated access mode?

The syntax/command is:

Router(config)# service password-encryption

Feel free to revert for further support.
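
Added example, not written by any poster in this thread: a small Python check that can be run over a saved running configuration to find the condition discussed above, namely `password` lines stored in readable form and `service password-encryption` not enabled. It also flags type 7 entries, since those are only obfuscated and are recoverable, as noted in the thread. The sample configuration, hostname, and every password value in it are constructed.

```python
import re

# Constructed sample (not from the thread): line passwords left readable
# because "service password-encryption" is off.
SAMPLE_CONFIG = """\
hostname SW-EXAMPLE
no service password-encryption
enable secret 5 $1$EXAMPLE$constructedhashvalue000
username admin password 7 0000000000
line con 0
 password 7 0000000000
line vty 0 4
 password ExamplePass1
 login
line vty 5 15
 password 0 ExamplePass2
 login
"""

# "password", an optional type digit, then the stored value.
PASSWORD_RE = re.compile(
    r"^(?:enable |username \S+ (?:privilege \d+ )?)?password(?: (\d))? (\S+)$")

def audit(config_text):
    """Return (line_number, section, finding) tuples; values are never echoed."""
    findings, section, encryption_on = [], "global", False
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            # A top-level command opens a new section; redact any secret in it.
            section = re.sub(r"\bpassword .*", "password <redacted>", line)
        if line == "service password-encryption":
            encryption_on = True
        match = PASSWORD_RE.match(line)
        if match is None:
            continue
        if match.group(1) in (None, "0"):
            findings.append((number, section, "cleartext"))
        elif match.group(1) == "7":
            findings.append((number, section, "type7-reversible"))
    if not encryption_on:
        findings.insert(0, (0, "global", "encryption-off"))
    return findings

if __name__ == "__main__":
    for number, section, finding in audit(SAMPLE_CONFIG):
        print(f"line {number:>3}  {section:<40} {finding}")
```

The findings report only the line number and section, so the audit output can be shared without exposing the passwords themselves.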
