enable password vs. secret password
johnifanx98
Member Posts: 329
in CCNA & CCENT
If a router allows both passwords to be present, then which one is used to authenticate? or, both?
Comments
-
Ivanjam Member Posts: 978 ■■■■□□□□□□Both can be present, but enable secret trumps enable password. See the note in Cisco IOS Security Command Reference - E [Support] - Cisco SystemsFall 2014: Start MA in Mathematics [X]
Fall 2016: Start PhD in Mathematics [X] -
jayskata Member Posts: 97 ■■□□□□□□□□enable secret supercedes enable password...it overrides the enable password so to speak even if both commands were applied. Hope that helps
-
johnifanx98 Member Posts: 329Both can be present, but enable secret trumps enable password. See the note in Cisco IOS Security Command Reference - E* [Support] - Cisco Systems
Thanks for the notes. I thought the purpose of secret password is to prevent user logging in using enable password from seeing the secret password in plaintext. Now it seems like if both passwords are enabled, then the user logged in must know the secret password. Then what is the point to encrypt the secret password? -
theodoxa Member Posts: 1,340 ■■■■□□□□□□REMOVED UNNECESSARY QUOTED REPLY FROM PREVIOUS POST
enable secret was I believe included for backwards compatibility with some VERY OLD devices/IOSes that did not support enable secret.R&S: CCENT → CCNA → CCNP → CCIE [ ]
Security: CCNA [ ]
Virtualization: VCA-DCV [ ] -
EdTheLad Member Posts: 2,111 ■■■■□□□□□□The old method i.e. before "enable secret" for putting an enable password on a device was "enable password".
This password would be displayed as clear text via the cli, to encrypt this password so that its not visible you can use the command "service password-encryption" , this uses a type 7 encryption method which is easily reversed, lots of programs available on internet to do this, therefore not safe.
Enable secret uses md5, the output is a hash, it's irreversible ,so very secure. The encrypted secret seen on the cli i.e. ztyty6xtyxtyx is not the actual hash, the hash is 128 bits long, it's just a cosmetic string linked to the actual hash.Networking, sometimes i love it, mostly i hate it.Its all about the $$$$ -
johnifanx98 Member Posts: 329On unix, all passwords are put in the same file, /etc/password. Generally every user can view this file, so it's necessary to encrypt the passwords. However, there is only one privileged user in the router. Then who it protects against?
-
EdTheLad Member Posts: 2,111 ■■■■□□□□□□Normal practice is to store router configs on a backup server, anybody who has access to the server can view config files, learn the passwords and access the routers. Look at it as an added layer of security that you would prefer to have than not have.
If i was logging an issue, and this hashing wasn't available, every time i did a "show running" i'd have to go and modify my log, just in case i sent someone my enable password by accident.Networking, sometimes i love it, mostly i hate it.Its all about the $$$$