Using Better Password-Encryption Techniques

Problem

You want to assign a privileged password with a stronger encryption standard than Cisco’s trivial default encryption.

Solution

To enable strong, nonreversible encryption of the privileged password, use the enable secret configuration command:

Router1#configure terminal  
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#enable secret ORAbooks
Router1(config)#end
Router1#

Beginning with IOS Version 12.2(8)T, Cisco introduced strong encryption for its username command as well. To enable strong encryption for router usernames, use the username secret command:

Router#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#username ijbrown secret oreilly 
Router(config)#end
Router#

Discussion

Cisco introduced the enable secret password to improve on the security of the enable password command. This command stores the password using the cryptographically strong MD5 algorithm, and it is extremely difficult to crack. In fact, there is no known way to uniquely reverse an MD5 hash, which is why it is called a nonreversible algorithm.

When you configure the router with an enable secret password, it will encrypt your enable password whether you have the service password-encryption command or not. The service password-encryption command has no effect on the enable secret password.
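As an added example (not from the cookbook), a small Python audit that reads a saved running-config and flags credentials still stored with the reversible password form instead of secret; the config excerpt and the hash values in it are constructed placeholders.

```python
import re

# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
hostname Router1
service password-encryption
enable password 7 0822455D0A16
enable secret 5 $1$EXAMPLE$placeholderhashvalue
username admin password 0 letmein
username ijbrown secret 5 $1$EXAMPLE$placeholderhashvalue
line vty 0 4
 password cisco
"""

# "password" stores type 0 (cleartext) or type 7 (reversible); "secret" stores
# a one-way hash (type 5 is the MD5-based scheme this recipe describes).
ENABLE_PASSWORD = re.compile(r"^enable password\b")
USERNAME_PASSWORD = re.compile(r"^username (\S+) password\b")
LINE_PASSWORD = re.compile(r"^ password\b")       # indented: under a line block
ENABLE_SECRET = re.compile(r"^enable secret\b")


def audit_config(config: str) -> list[dict]:
    """Return one finding per reversibly stored credential in an IOS config."""
    lines = config.splitlines()
    has_enable_secret = any(ENABLE_SECRET.match(l) for l in lines)
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if ENABLE_PASSWORD.match(line):
            # enable secret takes precedence when both exist, but the weak line
            # is still readable to anyone who can view the configuration.
            fix = ("remove 'enable password'; 'enable secret' is already set"
                   if has_enable_secret else "replace with 'enable secret'")
            findings.append({"line": lineno, "command": line.strip(), "fix": fix})
        elif m := USERNAME_PASSWORD.match(line):
            findings.append({"line": lineno, "command": line.strip(),
                             "fix": f"use 'username {m.group(1)} secret' "
                                    "(IOS 12.2(8)T or later)"})
        elif LINE_PASSWORD.match(line):
            findings.append({"line": lineno, "command": line.strip(),
                             "fix": "line password is stored as type 0 or 7; "
                                    "authenticate against username secret entries"})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['command']}  ->  {f['fix']}")
```

Note that service password-encryption is present in the sample yet the audit still flags the type 7 lines, since that command only obscures rather than hashes.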

Configuring a nonreversible enable password provides greater security than the traditional
