enable password vs. secret password

johnifanx98johnifanx98 Member Posts: 329
in CCNA & CCENT
If a router allows both passwords to be present, then which one is used to authenticate? or, both?
· Share on FacebookShare on Twitter

Comments

  • IvanjamIvanjam Member Posts: 978 ■■■■□□□□□□
    Both can be present, but enable secret trumps enable password. See the note in Cisco IOS Security Command Reference - E  [Support] - Cisco Systems
    Fall 2014: Start MA in Mathematics [X]
    Fall 2016: Start PhD in Mathematics [X]
    · Share on FacebookShare on Twitter
  • jayskatajayskata Member Posts: 97 ■■□□□□□□□□
    enable secret supercedes enable password...it overrides the enable password so to speak even if both commands were applied. Hope that helps icon_thumright.gif
    · Share on FacebookShare on Twitter
  • johnifanx98johnifanx98 Member Posts: 329
    Ivanjam wrote: »
    Both can be present, but enable secret trumps enable password. See the note in Cisco IOS Security Command Reference - E* [Support] - Cisco Systems

    Thanks for the notes. I thought the purpose of secret password is to prevent user logging in using enable password from seeing the secret password in plaintext. Now it seems like if both passwords are enabled, then the user logged in must know the secret password. Then what is the point to encrypt the secret password?
    · Share on FacebookShare on Twitter
  • theodoxatheodoxa Member Posts: 1,340 ■■■■□□□□□□
    REMOVED UNNECESSARY QUOTED REPLY FROM PREVIOUS POST

    enable secret was I believe included for backwards compatibility with some VERY OLD devices/IOSes that did not support enable secret.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
    · Share on FacebookShare on Twitter
  • EdTheLadEdTheLad Member Posts: 2,111 ■■■■□□□□□□
    The old method i.e. before "enable secret" for putting an enable password on a device was "enable password".
    This password would be displayed as clear text via the cli, to encrypt this password so that its not visible you can use the command "service password-encryption" , this uses a type 7 encryption method which is easily reversed, lots of programs available on internet to do this, therefore not safe.
    Enable secret uses md5, the output is a hash, it's irreversible ,so very secure. The encrypted secret seen on the cli i.e. ztyty6xtyxtyx is not the actual hash, the hash is 128 bits long, it's just a cosmetic string linked to the actual hash.
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
    · Share on FacebookShare on Twitter
  • johnifanx98johnifanx98 Member Posts: 329
    On unix, all passwords are put in the same file, /etc/password. Generally every user can view this file, so it's necessary to encrypt the passwords. However, there is only one privileged user in the router. Then who it protects against?
    · Share on FacebookShare on Twitter
  • EdTheLadEdTheLad Member Posts: 2,111 ■■■■□□□□□□
    Normal practice is to store router configs on a backup server, anybody who has access to the server can view config files, learn the passwords and access the routers. Look at it as an added layer of security that you would prefer to have than not have.

    If i was logging an issue, and this hashing wasn't available, every time i did a "show running" i'd have to go and modify my log, just in case i sent someone my enable password by accident.
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
    · Share on FacebookShare on Twitter
Sign In or Register to comment.