In this article I would like to spend some time explaining how the various passwords work on Cisco routers. We will start with the following two:
enable password
enable secret password
When would you use them?
No password:
Without either password you would be able to do the following:
Router>enable
Router#
Notice - no password was asked for! This is not good, because anyone who reaches user mode gets full privileged access to the router or switch.
Enable password:
The enable password forces a user to enter a password when going from user mode to privilege mode. By default it is stored unencrypted in the configuration, so it is not recommended that you use this password. It is much better to use the enable secret.
To set an enable password of "cisco", do the following:
Router>enable
Router#configure terminal
Router(config)#enable password cisco
Router(config)#end
Once the password is set, the following will happen:
Router>enable
Password:
Router#
Notice - required to enter a password.
However, the problem is that the password is stored in clear text in the running config:
Router#sh run
Building configuration...
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
Notice - the password above is stored in clear text!
Not good. Please see my other articles on how to improve this with service password-encryption; even then, that encoding only obscures the password and can still be cracked quite easily.
Enable secret:
The enable secret password also forces a user to enter a password when going from user mode to privilege mode. It is stored as a salted MD5 hash (shown as type 5 in the configuration) rather than as a reversible encryption, and is therefore recommended over the enable password.
To set an enable secret of "cisco", do the following:
Router>enable
Router#configure terminal
Router(config)#enable secret cisco
Router(config)#end
Once the password is set, the following will happen:
Router>enable
Password:
Router#
Notice - required to enter a password.
This is much better - have a look at the following output of the show run to see why:
Router#sh run
Building configuration...
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$4imO$abc5TVBQ7HnDqk8iu79t3.
!
Notice - only the salted hash is stored, not the password itself. The 5 marks the hash type, $1$ marks the MD5-based scheme, 4imO is the salt and the rest is the hash. This is much better and more secure, although a weak password like "cisco" can still be guessed offline by hashing candidates with the same salt.
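To make the difference between the two show run outputs concrete, here is an added example (not code from the original article): it audits the enable lines of a running config, flagging a clear-text enable password and recognising a type 5 enable secret, and it verifies a type 5 value by recomputing the $1$ md5crypt hash with the stored salt. The md5crypt implementation follows the public FreeBSD algorithm using only the standard library; the sample config and the candidate wordlist are constructed for the demo and modelled on the article's output.

```python
"""Added example, not from the article: audit a Cisco IOS config's 'enable' lines
and verify a type 5 'enable secret' ($1$ md5crypt, implemented from the public
algorithm with only the standard library)."""
import hashlib
import re
from typing import List, Optional, Tuple

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
TYPE5_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")
ENABLE_RE = re.compile(r"^enable (password|secret)(?: level \d+)?(?: (\d+))? (\S+)$")

# Constructed sample, modelled on the show run output in the article.
SAMPLE_CONFIG = """\
no service password-encryption
!
enable password cisco
enable secret 5 $1$4imO$abc5TVBQ7HnDqk8iu79t3.
"""


def _to64(value: int, count: int) -> str:
    """md5crypt's own base64 variant: 6 bits per character, low bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5crypt(password: bytes, salt: str) -> str:
    """$1$ (md5crypt) as in FreeBSD; salt is cut at the first '$' and at 8 chars."""
    salt = salt.split("$")[0][:8]
    salt_b = salt.encode()

    ctx = hashlib.md5(password + b"$1$" + salt_b)
    alt = hashlib.md5(password + salt_b + password).digest()
    remaining = len(password)
    while remaining > 0:  # alternate digest, once per 16 bytes of pw length
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:  # per length bit: NUL for a 1 bit, first password byte for 0
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()

    for r in range(1000):  # deliberately irregular stretching rounds
        ctx1 = hashlib.md5(password if r & 1 else final)
        if r % 3:
            ctx1.update(salt_b)
        if r % 7:
            ctx1.update(password)
        ctx1.update(final if r & 1 else password)
        final = ctx1.digest()

    # Digest bytes are interleaved before encoding, exactly as the C code does.
    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return "$1$" + salt + "$" + encoded


def verify_type5(candidate: str, stored: str) -> bool:
    """True if candidate reproduces a stored 'enable secret 5' value."""
    m = TYPE5_RE.match(stored)
    if not m:
        raise ValueError("not a type 5 hash: " + stored)
    return md5crypt(candidate.encode(), m.group(1)) == stored


def crack_type5(stored: str, wordlist: List[str]) -> Optional[str]:
    """Offline guessing: the hash is not reversible, each guess is recomputed."""
    return next((w for w in wordlist if verify_type5(w, stored)), None)


def audit_enable_lines(config: str) -> List[Tuple[str, str]]:
    """(severity, message) per enable line; untyped 'enable password' is verbatim."""
    findings, kinds = [], set()
    for line in config.splitlines():
        m = ENABLE_RE.match(line.strip())
        if not m:
            continue
        kind, ptype, value = m.groups()
        kinds.add(kind)
        if kind == "password" and ptype in (None, "0"):
            findings.append(("high", "enable password stored in clear text: " + value))
        elif kind == "secret" and ptype == "5":
            findings.append(("ok", "enable secret stored as a type 5 md5crypt hash"))
        else:
            findings.append(("info", f"enable {kind} stored with type {ptype}"))
    if {"password", "secret"} <= kinds:
        findings.append(("info", "both set: the secret wins, but the clear-text password still leaks"))
    return findings


if __name__ == "__main__":
    print(audit_enable_lines(SAMPLE_CONFIG))
    print(crack_type5("$1$4imO$abc5TVBQ7HnDqk8iu79t3.", ["admin", "cisco", "Cisco123"]))
```

Running the script prints the audit findings for the constructed config and then whichever word in the small constructed list reproduces the article's hash, or None if none does. The point of crack_type5 is the caveat from the text: a type 5 secret cannot be decoded, but each guess costs only 1000 MD5 rounds, so a dictionary word is found quickly; pick a long, random enable secret.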
Conclusion
If both are configured, the enable secret takes precedence over the enable password. It is recommended to never set them to the same password, even though a router will allow you to do this, because the clear-text enable password would then give away the secret. Better not to use the enable password at all - just use the enable secret.
David Bombal, CCIE #11023, CCSI, CCDP, CCIP, CCNP, CCSP, CCVP, CCNA, CCDA