December 2006
Intermediate to advanced
1188 pages
72h 8m
English
Content preview from Cisco IOS Cookbook, 2nd EditionBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Using Better Password-Encryption Techniques
Problem
You want to assign a privileged password with a stronger encryption standard than Cisco’s trivial default encryption.
Solution
To enable strong, nonreversible encryption of the privileged password, use the enable secret configuration command:
Router1#configure terminalEnter configuration commands, one per line. End with CNTL/Z. Router1(config)#enable secretRouter1(config)#ORAbooksendRouter1#
Beginning with IOS Version 12.2(8)T, Cisco introduced strong encryption for its username command as well. To enable strong encryption for router usernames, use the username secret command:
Router#configure terminalEnter configuration commands, one per line. End with CNTL/Z. Router(config)#usernameijbrownsecretRouter(config)#oreillyendRouter#
Discussion
Cisco introduced the enable secret password to improve the security of the enable password command. This command uses the cryptographically strong MD5 algorithm to encrypt passwords. It it extremely difficult to crack this algorithm. In fact, there are no known ways to uniquely reverse MD5 encryptions, which is why it is called a nonreversible algorithm.
When you configure the router with an enable secret password, it will encrypt your enable password whether you have the service password-encryption command or not. The service password-encryption command has no effect on the enable secret password.
Configuring a nonreversible enable password provides greater security than the traditional