Michael Vincent
and 1 contributors


Crypt::Cisco - Commands for Cisco Type 7 Passwords


  use Crypt::Cisco;
  my $clear = cisco_decrypt('121A0C041104');
  my $crypt = cisco_encrypt('cisco');


The following subs implement the type-7 password encryption / decryption. The algorithm is freely available on the Internet on several sites; thus, I can/will NOT take credit or ANY liability for its use.


NOTE: The legacy functions are deprecated and will be removed from a future release:


Use the following instead:

cisco_decrypt() - decrypt a Cisco type 7 password

  my $passwd = cisco_decrypt('00071A150754');

Where 00071A150754 is the encrypted Cisco password in this example.

cisco_encrypt() - encrypt a Cisco type 7 password

  my $passwd = cisco_encrypt('cleartext'[,# | *]);
  print "$_\n" for (@{$passwd});

Where cleartext is the clear text string to encrypt. The second optional argument is a number in the range of 0 - 52 inclusive or random text.

Returns an array of all possible encryptions if random text is the second argument.

  Option  Description            Action
  ------  -----------            -------
          No argument provided   Return a random encryption.
  #       Number 0-52 inclusive  Return password encrypted with # index.
  (other) Random text            Return all 53 possibilities in array.

NOTE: Cisco routers by default only seem to use the first 16 indexes (0 - 15) to encrypt passwords. You notice this by looking at the first two characters of any type 7 encrypted password in a Cisco router configuration. However, testing on IOS 12.x and later shows that manually entering a password encrypted with a higher index (generated from this script) to a Cisco configuration will not only be allowed, but will function normally for authentication. This may be a form of "security through obscurity" given that some older Cisco password decrypters don't use the entire translation index and limit 'valid' passwords to those starting with the fist 16 indexes (0 - 15). Using passwords with an encryption index of 16 - 52 inclusive may render older Cisco password decrypters useless.

Additionally, the Cisco router command prompt seems to be limited to 254 characters, making the largest password 250 characters (254 - 4 characters for the pas (followed by space) command to enter the password).


Load them: use Crypt::Cisco qw(:subs);



This distribution comes with a script (installed to the default bin install directory) that not only demonstrates example uses but also provides functional execution.


This software is released under the same terms as Perl itself. If you don't know what that means visit http://perl.com/.


Copyright (C) Michael Vincent 2010, 2017


All rights reserved