Cisco devices store passwords in encrypted form when “service password-encryption” is turned on. You should enable this on your network equipment.
You want to give impostors a hard time, so this is the behavior you want.
Last week I found out an astonishing thing…
I configured a VPN on a Cisco ASA55x0 and misplaced the password.
I had two options:
- give the VPN a new pre-shared key,
- start a little search to find a loophole. I decided on the latter.
“show run” or “show start” gives me, albeit in a decent way, the “finger”. The output is “pre-shared key *”, just an asterisk, nothing more, nothing less. It gave me a gut feeling that the pre-shared key is parsed somewhere and replaced by “*”. I know there is another way to read the config file.
This did the trick. The proper pre-shared key was found after a little tinkering with pipe subcommands.
In hindsight: “show” parses the config file and replaces the password information, whereas “more” does not parse the config file; it shows the raw content.
I do not know which software versions are affected, but I do know that you must keep access to the nodes restricted to the people and systems that must have access. In other words: keep your config files and access to the config files safe.
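As an added example (not from the original post), here is a small audit that flags cleartext pre-shared keys in a saved config dump and masks them the way “show” does, so a backup taken through the unparsed path is stored masked. The ASA tunnel-group and IOS “crypto isakmp key” line syntaxes it matches are assumptions, and the config fragments are constructed.

```python
import re

# Constructed sample: one tunnel-group section as the parsing "show" path
# displays it (key replaced by "*"), and the same section as an unparsed read
# of the config shows it. Addresses and key are made up.
MASKED = """\
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *
"""
UNMASKED = """\
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key S3cretPSK
"""

# Assumed line syntaxes carrying a pre-shared key; group "secret" is the value.
SECRET_PATTERNS = [
    re.compile(r"^\s*(?:ikev1 |ikev2 (?:local|remote)-authentication )?"
               r"pre-shared-key\s+(?P<secret>\S+)"),
    re.compile(r"^\s*crypto isakmp key\s+(?P<secret>\S+)"),
]
# "*" is the masked form; a leading "6" token on IOS marks a type-6 encrypted key.
ALREADY_PROTECTED = {"*", "6"}


def find_cleartext_keys(config):
    """Return (line_number, stripped_line) for every unmasked pre-shared key."""
    hits = []
    for n, line in enumerate(config.splitlines(), 1):
        for pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m and m.group("secret") not in ALREADY_PROTECTED:
                hits.append((n, line.strip()))
                break
    return hits


def mask_keys(config):
    """Rewrite a dump so each cleartext pre-shared key reads "*", as "show" does."""
    out = []
    for line in config.splitlines():
        for pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m and m.group("secret") not in ALREADY_PROTECTED:
                line = line[:m.start("secret")] + "*" + line[m.end("secret"):]
        out.append(line)
    return "\n".join(out) + "\n"
```

Run `find_cleartext_keys` over a backup before archiving it; a non-empty result means the dump came from the unparsed path and should be passed through `mask_keys` or stored with the same protection as the device itself.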