Cisco Networking: Setting the Enable Password
The enable password is used when you move from User EXEC mode to Privileged EXEC mode on a Cisco device. Requiring it gives you security on your switch because Privileged EXEC mode is where all the dangerous commands are, including access to Global Configuration mode. To set an enable password, use the following commands:
Switch1>enable
Switch1#configure terminal
Switch1(config)#enable password mypass
This command creates an enable password that is stored in the configuration file. To view this password, show your running configuration using the following command:
Switch1>enable
Password:
Switch1#show running-config | include enable password
enable password mypass
The problem with the enable password is that it is stored in plain text in the configuration file. Anyone with access to your configuration file can read your password without any trouble. Cisco’s solution to this problem was to create a new type of password called the secret password.
When you configure both an enable and a secret password, the secret password is the password that will be used to change from User EXEC mode to Privileged EXEC mode, instead of the weaker enable password. The following code sets both passwords for your switch:
Switch1>enable
Switch1#configure terminal
Switch1(config)#enable password mypass
Switch1(config)#enable secret mysecret
To see this in your configuration, use the following command:
Switch1>enable
Password:
Switch1#show running-config | include enable
enable secret 5 $1$BSX4$FZp.ZFvYSAGUEDn8dvr140
enable password mypass
Most encrypted passwords in your configuration file use weak reversible encryption and are identified by a 7 in the password line, whereas the secret password is stored as a one-way MD5 hash, denoted by a 5 in the password line. You may also see a 0, which identifies an unencrypted password.
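To check a saved configuration for the weaknesses described above, the following added example (not part of the original article or any Cisco tool) classifies each enable line by its storage type and flags an enable password left beside an enable secret. The function name, severity labels and sample text are assumptions made for illustration; the stored value is deliberately never echoed in the findings.

```python
import re

# "enable password|secret [type] value", the line shapes shown in the article's output.
ENABLE_RE = re.compile(r"^\s*enable\s+(password|secret)\s+(?:(\d+)\s+)?(\S+)\s*$")

# Storage types as the article describes them (severity labels are assumptions).
TYPES = {
    "0": ("high", "unencrypted, readable by anyone who sees the config"),
    "7": ("medium", "weak reversible encryption"),
    "5": ("info", "one-way MD5 hash"),
}

def audit_enable_lines(config_text):
    """Return findings for enable credentials; the stored value is never echoed."""
    findings, kinds = [], {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = ENABLE_RE.match(line)
        if not m:
            continue
        kind, ptype, _value = m.groups()
        ptype = ptype or "0"  # no type digit means the password is stored as typed
        severity, note = TYPES.get(ptype, ("review", "type not covered by the article"))
        kinds[kind] = lineno
        findings.append({"line": lineno, "kind": kind, "type": ptype,
                         "severity": severity, "note": note})
    if "password" in kinds and "secret" in kinds:
        # The secret is the one the device uses, so the weaker line only adds exposure.
        findings.append({"line": kinds["password"], "kind": "password", "type": None,
                         "severity": "high",
                         "note": "enable password is set alongside enable secret; "
                                 "the secret is used, so this line only leaks a password"})
    return findings

# Constructed sample: the two lines from the article's output plus unrelated config.
SAMPLE = """\
hostname Switch1
enable secret 5 $1$BSX4$FZp.ZFvYSAGUEDn8dvr140
enable password mypass
interface Vlan1
"""

if __name__ == "__main__":
    for f in audit_enable_lines(SAMPLE):
        print(f"line {f['line']}: enable {f['kind']} type={f['type']} "
              f"[{f['severity']}] {f['note']}")
```
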