when you set the enable password (password) command it creates an unencrypted password which is in clear text format
issuing the show running-config command after doin this, shows you d password in clear view.
but when you issue the enable secret (password)command it encrypts the password as can can be seen when
you show the running config but this password is not good enough as it can be broken easily.there are websites out there
if you google that can help you break this password
but by issuing the service password-Encryption command at global config mode
you encrypt all passwords existing on the router with an encytption format that
is harder or almost impossible to break
enable secret password provides encryption automatically using MD5 hash algorithm. The enable password password does not encrypt the password and can be view in clear text in the running-config. In order to encrypt the enable password password , use the service password-encryption command. To be clear, the enable secret password command provides stronger encryption than the service password-encryption command.
Message was edited by: rubinjacksonjr
password Assign the privileged level password
secret Assign the privileged level secret
but enable secret password are easy to break
so we need to issue this command in global config mode
it will encrypt it in better way!
I think you meant the "enable password" is easy to break.
Typically that's stored in clear text (no breaking necessary). With "service password-encryption" it performs a mild encryption (easy to break with many apps/web pages) on anything that's clear text.
The "enable secret" though is an MD5 one-way hash, so unless you have a sweet computer and/or a rainbow table, you aren't going to break that one.
That being said enable secret will produce a seeded MD5 hash instead of a password. This is not a stored password. Instead it's a hash phrase which is produced by the router using a seed. Feeding another password to the router and applying the seed and running MD5 against it will produce the same password. It is however susceptible to man in the middle attacks since you can supply a challenge against a pre-hashed value.
When using "secret" in combination with the username command, be careful since you can't use a secret for authenticating via CHAP protocols. So PPP accounts may fail if you make use of secret instead of password with type 7 encryption.
The security of type 5 (hence MD5) passwords is negligable as well. The newer versions of "John the Ripper" can produce a password that will hash to the same value as the type 5 stored in your configs in under 15 minutes on my Microsoft Surface Pro which is a very low power tablet PC. I tested this summer when I needed to recover a password from an ASA. Using a "John the ripper" botnet, it can be done in 3 seconds or less on average.
So to be more accurate, one could say :
enable password stores password in clear text
enable password combined with service password-encryption requires someone looking over your shoulder to memorize a slightly harder phrase long enough to Google "crack type 7 password".
enable secret produces a hash, it does not encrypt. The hash generated is MUCH harder to remember and can be inconveniencing to the administrator. But is more secure. Though someone who sees it can crack it running free tools available from hundreds of places online with little searching.
That being said enable secret will produce a seeded MD5 hash instead of a password.
Is seeded the same as salted? If not, how are they diferent?
Feeding another password to the router and applying the seed and running MD5 against it will produce the same password.
Are you referring to a collison?
It is however susceptible to man in the middle attacks since you can supply a challenge against a pre-hashed value.
Please explain how this would work during a remote login.
Enable screct (password) will automaticaly encrypt the password you used.
and using just enable passwprd (password) will not encrypt your password.So you have to use "service password encryption" to encrypt.
If you are using both enable password and enable secret password then enable scret password override the enable password.Enable secret passowrd will be given priority and that passwoed will be yours enable password to login into router.
Thanks for making me orrect my own errors... typos... I was on my phone when I wrote that and I tend to focus more on typing than on what I'm typing
Ok, yes, I meant salted. Seeding is a similar process in random number generation.
MD5 is definitely not collision proof. I've read multiple papers in the IEEE newsletters on cryptography which factor MD5 down bit by bit. It's also why it is so important to have so many bits. After all, even using ASICs and massive parallel systems, we lack the computing power on earth to brute force an MD5 key. This is why we never approach the topic from trying one at a time. We instead agorithmically narrow our way in towards a result which will generate the same hash.
Let's assume you're working with a challenge attack. If I were to capture even a single exchange between two devices which have the correct passwords, the goal would be to figure out what key would generate the hash containing in the challenge response given the contents of the challenge, the sequence number and the other parts of the packet involved.
One method is to assume the key used to generate the hash was 10 bytes or less and contains only keys typable on an English keyboard. This is a huge rainbow list to work through. Since there is no salt involved, the challenge is the "wildcard" or salt so to say, the current rainbow lists for MD5, SHA-1 and others coming are searchable in a binary tree fashion. So, all you've have to do is search the tree based on which keys would likely generate the next bit of the key. We're still talking about tens of trillions of possibilities to try, but that is within reason to calculate. Using ATI GPUs which are almost idealy suited to MD5 and SHA-1 hashing (as can be seen in BitCoin mining), it is easy to build an almost perfect computer for this on the cheap.
I think I'll try to write a paper which describes this clearly and upload it as a document to the CCNA Security Study group, but I have to drive my wife to a party now.
Hope this clears some things up.
In these examples "test" will be used as the password.
This sets a console password. (Unencrypted in a "show run")
Router(config)# line console 0
Router(config-line)# password test
This sets a Telnet/SSH password. (Unencrypted in a "show run")
Router(config)# line vty 0 15
Router(config-line)# password test
This sets a password for priviledge exec mode. (Unencrypted in a "show run")
Router(config)# enable password test
This sets a highly encrypted priviledge exec password. (Encrypted in a "show run")
Router(config)# enable secret test
This will set all unencrypted passwords (current and future) with a low level encryption. (Encrypted in a "show run")
Router(config)# service password-encryption
*Note: If "enable password" has been used before a "enable secret" command, the new "enable secret" will have precedance and will take over as the login credential.
Usaually enable password worked in clear text it is not good for the network.
But we can use this wit the "service password-encryption" command it will take the mid level encryption.
But the "enable secert" give in an MD5 encryption which is best for you.