Password7Decrypt

Encoding vs. Encryption vs. Hashing

These three words show up interchangeably in vendor docs, job interviews, and Slack threads — and mixing them up leads to real security mistakes. Here's the practical difference.

The One-Sentence Version of Each

Cisco Type 7 gets called "encryption" in a lot of documentation and forum posts, but functionally it's closer to encoding: there's no secret key involved, just a fixed, publicly documented XOR table. Anyone with the algorithm — which has been public for decades — can reverse it instantly. That's why tools like our own Type 7 decoder exist and work reliably on every valid hash.

Encoding: Base64, URL Encoding, Type 7

Encoding exists to make data safe to transmit or store in a particular format — not to hide it. Base64 turns binary data into ASCII text so it survives email transport. URL encoding escapes special characters so a query string doesn't break. Cisco Type 7 XORs each byte against a fixed 53-entry lookup table so a password doesn't sit in the config file as raw plaintext at a glance.

The common thread: none of these require a secret to reverse. The "key" — if you can call it that — is the algorithm itself, and the algorithm is public. Security through this kind of obfuscation only works against a human skimming a file with their eyes, not against anyone who bothers to look up how the encoding works.

Encryption: AES, and Cisco Type 6

Real encryption requires a key that isn't embedded in the same document as the ciphertext (ideally). AES-256, for example, is computationally infeasible to reverse without the key, even with significant compute resources. Cisco's Type 6 password encryption is a genuine (if dated) example on IOS devices: passwords are AES-encrypted using a master key stored separately via the key config-key password-encrypt command — meaning a leaked config file alone isn't enough to recover the passwords, unlike Type 7.

The security of any encryption scheme lives entirely in how well the key is protected. An encrypted config file with the key sitting in the same backup archive offers little more protection than Type 7 does.

Hashing: SHA-256, scrypt, and Cisco Type 8/9

Hashing is the only one-way transformation of the three. Feed it any input and you get a fixed-length output; feed it the same input again and you get the same output, but there's no mathematical way to go backward from the hash to the original input. This is exactly what you want for password storage: the system only ever needs to verify a login attempt, never recover the original password.

Cisco Type 8 (PBKDF2-SHA256) and Type 9 (scrypt) are both salted, iterated hashes designed specifically to resist brute-force and rainbow-table attacks — scrypt additionally makes large-scale GPU cracking expensive by being memory-hard. Neither can be "decoded" the way Type 7 can. If you've forgotten a Type 8/9 password, the only real recovery path is resetting it, not reversing it — that's the entire point.

Quick Reference

Category Reversible? Needs a secret key? Example
Encoding Yes, always No Base64, Cisco Type 7
Encryption Yes, with the key Yes AES-256, Cisco Type 6
Hashing No, never No (uses a salt instead) SHA-256, scrypt, Cisco Type 8/9
Related reading: Ready to move off Type 7? See Migrating from Type 7 to Type 9 for a step-by-step process.