RE: user <user> secret <password> and CHAP doubt posted 07/24/2005
- Subject: RE: user <user> secret <password> and CHAP doubt
- From: "Gustavo Novais" <gustavo.novais@xxxxxxxxxxx>
- Date: Sun, 24 Jul 2005 18:10:39 +0100
I know, the problem is that you can decode the encrypted password in
about 3 seconds (time to open one of many pass decoders that exist,
insert what you see on config, and that's it - 3 Sec flat)
The purpose of the exercise was to use user secret, but they forgot it
doesn't work with CHAP...
From: Arun Arumuganainar [mailto:aarumuga@xxxxxxxxxxx]
Sent: domingo, 24 de Julho de 2005 18:07
To: Gustavo Novais; lab
Subject: Re: user <user> secret <password> and CHAP doubt
Turn on "service password-encryption".
What this actually does is encrypt it so that anyone who has
access to the running configuration will not be able to make it out.
This will work with PPP perfectly fine.
Thanks and Regards
----- Original Message -----
From: "Gustavo Novais" <gustavo.novais@xxxxxxxxxxx>
To: "lab" <ccielab@xxxxxxxxxxxxxx>
Sent: Sunday, July 24, 2005 10:01 PM
Subject: user <user> secret <password> and CHAP doubt
> I'm doing a lab in which the requirement is that we use CHAP
> authentication, but on one of the involved routers the username for
> the remote must be stored such that you shouldn't be able to decode the
> password from the config.
> This points me to user XXX secret pass, which encrypts the pass with
> The thing is, as stated on
> CHAP doesn't "like" that we store the passwords as MD5; it needs them
> to be in plain text so it can derive its own MD5 challenge.
> I can get around the issue by simply not authenticating the remote
> side, thus no need of a local username, and then it can be whatever I
> want. But I think this is ugly...
> This appeared on IPexpert challenge 26, ISDN question.
> Any thoughts?
> PS. I can also see what is the hash of the password and use the hash
> instead of the password, and store it as plain text, but this would be
> even uglier...
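Added example, not part of the original thread: the CHAP response calculation from RFC 1994 (MD5 over identifier, secret and challenge), showing why the authenticator needs the shared secret itself rather than a one-way hash of it, and what happens in the PS case where the hash string is configured as the secret on both sides. The secret, salt and `one_way_store` helper are constructed for illustration; `one_way_store` is a stand-in for any one-way stored form, not the IOS algorithm.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def authenticator_verify(identifier: int, stored: bytes,
                         challenge: bytes, response: bytes) -> bool:
    """The authenticator recomputes the response from whatever it has stored."""
    expected = chap_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)


def one_way_store(secret: bytes, salt: bytes) -> bytes:
    """Hypothetical one-way stored form (stand-in, NOT the IOS 'secret' format)."""
    return hashlib.md5(salt + secret).hexdigest().encode()


def demo() -> dict:
    secret = b"LabSecret1"      # constructed sample secret
    salt = b"abcd"              # constructed sample salt
    identifier = 1
    challenge = os.urandom(16)  # fresh per authentication attempt

    # The peer always computes its response from the real shared secret.
    peer_response = chap_response(identifier, secret, challenge)
    hashed = one_way_store(secret, salt)

    return {
        # Authenticator holds the recoverable secret: verification succeeds.
        "cleartext_on_authenticator":
            authenticator_verify(identifier, secret, challenge, peer_response),
        # Authenticator holds only a one-way hash: it cannot rebuild the
        # MD5 input, so the same valid response is rejected.
        "one_way_hash_on_authenticator":
            authenticator_verify(identifier, hashed, challenge, peer_response),
        # PS case: both ends configure the hash string as the secret. CHAP
        # works, but the stored string is now the credential itself.
        "hash_string_as_secret_both_sides":
            authenticator_verify(identifier, hashed, challenge,
                                 chap_response(identifier, hashed, challenge)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

In the third case whoever can read the stored string can answer any challenge, so it gives no more protection than keeping the original password readable.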