enable password encryption vs service password-encryption

NigelStorm Registered Users Posts: 2
G'day guys,

Totally new to the world of Cisco/CCNA and currently attending my Cisco Network Academy Stage 1 program. As I'm in the process of doing my tests, particularly in Chapter 6, I have found that if I incorrectly enter the wrong command,

enable password encryption instead of
service password-encryption

I cannot log in at the EXEC level anymore. This means it screws up the "enable secret" password and won't let me in no matter what.

Is there any way to fix this without having to shut down the whole exam and start again? Surely, there is a way to counter the "enable password encryption" command?

So frustrated at the moment and no matter what I do, I cannot log in to the router.

So this is where I get stuck:

Welcome to network blah blah
password: *****
Router>en
password: ****
% bad secrets

So the above is where I get stuck, as the old password that was working fine is not working after my mistake above.

Any help will be totally appreciated.

Thanks.
Nigel.

Comments

  • PCHoldmann Member Posts: 450
    "enable password encryption" would set "encryption" as your enable password.

    Service password-encryption is the correct command to enable the encryption of passwords stored in the configuration.
    There's no place like ^$
    Visit me at Route, Switch, Blog
  • NigelStorm Registered Users Posts: 2
    PCHoldmann wrote:
    "enable password encryption" would set "encryption" as your enable password.

    Service password-encryption is the correct command to enable the encryption of passwords stored in the configuration.


    :) I knew that!! Shows you shouldn't do exams when you are dead tired..

    Thank you so much mate!
  • magiclamp Member Posts: 3
    Adding some more explanation to PCHoldmann's reply.

    "service password-encryption" is a weak reversible encryption. A better option is "enable secret", which stores the password in MD5 hash format (irreversible). MD5 hashes are also vulnerable to password attacks. But the MD5 hash which is used in Cisco IOS is known as MD5 salt hash. MD5 salt hashes help to store different MD5 hashes of the same password in the running configuration.

    For example, see the running configuration output of two routers configured with the same enable secret "ToPSecReT" for enable EXEC mode.

    Router R1

    R1#show running-config | section enable
    enable secret 5 $1$h2ms$1bhvcZN5VjrU088su5t7h/


    Router R2

    R2#show running-config | section enable
    enable secret 5 $1$8Pw6$rHgbz4j.SS6pfEYmFwP3Y/


    We can see that both MD5 hashes (for the same enable secret) are entirely different. This provides much more security from password attacks.

    Refer to the following links for more details.

    http://en.wikipedia.org/wiki/Salt_%28cryptography%29

    http://www.omnisecu.com/ccna-security/strong-passwords-and-password-encryption-to-protect-management-plane.php
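
As an added example (not part of any post in this thread, and not Cisco's code): a small Python audit that classifies how each password line in a configuration is stored, based on the type digit, and extracts the salt from type 5 hashes. The function names and the sample configuration are assumptions; only the two type 5 lines are taken from the thread.

```python
import re

# Constructed sample config: the two type 5 lines are the R1/R2 hashes quoted
# in the thread; the other lines are made up for illustration.
SAMPLE_CONFIG = """\
hostname R1
enable password encryption
enable secret 5 $1$h2ms$1bhvcZN5VjrU088su5t7h/
enable secret 5 $1$8Pw6$rHgbz4j.SS6pfEYmFwP3Y/
username admin password 7 <constructed-type7-placeholder>
"""

# "enable password|secret [type] value" or "username X password|secret [type] value"
LINE_RE = re.compile(
    r"^(?:enable|username\s+\S+)\s+(?P<kind>password|secret)\s+"
    r"(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)
# md5-crypt layout: $1$<salt, up to 8 chars>$<22-char digest>
MD5CRYPT_RE = re.compile(r"^\$1\$(?P<salt>[^$]{1,8})\$(?P<digest>[./0-9A-Za-z]{22})$")

def classify(line):
    """Return a finding dict for one config line, or None if it stores no password."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ptype = int(m.group("type") or 0)  # no type digit: the next word IS the password
    finding = {"line": line.strip(), "type": ptype, "salt": None}
    if ptype == 0:
        finding["storage"] = "cleartext"
    elif ptype == 7:
        finding["storage"] = "reversible"
    elif ptype == 5:
        h = MD5CRYPT_RE.match(m.group("value"))
        finding["storage"] = "salted-md5" if h else "malformed"
        finding["salt"] = h.group("salt") if h else None
    else:
        finding["storage"] = "other"
    return finding

def audit(config_text):
    """Classify every password-bearing line in a configuration."""
    findings = [classify(line) for line in config_text.splitlines()]
    return [f for f in findings if f]

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['storage']:<11} type={f['type']} salt={f['salt']}  {f['line']}")
```

The `enable password encryption` line is reported as cleartext type 0, and the R1 and R2 lines show different salts (`h2ms` and `8Pw6`) for the same secret.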