Recovering / Decoding Users Passwords In ACS

djcroark
Level 1

We currently have a number of users who forget their passwords, change them, and then seem to forget them again within 2-3 days. We are looking for a way of decrypting these users' passwords from the Cisco User DB in ACS 2.6.4.

When I do a dump I get the password field in the following format

0x0020 85 55 cb ea fe 5f d2 a6 19 58 93 e2 fd ed 99 86 6d 30 22 64 73 50 6c 8f c1 db 62 ed 97 4f 31 8f

Can someone tell me what this is / means, and how to decrypt it!

Could anyone give me some ideas on how this might be achieved, preferably not via a brute force attack.

3 Replies

kgraham
Level 1

Personally I would hope that the passwords would be very difficult, if not impossible, to decode. If word went out that the database was compromisable, hackers everywhere would think of methods to find these boxes and have their jollies. Mind you, I may be a bit paranoid.

As for the users that keep forgetting their passwords: make them wait a day for the password the second time around, and increase that length by a day each time they call you. Eventually they will learn that remembering is a good thing. Do they forget their phone number, bank PIN, and Windows login? Probably the latter but not the first two. Users need to take responsibility for their passwords, and if forgetting it every few days is their norm then they need to rethink their priorities.

As an alternative, you could think of giving them a one-time password fob (SecurID). That way they could use their bank PIN as the 4 digits and then use the generated password as the remainder. This way they could forget it all they want; it changes every minute. *grins*

Kim

Kim, although I agree with you, this does not help me to solve this problem in a simple way for both myself and the users... What I really need is a way to be able to recover the passwords... Otherwise I fear we may have to change to another RADIUS server to be able to accomplish this task!

Cisco does not provide a way for customers to decrypt this password; as the previous poster said, this would be a huge security risk.

Why don't you just check the "Apply password change rule" in the group settings on ACS? Then, when a user forgets their password, go in and change their password to something simple and let them know what it is. The next time they log in they'll be forced to change their password to something else.

This is a lot easier than having to dump the database each time and decrypt their password (which you can't do anyway).