service password-encryption vs. enable password
mguy
service password-encryption vs. enable secret
---
I thought the enable secret is already encrypted? What are the differences between these two commands?
*so sorry, I meant "enable secret" for the encrypted password (on the subject line)
Comments
fsanyee
enable secret: only the enable password is encrypted
service password-encryption: all passwords on a device are encrypted (vty, con....)
Ltat42a
The enable-secret option encrypts your password when you configure the router. When someone looks at your running config, it will not display your "enable" password. However, if you DO NOT use the service password option, when someone views your running config, it will display all passwords except the "enable secret". It will show what your password is for your console line, and VTY (Telnet). When you DO use the service password-encryption, when someone views your running config, those passwords will NOT be displayed.
Like this:
Current configuration : 748 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
enable secret 5 $1$mERr$GvDaTJK9lhdXRUPWKA74O0
!
- snip -
line con 0
password cisco
login
line vty 0 4
password letmein
login
Here's service password-encryption enabled
Current configuration : 765 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R1
!
!
!
enable secret 5 $1$mERr$GvDaTJK9lhdXRUPWKA74O0
- snip -
!
line con 0
password 7 0822455D0A16
login
line vty 0 4
password 7 082D495A041C0C19
login
!
Can't see these passwords!!
HTH
Roguetadhg
Just be aware of this:
IFM - Cisco Password Cracker
ciscoman2012
The best way I like to remember it is:
Enable Secret: hashes your enable password so that even if someone has access to the configuration and could copy / paste the code into a Cisco Password Cracker they still wouldn't be able to figure out what the correct password is.
Service password-encryption: This is used for encrypting all your passwords so that they cannot be easily read by people watching you configure the switch over your shoulder. It is a lot better having the passwords not show clear text as then other people who don't need to be accessing the switch still do not know. Now, you don't want to be passing around your configs to everyone because if they get the config and copy / paste the password, even with service password-encryption enabled, it will be easily crackable in many websites. The only secure way is using enable secret.
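Added example, not part of any post in this thread: a small Python audit that classifies the credential lines from the configs Ltat42a quoted by storage type, following the distinction ciscoman2012 draws between the hashed enable secret and the reversible type 7 encoding. The sample config is constructed from those excerpts; the function name `audit` and the verdict labels are assumptions of this example.

```python
import re

# Constructed sample: credential lines taken from the two configs quoted above.
SAMPLE = """\
hostname R1
enable secret 5 $1$mERr$GvDaTJK9lhdXRUPWKA74O0
line con 0
password cisco
login
line vty 0 4
password 7 082D495A041C0C19
login
"""

# Storage type -> (what it is, audit verdict). Only the types seen in this
# thread are classified; anything else is reported as "other" for review.
TYPES = {
    "0": ("cleartext", "FAIL"),
    "7": ("reversible encoding", "WARN"),
    "5": ("salted MD5 hash", "OK"),
}

# Matches "[enable ]password|secret [<type>] <value>" on a single config line.
CRED = re.compile(r"^(enable\s+)?(password|secret)\s+(?:(\d+)\s+)?\S+$")


def audit(config):
    """Return (scope, keyword, type, description, verdict) per credential line."""
    findings = []
    scope = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            scope = line              # e.g. "line vty 0 4"
            continue
        m = CRED.match(line)
        if m is None:
            continue
        where = "enable" if m.group(1) else scope
        ptype = m.group(3) or "0"     # no type digit: stored exactly as typed
        desc, verdict = TYPES.get(ptype, ("other", "REVIEW"))
        findings.append((where, m.group(2), ptype, desc, verdict))
    return findings


if __name__ == "__main__":
    for where, kw, ptype, desc, verdict in audit(SAMPLE):
        print(f"{verdict:6} {where:14} {kw} type {ptype}: {desc}")
```
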
sizeon
enable secret is automatically encrypted when set. Also, it sets a "password" in order to log into privilege exec mode.
service password-encryption is a command that encrypts passwords after you reload the device or do a show run command.
Please take note that a "secret" is preferred by the device over a "password"
nikooo
The basics were already described in previous posts, but if we want some reference to Cisco:
Cisco IOS Password Encryption Facts - Cisco Systems