1

I'm figuring out the basics of Cisco IOS commands and I am struggling to find the answer to the following question:

What would provide better protection when you set up a password to allow privileged EXEC:

  • enable password blahblah
  • service password-encryption

or

  • enable secret blahblah

What would be a better way to set up a password and encrypt it? And which one uses better encryption?

Thanks, Dempsey

2 Answers

4

Here's the best way I can explain it:

  • enable password uses no encryption at all, so this is obviously not recommended.
  • enable secret uses MD5 to hash the password, so you do not have to worry about the enable password being stored in clear text. If your Cisco device supports it, then use it.
  • service password-encryption encrypts all other passwords such as console and VTY; however, it uses a weak and easily crackable encryption scheme and is really only effective against shoulder surfing. So if you issue a show running-conf command and somebody is behind you, they won't be able to see the passwords in the output.

Bottom line: always use enable secret when possible; cleartext passwords are never a good thing.

Miguel
2

The better way to set up a password and encrypt it on a Cisco device is to use the command enable secret password. It uses the MD5 algorithm or SHA-256 to hash the password.

The service password-encryption is weak, because:

service password-encryption allows you to encrypt all passwords 
on your router so they cannot be easily guessed from your running-config. 
This command uses a very weak encryption because the router has to
very quickly decode the passwords for its operation. It is meant to
prevent someone from looking over your shoulder and
seeing the password, that is all.

Hope this helps.

cuonglm
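The distinction both answers draw can be checked mechanically on a saved running-config. The following is an added example, not part of either answer: it classifies each stored password by the type digit IOS writes before it (0 or no digit is cleartext, 7 is the reversible service password-encryption format, 4/5/8/9 are one-way hashes). The names `audit`, `weak`, `STORAGE` and `SAMPLE` are assumptions, and the sample config is constructed.

```python
import re

# Type digit IOS writes before a stored credential (no digit = stored as typed).
STORAGE = {
    "0": "cleartext",
    "7": "reversible",    # written by service password-encryption
    "4": "one-way hash",  # SHA-256
    "5": "one-way hash",  # MD5, the classic "enable secret" format
    "8": "one-way hash",  # PBKDF2-SHA-256
    "9": "one-way hash",  # scrypt
}

# "enable password|secret [level N] [type] value" or, inside a "line" block,
# " password [type] value". "service password-encryption" itself never matches.
CRED = re.compile(
    r"^\s*(?P<enable>enable\s+)?(?P<kw>password|secret)\s+"
    r"(?:level\s+\d+\s+)?(?:(?P<type>\d)\s+)?(?P<value>\S+)"
)

def audit(config_text):
    """Return (line number, command, storage class) for each stored password."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = CRED.match(line)
        if m is None:
            continue
        command = ("enable " if m.group("enable") else "line ") + m.group("kw")
        storage = STORAGE.get(m.group("type") or "0", "unknown")
        findings.append((lineno, command, storage))
    return findings

def weak(findings):
    """Findings that are not stored as a one-way hash."""
    return [f for f in findings if f[2] != "one-way hash"]

# Constructed running-config excerpt; the hash and type 7 values are placeholders.
SAMPLE = """\
no service password-encryption
enable password blahblah
enable secret 5 $1$EXMP$CONSTRUCTED-PLACEHOLDER-HASH
line con 0
 password 7 CONSTRUCTED-TYPE7-PLACEHOLDER
line vty 0 4
 password blahblah
"""

if __name__ == "__main__":
    for lineno, command, storage in audit(SAMPLE):
        print(f"line {lineno}: {command:<16} {storage}")
```

Every entry returned by `weak()` is a password that should be replaced with a hashed `secret`, or, for line passwords that have no hashed form, treated as exposed whenever the config file is.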