Cisco Networking: Setting the Enable Password

By Edward Tetz from Cisco Networking All-in-One For Dummies

The enable password is used when you move from User EXEC mode to Privileged EXEC mode on a Cisco device. This condition gives you security on your switch because Privileged EXEC mode is where all the dangerous commands are, including Global Configuration mode. To set an enable password you would use the following command:

Switch1>enable
Switch1#configure terminal
Switch1(config)#enable password mypass

This command creates an enable password that is stored in the configuration file. To view this password, show your running configuration using the following command:

Switch1>enable
Password:
Switch1#show running-config | include enable password
enable password mypass

The problem with the enable password is that it is stored in plain text in the configuration file. Anyone with access to your configuration file can read your password without any trouble. Cisco’s solution to this problem was to create a new type of password called the secret password.

When you configure both an enable and a secret password, the secret password is the password that will be used to change from User EXEC mode to Privileged EXEC mode, instead of the weaker enable password. The following code sets both passwords for your switch:

Switch1>enable
Switch1#configure terminal
Switch1(config)#enable password mypass
Switch1(config)#enable secret mysecret

To see this in your configuration, use the following command:

Switch1>enable
Password:
Switch1#show running-config | include enable
enable secret 5 $1$BSX4$FZp.ZFvYSAGUEDn8dvr140
enable password mypass

Most encrypted passwords in your configuration file use a weak reversible encryption and will be identified by a 7 in the password line, whereas the secret password is encrypted with a one-way MD5 hash with a 5 denoted in the password line. You may also see a 0 that identifies it as an unencrypted password.