Cisco Router Passwords: Enable and Secret
Several types of passwords can be configured on a Cisco router, such as the enable password, the secret password, and passwords for Telnet and SSH connections and the console port. All of these are good places to require a password, but if you set only one password on only one access location, it should at least be an enable password.
The last several versions of the Cisco IOS for routers force you to set up passwords on the first boot if you have not already enabled passwords.
Setting the enable password
You use the enable password every time you move from User EXEC mode to Privileged EXEC mode. This password gives you security on your router, because Privileged EXEC mode is where all the dangerous commands are located, including access to Global Configuration mode. To set an enable password, use the following command:
Router2>enable
Router2#configure terminal
Router2(config)#enable password mypassword
This command creates an enable password that is stored in your configuration file. To view this password, show the running configuration using the following command:
Router2>enable
Password:
Router2#show running-config | include enable password
enable password mypassword
You may immediately see the problem here. The password is stored in plain text in your configuration file, so anyone who has access to your configuration file can easily read the password.
Setting the secret password
Cisco’s solution to the enable password’s inherent problem was to create a new type of password called the secret password. When you configure both an enable and a secret password, the secret password is the one used to switch from User EXEC mode to Privileged EXEC mode. The following commands set both passwords for your router:
Router2>enable
Router2#configure terminal
Router2(config)#enable password mypassword
Router2(config)#enable secret mysecretpassword
To see your enable passwords in your configuration, use the following command:
Router2>enable
Password:
Router2#show running-config | include enable
enable secret 5 $1$BSX4$FZp.ZFvYSAGUEDn8dvr140
enable password mypassword
Most encrypted passwords in your configuration file use a weak reversible encryption and are identified by a 7 in the password line, whereas the secret password is stored as a one-way MD5 hash, denoted by a 5 in the password line. You may also see a 0, which identifies an unencrypted password.
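The type digits described above can be checked automatically when reviewing a saved configuration. The following is an added example, not code from the original article or from Cisco: it classifies each password line by its type digit and reports the ones that anyone with read access to the file can read or recover. It goes slightly beyond the enable lines by also covering the password sub-command under line blocks; the function names, the risk labels and the sample line passwords are this example's own assumptions.

```python
import re

# Type digits as described above: 0 = unencrypted, 7 = weak reversible
# encryption, 5 = one-way MD5 hash.
TYPE_RISK = {"0": "plaintext", "7": "weak-reversible", "5": "md5-hash"}

# Matches "enable password ...", "enable secret 5 ..." and the "password ..."
# sub-command under a line block. No type digit means stored as typed (type 0).
PASSWORD_LINE = re.compile(
    r"^\s*(?P<enable>enable\s+)?(?P<kind>password|secret)\s+"
    r"(?:(?P<type>\d)\s+)?(?P<value>\S.*)$"
)

def audit_config(text):
    """Return (line_no, kind, type_digit, risk) for each password line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = PASSWORD_LINE.match(line)
        if not m:
            continue
        kind = ("enable " if m.group("enable") else "line ") + m.group("kind")
        type_digit = m.group("type") or "0"
        risk = TYPE_RISK.get(type_digit, "unknown-type")
        findings.append((line_no, kind, type_digit, risk))
    return findings

def weak_entries(findings):
    """Entries readable or recoverable by anyone who can read the config."""
    return [f for f in findings if f[3] in ("plaintext", "weak-reversible")]

# Constructed sample config. The enable lines are the ones shown above; the
# line passwords and their values are placeholders, not real encoded strings.
SAMPLE_CONFIG = """\
hostname Router2
enable secret 5 $1$BSX4$FZp.ZFvYSAGUEDn8dvr140
enable password mypassword
line con 0
 password 7 0000000000
line vty 0 4
 password 0 example
"""

if __name__ == "__main__":
    for line_no, kind, digit, risk in weak_entries(audit_config(SAMPLE_CONFIG)):
        print(f"line {line_no}: {kind} (type {digit}) is {risk}")
```

On the sample, the plaintext enable password is reported even though an enable secret is also configured, because it remains readable in the file.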