Cisco VPN password recovery program

Florian Weimer fw at
Thu Oct 20 15:34:22 EDT 2005

> - - ---------------------
> Cisco Client Parameters
> Allow Password Storage on Client - Check this box to allow IPSec
> clients to store their login passwords on their local client
> systems. If you do not allow password storage (the default), IPSec
> users must enter their password each time they seek access to the
> VPN. For maximum security, we recommend that you not allow password
> storage.
> - - ---------------------

I really doubt that this affects group password (PSK).

In some cases, network administrators used the password obfuscation to
force their users to use Cisco's VPN client.  Competing products, such
as vpnc, do not enforce client-side policies.  However, there's been a
website where you can upload the obfuscated password, and it returns
the password in clear text for quite some time now.  It is implemented
by running the Cisco client under a debugging tool, intercepting a
memcpy call that copies the password.

In the end, the publication of the algorithm doesn't change the
security of the system (there wasn't much to start with).  But it's
certainly easier to write interoperable software using this

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list