Options
enable password encryption vs service password-encryption
NigelStorm
Registered Users Posts: 2 ■□□□□□□□□□
in CCNA & CCENT
G'day guys,
Totally new to the world of Cisco/CCNA and currently attending my Cisco Network Academy Stage 1 program. As I'm in the processing of doing my tests and particularly in Chapter 6, I have found that if I incorrectly enter the wrong command in
enable password encryption instead of
service password-encryption
I cannot login at the EXEC level anymore. This mean its screws up the "enable secret" password and won't let me in no matter what.
Is there any way to fix this without having to shut down the whole exam and start again? Surely, there is a way to counter the "enable password encryption" command?
So frustrated at the moment and no matter what I do, I cannot login to the router.
So this is where I get stuck:
Welcome to network blah blah
password: *****
Router>en
password: ****
% bad secrets
so the above is where i get stuck as the old password that was working fine is not working after my mistake above.
Any help will be totally appreciated.
Thanks.
Nigel.
Totally new to the world of Cisco/CCNA and currently attending my Cisco Network Academy Stage 1 program. As I'm in the processing of doing my tests and particularly in Chapter 6, I have found that if I incorrectly enter the wrong command in
enable password encryption instead of
service password-encryption
I cannot login at the EXEC level anymore. This mean its screws up the "enable secret" password and won't let me in no matter what.
Is there any way to fix this without having to shut down the whole exam and start again? Surely, there is a way to counter the "enable password encryption" command?
So frustrated at the moment and no matter what I do, I cannot login to the router.
So this is where I get stuck:
Welcome to network blah blah
password: *****
Router>en
password: ****
% bad secrets
so the above is where i get stuck as the old password that was working fine is not working after my mistake above.
Any help will be totally appreciated.
Thanks.
Nigel.
Comments
-
OptionsPCHoldmann
Member Posts: 450
"enable password encryption" would set "encryption" as your enable password.
Service password-encryption is the correct command to enable the encryption of passwords stored in the configuration.There's no place like ^$
Visit me at Route, Switch, Blog -
OptionsNigelStorm
Registered Users Posts: 2 ■□□□□□□□□□
PCHoldmann wrote: »"enable password encryption" would set "encryption" as your enable password.
Service password-encryption is the correct command to enable the encryption of passwords stored in the configuration.
I knew that!! Shows you shouldn't do exams when you are dead tired..
Thank you so much mate! -
Optionsmagiclamp
Member Posts: 3 ■□□□□□□□□□
Adding some more explanation to PCHoldmann's reply.
"service password-encryption" is a weak reversible encryption. Better option is "enable secret", which stores password in MD5 hash format (irreversible). MD5 hashes are also vulnerable to password attacks. But the MD5 hash which is used in Cisco IOS is known as MD5 salt hash. MD5 salt hashes help to store different MD5 hashes of the same password in the running configuration.
For example, see the running configuration output of two routers configured with same enable secret "ToPSecReT" for enable EXE mode.
Router R1
R1#show running-config | section enable
enable secret 5 $1$h2ms$1bhvcZN5VjrU088su5t7h/
Router R2
R2#show running-config | section enable
enable secret 5 $1$8Pw6$rHgbz4j.SS6pfEYmFwP3Y/
We can see that both MD5 hashes (for the same enable secret) are entirely different. This provides much more security from password attacks.
Refer following links for more details.
http://en.wikipedia.org/wiki/Salt_%28cryptography%29
http://www.omnisecu.com/ccna-security/strong-passwords-and-password-encryption-to-protect-management-plane.php