23 Replies. Latest reply: Apr 10, 2015 1:42 PM by Dimosthenis Atteia

    enable secret/enable password

    kevinlim62

      Hi,

      What is the difference between enable secret and enable password? And what command can we use to encrypt the password?

      enable secret [password]      => will this command encrypt the password automatically when we issue this?

      enable password [password] => will this command encrypt the password automatically when we issue this?

      Thanks.

        • 1. Re: enable secret/enable password
          Stephen Eke

          Hi Kev,

          When you set the enable password (password) command it creates an unencrypted password which is in clear text format.

          Issuing the show running-config command after doing this shows you the password in clear view.

          But when you issue the enable secret (password) command it encrypts the password, as can be seen when you show the running config. This password is not good enough, though, as it can be broken easily; there are websites out there, if you Google, that can help you break this password.

          But by issuing the service password-encryption command at global config mode you encrypt all passwords existing on the router with an encryption format that is harder or almost impossible to break.

          HTH

          Stephen Eke

          • 2. Re: enable secret/enable password
            Rubin

            Hello Kevin,

            enable secret password provides encryption automatically using the MD5 hash algorithm. The enable password password does not encrypt the password, and it can be viewed in clear text in the running-config. In order to encrypt the enable password password, use the service password-encryption command. To be clear, the enable secret password command provides stronger encryption than the service password-encryption command.

            Rubin

             

            Message was edited by: rubinjacksonjr

            • 3. Re: enable secret/enable password
              Scott Morris - CCDE/4xCCIE/2xJNCIE

              simplyccna wrote:

              Hi

              password  Assign the privileged level password
                secret    Assign the privileged level secret

              but enable secret password are easy to break

              so we need to issue this command in global config mode

              service password-encryption

              it will encrypt it in better way!

              I think you meant the "enable password" is easy to break.

              Typically that's stored in clear text (no breaking necessary). With "service password-encryption" it performs a mild encryption (easy to break with many apps/web pages) on anything that's clear text.

              The "enable secret" though is an MD5 one-way hash, so unless you have a sweet computer and/or a rainbow table, you aren't going to break that one.

              Scott

              • 4. Re: enable secret/enable password
                Ashish Upadhyay

                Hi,

                Which of the above is best for network device hardening? I think it is enable secret; what do you say?

                • 5. Re: enable secret/enable password
                  Sey

                  I think it's enable secret to protect the enable key,

                  and

                  service password-encryption, not of course to harden, but rather to hide all other keys from human eyes.

                  • 6. Re: enable secret/enable password
                    KiranJose

                    When you set the enable password (password) command it creates an unencrypted password which is in clear text format.
                    When you issue the enable secret (password) command it encrypts the password.

                    • 7. Re: enable secret/enable password
                      Darren Starr (CCSI, 4xCCNP, 7xCCNA)

                      Stephen,

                      Please be careful with your wording in these answers. It was a great attempt. But a simple search on Google yields many wonderful JavaScript based pages that can crack "service password-encryption". Just search Google for "crack cisco type 7 password" and the first 5 responses will do it without a problem.

                      That being said, enable secret will produce a seeded MD5 hash instead of a password. This is not a stored password. Instead it's a hash phrase which is produced by the router using a seed. Feeding another password to the router and applying the seed and running MD5 against it will produce the same password. It is however susceptible to man in the middle attacks since you can supply a challenge against a pre-hashed value.

                      When using "secret" in combination with the username command, be careful since you can't use a secret for authenticating via CHAP protocols. So PPP accounts may fail if you make use of secret instead of password with type 7 encryption.

                      The security of type 5 (hence MD5) passwords is negligible as well. The newer versions of "John the Ripper" can produce a password that will hash to the same value as the type 5 stored in your configs in under 15 minutes on my Microsoft Surface Pro, which is a very low power tablet PC. I tested this summer when I needed to recover a password from an ASA. Using a "John the Ripper" botnet, it can be done in 3 seconds or less on average.

                      So to be more accurate, one could say:

                      enable password stores the password in clear text.

                      enable password combined with service password-encryption requires someone looking over your shoulder to memorize a slightly harder phrase long enough to Google "crack type 7 password".

                      enable secret produces a hash; it does not encrypt. The hash generated is MUCH harder to remember and can be inconvenient for the administrator. But it is more secure. Though someone who sees it can crack it running free tools available from hundreds of places online with little searching.

                      • 8. Re: enable secret/enable password
                        Brad

                        That being said enable secret will produce a seeded MD5 hash instead of a password.

                        Is seeded the same as salted? If not, how are they different?

                        Feeding another password to the router and applying the seed and running MD5 against it will produce the same password.

                        Are you referring to a collision?

                        It is however susceptible to man in the middle attacks since you can supply a challenge against a pre-hashed value.

                        Please explain how this would work during a remote login.

                        TIA

                        • 9. Re: enable secret/enable password
                          Shakil

                          Hi

                          Enable secret (password) will automatically encrypt the password you used,

                          and using just enable password (password) will not encrypt your password. So you have to use "service password-encryption" to encrypt.

                          If you are using both enable password and enable secret password then the enable secret password overrides the enable password. The enable secret password will be given priority and that password will be your enable password to log in to the router.

                          Regards

                          Shakil Chand

                          • 10. Re: enable secret/enable password
                            Darren Starr (CCSI, 4xCCNP, 7xCCNA)

                            Brad,

                            Thanks for making me correct my own errors... typos... I was on my phone when I wrote that and I tend to focus more on typing than on what I'm typing.

                            Ok, yes, I meant salted. Seeding is a similar process in random number generation.

                            MD5 is definitely not collision proof. I've read multiple papers in the IEEE newsletters on cryptography which factor MD5 down bit by bit. It's also why it is so important to have so many bits. After all, even using ASICs and massive parallel systems, we lack the computing power on earth to brute force an MD5 key. This is why we never approach the topic from trying one at a time. We instead algorithmically narrow our way in towards a result which will generate the same hash.

                            Let's assume you're working with a challenge attack. If I were to capture even a single exchange between two devices which have the correct passwords, the goal would be to figure out what key would generate the hash contained in the challenge response, given the contents of the challenge, the sequence number and the other parts of the packet involved.

                            One method is to assume the key used to generate the hash was 10 bytes or less and contains only keys typable on an English keyboard. This is a huge rainbow list to work through. Since there is no salt involved, the challenge is the "wildcard" or salt so to say; the current rainbow lists for MD5, SHA-1 and others coming are searchable in a binary tree fashion. So, all you have to do is search the tree based on which keys would likely generate the next bit of the key. We're still talking about tens of trillions of possibilities to try, but that is within reason to calculate. Using ATI GPUs, which are almost ideally suited to MD5 and SHA-1 hashing (as can be seen in BitCoin mining), it is easy to build an almost perfect computer for this on the cheap.

                            I think I'll try to write a paper which describes this clearly and upload it as a document to the CCNA Security Study group, but I have to drive my wife to a party now.

                            Hope this clears some things up.

                            - Darren

                            • 11. Re: enable secret/enable password
                              mohammed

                              Just a question please.

                              If we say enable secret is more secure than enable password,

                              in an ISP data center, why should we take care of the privilege mode security level of a Cisco switch, since only dedicated persons work there?

                              Like: who is going to have access and can view the configurations?

                              Thanks,

                              • 12. Re: enable secret/enable password
                                Pankaj

                                One more thing:

                                If you don't have a privilege mode password set on your router, you can't get into privilege mode when you are accessing that device through Telnet.

                                • 13. Re: enable secret/enable password
                                  Benoit

                                  In these examples "test" will be used as the password.

                                  This sets a console password. (Unencrypted in a "show run")

                                  Router(config)# line console 0
                                  Router(config-line)# password test
                                  Router(config-line)# login

                                  This sets a Telnet/SSH password. (Unencrypted in a "show run")

                                  Router(config)# line vty 0 15
                                  Router(config-line)# password test
                                  Router(config-line)# login

                                  This sets a password for privileged exec mode. (Unencrypted in a "show run")

                                  Router(config)# enable password test

                                  This sets a highly encrypted privileged exec password. (Encrypted in a "show run")

                                  Router(config)# enable secret test

                                  This will set all unencrypted passwords (current and future) with a low level encryption. (Encrypted in a "show run")

                                  Router(config)# service password-encryption

                                  *Note: If "enable password" has been used before an "enable secret" command, the new "enable secret" will have precedence and will take over as the login credential.
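                                  Benoit's walkthrough above, together with Darren's summary in reply 7 and Shakil's precedence note in reply 9, amounts to a checklist a reviewer applies to a "show running-config": which storage type each credential line carries and whether a stale enable password sits next to an enable secret. The example below is an added audit script, not code from this thread or from Cisco. It classifies the password-bearing lines the thread discusses (enable password/secret, username password/secret, line password) by the IOS type digit: no digit or 0 is clear text, 7 is the reversible service password-encryption form, 5 is the salted MD5 hash. The SAMPLE_CONFIG is constructed; the type 7 strings and type 5 hashes in it are placeholders, not real encodings of "test".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of "show running-config" output (not from a real device);
# the type 7 strings and the type 5 hashes are placeholder values.
SAMPLE_CONFIG = """\
service password-encryption
hostname R1
enable secret 5 $1$abcd$CONSTRUCTEDPLACEHOLDER
enable password 7 0000CONSTRUCTED0000
username admin password 7 1111CONSTRUCTED1111
username ops privilege 15 secret 5 $1$wxyz$CONSTRUCTEDPLACEHOLDER
line con 0
 password test
 login
line vty 0 15
 password 7 0000CONSTRUCTED0000
 login
"""

# Password-bearing commands covered in the thread. The optional digit after the
# keyword is the IOS storage type: absent/0 = clear text, 7 = reversible, 5 = MD5 hash.
PASSWORD_RE = re.compile(
    r"^\s*(?P<cmd>enable (?:password|secret)"
    r"|username \S+ (?:privilege \d+ )?(?:password|secret)"
    r"|password)"
    r"\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$"
)


@dataclass
class Finding:
    line_no: int
    command: str   # e.g. "enable secret", "password" (a line password)
    pw_type: str   # IOS type digit as stored, "0" when the line carries none
    risk: str      # "high" or "medium"
    note: str


def classify(pw_type: Optional[str]) -> Tuple[str, str]:
    """Map an IOS password type digit to a risk level and a reviewer's note."""
    if pw_type in (None, "0"):
        return "high", "stored in clear text; anyone who reads the config has the password"
    if pw_type == "7":
        return "high", "type 7 is the reversible service password-encryption form, not a hash"
    if pw_type == "5":
        return "medium", "type 5 is a salted MD5 hash: not readable, but cheap to brute-force offline"
    return "medium", "unrecognised password type %s; check the platform documentation" % pw_type


def audit(config: str) -> List[Finding]:
    """Return one Finding per credential line, in config order."""
    findings = []
    for n, line in enumerate(config.splitlines(), start=1):
        m = PASSWORD_RE.match(line)
        if not m:
            continue
        pw_type = m.group("type")
        risk, note = classify(pw_type)
        # Normalise "username X privilege 15 secret" down to the keyword pair.
        cmd = re.sub(r" privilege \d+", "", m.group("cmd"))
        findings.append(Finding(n, cmd, pw_type or "0", risk, note))
    return findings


def enable_precedence(findings: List[Finding]) -> Optional[str]:
    """Apply the precedence rule from the thread: when both enable forms exist the
    secret is what IOS checks, so the enable password line is dead configuration
    that still exposes a credential."""
    cmds = {f.command for f in findings}
    if {"enable secret", "enable password"} <= cmds:
        return "enable secret takes precedence; remove the enable password line"
    if "enable password" in cmds:
        return "enable password is the only privileged credential; replace it with enable secret"
    return None


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("line %2d  %-18s type %s  %-6s %s" % (f.line_no, f.command, f.pw_type, f.risk, f.note))
    print(enable_precedence(audit(SAMPLE_CONFIG)))
```

Run against the sample, the script flags the line and username passwords as high risk even though service password-encryption is configured, which is Darren's point in reply 7: type 7 hides the string from a glance but not from anyone who can read the config. The precedence check is the same conclusion Benoit's note reaches, turned into something that can be run over every saved config rather than remembered.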

                                  • 14. Re: enable secret/enable password
                                    R.K.T.

                                    Hello kevinlim62

                                    Usually enable password works in clear text; it is not good for the network.

                                    But we can use this with the "service password-encryption" command; it will take the mid-level encryption.

                                    But the "enable secret" gives an MD5 encryption, which is best for you.

                                    Regards

                                    RKT
