142329 Views 12 Replies Latest reply: Dec 8, 2013 7:50 AM by Pankaj RSS


enable secret/enable password

Aug 26, 2010 7:15 AM

kevinlim62 129 posts since
Mar 6, 2010

Hi,

What is the difference between enable secret and enable password? And what command can we use to encrypt the password?

enable secret [password]      => will this command encrypt the password automatically when we issue this?

enable password [password] => will this command encrypt the password automatically when we issue this?

Thanks.

  • Stephen Eke 14 posts since
    Oct 12, 2009
    1. Aug 26, 2010 11:01 AM (in response to kevinlim62)
    Re: enable secret/enable password

    hi kev,

    when you set the enable password (password) command it creates an unencrypted password which is in clear text format.

    issuing the show running-config command after doing this shows you the password in clear view.

    but when you issue the enable secret (password) command it encrypts the password, as can be seen when you show the running config, but this password is not good enough as it can be broken easily. there are websites out there if you google that can help you break this password.

    but by issuing the service password-encryption command at global config mode you encrypt all passwords existing on the router with an encryption format that is harder or almost impossible to break.

    HTH

    Stephen Eke

  • Rubin 409 posts since
    Nov 12, 2008
    2. Aug 26, 2010 12:37 PM (in response to kevinlim62)
    Re: enable secret/enable password

    Hello Kevin,

    enable secret password provides encryption automatically using the MD5 hash algorithm. The enable password password does not encrypt the password and it can be viewed in clear text in the running-config. In order to encrypt the enable password password, use the service password-encryption command. To be clear, the enable secret password command provides stronger encryption than the service password-encryption command.

    Rubin

  • Scott Morris - CCDE/4xCCIE/2xJNCIE 8,395 posts since
    Oct 7, 2008
    3. Aug 26, 2010 1:10 PM (in response to kevinlim62)
    Re: enable secret/enable password

    simplyccna wrote:

    Hi

    password  Assign the privileged level password
      secret    Assign the privileged level secret

    but enable secret passwords are easy to break

    so we need to issue this command in global config mode

    service password-encryption

    it will encrypt it in a better way!

    I think you meant the "enable password" is easy to break.

    Typically that's stored in clear text (no breaking necessary). With "service password-encryption" it performs a mild encryption (easy to break with many apps/web pages) on anything that's clear text.

    The "enable secret" though is an MD5 one-way hash, so unless you have a sweet computer and/or a rainbow table, you aren't going to break that one.

    Scott

  • Ashish Upadhyay 41 posts since
    Jul 20, 2010

    hi,

    which of the above is best for network device hardening? I think it is enable secret, what do you say?

  • Sey 1,388 posts since
    May 4, 2010
    5. Aug 27, 2010 6:51 AM (in response to Ashish Upadhyay)
    Re: enable secret/enable password

    I think it's enable secret to protect the enable key

    and

    service password-encryption not of course to harden but rather to hide all other keys from human eyes.

  • KiranJose 1 posts since
    Jun 25, 2013
    6. Oct 11, 2013 4:08 AM (in response to kevinlim62)
    Re: enable secret/enable password

    when you set the enable password (password) command it creates an unencrypted password which is in clear text format.
    when you issue the enable secret (password) command it encrypts the password.

  • Darren Starr (CCSI, 4xCCNP, 7xCCNA) 917 posts since
    Feb 10, 2012
    7. Oct 11, 2013 10:22 AM (in response to Stephen Eke)
    Re: enable secret/enable password

    Stephen,

    Please be careful with your wording in these answers. It was a great attempt. But a simple search on Google yields many wonderful JavaScript based pages that can crack "service password-encryption". Just search Google for "crack cisco type 7 password" and the first 5 responses will do it without a problem.

    That being said, enable secret will produce a seeded MD5 hash instead of a password. This is not a stored password. Instead it's a hash phrase which is produced by the router using a seed. Feeding another password to the router and applying the seed and running MD5 against it will produce the same password. It is however susceptible to man in the middle attacks since you can supply a challenge against a pre-hashed value.

    When using "secret" in combination with the username command, be careful since you can't use a secret for authenticating via CHAP protocols. So PPP accounts may fail if you make use of secret instead of password with type 7 encryption.

    The security of type 5 (hence MD5) passwords is negligible as well. The newer versions of "John the Ripper" can produce a password that will hash to the same value as the type 5 stored in your configs in under 15 minutes on my Microsoft Surface Pro, which is a very low power tablet PC. I tested this summer when I needed to recover a password from an ASA. Using a "John the Ripper" botnet, it can be done in 3 seconds or less on average.

    So to be more accurate, one could say:

    enable password stores the password in clear text

    enable password combined with service password-encryption requires someone looking over your shoulder to memorize a slightly harder phrase long enough to Google "crack type 7 password".

    enable secret produces a hash, it does not encrypt. The hash generated is MUCH harder to remember and can be inconveniencing to the administrator. But it is more secure. Though someone who sees it can crack it running free tools available from hundreds of places online with little searching.
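
As an added, defender-side illustration of the three storage forms summarised just above (this is example code written for this page, not code from the thread or from Cisco): a small Python audit that scans a running-config excerpt and flags every credential line as cleartext (type 0), reversible type 7, or type 5 salted MD5, so an operator can see at a glance whether "enable secret" is set and how many lines still rely on "service password-encryption". The config excerpt, its type 7 strings and its $1$ hash are constructed placeholders, not encodings of any real password.

```python
import re
from collections import namedtuple

# Constructed 'show running-config' excerpt, not from a real device; the type 7
# strings and the $1$ hash are placeholders, not encodings of any password.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 0123456789ABCDEF
enable secret 5 $1$salt$PLACEHOLDERhashPLACEHOLDER
username admin password 7 FEDCBA9876543210
username backup password 0 plaintextpw
line vty 0 4
 password 7 00112233445566
"""

# Matches 'enable password|secret', 'username X password|secret' and the bare
# 'password' under a line. The type digit is optional: IOS prints an unencrypted
# 'enable password foo' with no leading 0, so a missing digit means cleartext.
CRED_RE = re.compile(
    r"^\s*(?P<what>enable (?:password|secret)|username \S+ (?:password|secret)|password)"
    r"\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$")

RISK = {  # storage forms as discussed in the thread
    "0": "cleartext, readable straight from the config",
    "7": "type 7 reversible obfuscation, as good as cleartext",
    "5": "type 5 salted MD5, one-way but cheap to brute-force offline",
}

Finding = namedtuple("Finding", "line_no what type_ risk")

def audit_config(text: str) -> list:
    """One Finding per credential line; cleartext and type 7 sort before type 5."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        # A $1$ value is MD5 whatever digit precedes it; no digit means type 0.
        t = "5" if m.group("value").startswith("$1$") else (m.group("type") or "0")
        findings.append(Finding(n, m.group("what"), t, RISK.get(t, "other type, review manually")))
    return sorted(findings, key=lambda f: {"0": 0, "7": 0, "5": 1}.get(f.type_, 2))

def summarize(text: str) -> dict:
    """Posture summary: enable secret set? type 7 obfuscation on? how many weak lines?"""
    findings = audit_config(text)
    return {
        "enable_secret_present": any(f.what == "enable secret" for f in findings),
        "service_password_encryption": "service password-encryption" in text.splitlines(),
        "weak_credentials": sum(f.type_ in ("0", "7") for f in findings),
        "findings": findings,
    }
```

Run `summarize(SAMPLE_CONFIG)` to get the posture dictionary; on the sample it reports an enable secret present, service password-encryption on, and four credential lines that are still cleartext or type 7.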

  • Brad 327 posts since
    Aug 8, 2012

    That being said enable secret will produce a seeded MD5 hash instead of a password.

    Is seeded the same as salted? If not, how are they different?

    Feeding another password to the router and applying the seed and running MD5 against it will produce the same password.

    Are you referring to a collision?

    It is however susceptible to man in the middle attacks since you can supply a challenge against a pre-hashed value.

    Please explain how this would work during a remote login.

    TIA

  • Shakil 88 posts since
    Apr 7, 2013
    9. Oct 12, 2013 7:07 AM (in response to kevinlim62)
    Re: enable secret/enable password

    Hi

    Enable secret (password) will automatically encrypt the password you used.

    and using just enable password (password) will not encrypt your password. So you have to use "service password-encryption" to encrypt.

    If you are using both enable password and enable secret password then the enable secret password overrides the enable password. The enable secret password will be given priority and that password will be your enable password to log in to the router.

    Regards

    Shakil Chand

  • Darren Starr (CCSI, 4xCCNP, 7xCCNA) 917 posts since
    Feb 10, 2012
    10. Oct 12, 2013 8:23 AM (in response to Brad)
    Re: enable secret/enable password

    Brad,

    Thanks for making me correct my own errors... typos... I was on my phone when I wrote that and I tend to focus more on typing than on what I'm typing.

    Ok, yes, I meant salted. Seeding is a similar process in random number generation.

    MD5 is definitely not collision proof. I've read multiple papers in the IEEE newsletters on cryptography which factor MD5 down bit by bit. It's also why it is so important to have so many bits. After all, even using ASICs and massive parallel systems, we lack the computing power on earth to brute force an MD5 key. This is why we never approach the topic from trying one at a time. We instead algorithmically narrow our way in towards a result which will generate the same hash.

    Let's assume you're working with a challenge attack. If I were to capture even a single exchange between two devices which have the correct passwords, the goal would be to figure out what key would generate the hash contained in the challenge response given the contents of the challenge, the sequence number and the other parts of the packet involved.

    One method is to assume the key used to generate the hash was 10 bytes or less and contains only keys typable on an English keyboard. This is a huge rainbow list to work through. Since there is no salt involved, the challenge is the "wildcard" or salt so to say, the current rainbow lists for MD5, SHA-1 and others coming are searchable in a binary tree fashion. So, all you have to do is search the tree based on which keys would likely generate the next bit of the key. We're still talking about tens of trillions of possibilities to try, but that is within reason to calculate. Using ATI GPUs which are almost ideally suited to MD5 and SHA-1 hashing (as can be seen in BitCoin mining), it is easy to build an almost perfect computer for this on the cheap.

    I think I'll try to write a paper which describes this clearly and upload it as a document to the CCNA Security Study group, but I have to drive my wife to a party now.

    Hope this clears some things up.

    - Darren

  • mohammed 228 posts since
    Jun 27, 2013
    11. Dec 6, 2013 3:48 AM (in response to kevinlim62)
    Re: enable secret/enable password

    just a question please

    if we say enable secret is more secure than enable password,

    in an ISP data center, why should we take care of the privilege mode security level of a cisco switch, since only dedicated persons work there!

    like: who is going to have access and can view the configurations?

    thanks,

  • Pankaj 41 posts since
    Dec 5, 2013
    12. Dec 8, 2013 7:50 AM (in response to mohammed)
    Re: enable secret/enable password

    One more thing

    If you don't have a privilege mode password set on your router, you can't get into privilege mode when you are accessing that device through Telnet.
