enable password vs. secret password

johnifanx98

If a router allows both passwords to be present, then which one is used to authenticate? or, both?

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

Ivanjam

Both can be present, but enable secret trumps enable password. See the note in Cisco IOS Security Command Reference - E [Support] - Cisco Systems

jayskata

enable secret supercedes enable password...it overrides the enable password so to speak even if both commands were applied. Hope that helps

johnifanx98

Ivanjam wrote: »

Both can be present, but enable secret trumps enable password. See the note in Cisco IOS Security Command Reference - E* [Support] - Cisco Systems

Thanks for the notes. I thought the purpose of secret password is to prevent user logging in using enable password from seeing the secret password in plaintext. Now it seems like if both passwords are enabled, then the user logged in must know the secret password. Then what is the point to encrypt the secret password?

theodoxa

REMOVED UNNECESSARY QUOTED REPLY FROM PREVIOUS POST

enable secret was I believe included for backwards compatibility with some VERY OLD devices/IOSes that did not support enable secret.

EdTheLad

The old method i.e. before "enable secret" for putting an enable password on a device was "enable password".
This password would be displayed as clear text via the cli, to encrypt this password so that its not visible you can use the command "service password-encryption" , this uses a type 7 encryption method which is easily reversed, lots of programs available on internet to do this, therefore not safe.
Enable secret uses md5, the output is a hash, it's irreversible ,so very secure. The encrypted secret seen on the cli i.e. ztyty6xtyxtyx is not the actual hash, the hash is 128 bits long, it's just a cosmetic string linked to the actual hash.

johnifanx98

On unix, all passwords are put in the same file, /etc/password. Generally every user can view this file, so it's necessary to encrypt the passwords. However, there is only one privileged user in the router. Then who it protects against?

EdTheLad

Normal practice is to store router configs on a backup server, anybody who has access to the server can view config files, learn the passwords and access the routers. Look at it as an added layer of security that you would prefer to have than not have.

If i was logging an issue, and this hashing wasn't available, every time i did a "show running" i'd have to go and modify my log, just in case i sent someone my enable password by accident.