service password-encryption vs. enable password

mguy

service password-encryption vs. enable secret
---

I thought the enable secret is already encrypted? What are the differences between these two commands?

*so sorry, I meant "enable secret" for the encrypted password (on the subject line)

fsanyee

enable secret: only enable pass encrypted
service password-encryption: all password on a device is encrypted (vty, con....)

Ltat42a

The enable-secret option encrypts your password when you configure the router. When someone looks at your running config, it will not display your "enable" password. However, if you DO NOT use the service password option, when someone views your running config, it will display all passwords except the "enable secret". It will show what your password is for your console line, and VTY (Telnet). When you DO use the service passsword-encryption, when someone views your running config, those passwords will NOT be displayed.

Like this:
Current configuration : 748 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
enable secret 5 $1$mERr$GvDaTJK9lhdXRUPWKA74O0
!
- snip -

line con 0
password cisco
login
line vty 0 4
password letmein
login


Here's service password-encryption enabled

Current configuration : 765 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R1
!
!
!
enable secret 5 $1$mERr$GvDaTJK9lhdXRUPWKA74O0

- snip -

!
line con 0
password 7 0822455D0A16
login
line vty 0 4
password 7 082D495A041C0C19
login
!

Can't see these passwords!!

HTH

Roguetadhg

Just be aware of this: IFM - Cisco Password Cracker

ciscoman2012

The best way I like to remember it is:

Enable Secret: hashes your enable password so that even if someone has access to the configuration and could copy / paste the code into a Cisco Password Cracker they still wouldn't be able to figure out what the correct password is.

Service password-encryption: This is used for encrypting all your passwords so that they cannot be easily read by people watching you configure the switch over your shoulder. It is a lot better having the passwords not show clear text as then other people who don't need to be accessing the switch still do not know. Now, you don't want to be passing around your configs to everyone because if they get the config and copy / paste the password, even with service password-encryption enabled, it will be easily crackable in many websites. The only secure way is using enable secret.

sizeon

enable secret is automatically encrypted when set. Also, it sets a "password' in-order to log into privilege exec mode.
service password-encryption is a command that encrypts passwords after you reload the device or do a show run command.

Please take note that a "secret" is prefer by the device over a "password"

nikooo

Basic was already described in previous posts, but if we want some reference to Cisco: Cisco IOS Password Encryption Facts - Cisco Systems