Free Cisco Type 7 password decryptor. Decode any Cisco Type 7 encrypted password. These are obfuscated using a fixed Vigenère cipher, not real encryption, and trivial to decode. Useful for recovering passwords from device configs and for security auditing (Type 7 should never be relied on for real protection; use Type 8/9).
When a Cisco IOS config line reads password 7 0822455D0A16, the 7 marks a Type 7 value. Despite looking scrambled, this is not encryption in any meaningful sense: it is obfuscation using a fixed Vigenere cipher with a hard-coded key that has been public for decades. The leading two digits are an offset into that key, and each following pair of hex characters is one plaintext byte XORed with a key byte. Because the key is known and baked into every device, anyone can reverse it, which is exactly what this tool does instantly and entirely in your browser.
Type 7 exists only to stop someone glancing over your shoulder from reading a password off the screen. It provides no real security and was never intended to. If an attacker can see the config, they can recover the plaintext in the time it takes to paste it here, so a Type 7 string should be treated as effectively cleartext.
The practical risk is that Type 7 hashes leak. Configs get pasted into tickets, emails, backups, and chat, and every one of those exposures is a plaintext password to anyone who knows the format. The service password-encryption command that produces Type 7 gives a false sense of protection: it hides passwords from a casual glance but not from anyone who wants them.
For anything that must actually resist recovery, use a real password hash. Type 8 (PBKDF2 with SHA-256) and Type 9 (scrypt) are salted, slow, one-way hashes that cannot be reversed the way Type 7 can, and the older Type 5 (salted MD5) is still far stronger than Type 7. Use this decryptor for auditing and password recovery from old configs, then migrate those credentials to Type 8 or 9.
No. Type 7 is obfuscation, not encryption. It uses a fixed Vigenere cipher with a publicly known key, so any Type 7 password can be reversed to plaintext instantly. It offers no real protection.
The first two digits of the value are an offset into a hard-coded key. Each remaining pair of hex characters is one byte of the password XORed with a key byte. Reversing the XOR with the known key recovers the original text.
Type 7 is reversible obfuscation. Type 5 is salted MD5, Type 8 is PBKDF2 with SHA-256, and Type 9 is scrypt. Types 5, 8 and 9 are one-way salted hashes that cannot be decoded back to plaintext, and Type 8 or 9 is the recommended choice.
No. That command only converts cleartext passwords to Type 7, which any attacker who sees the config can reverse. It stops shoulder-surfing but does nothing against someone who obtains the configuration file.