
Recipe 3.3 Using Better Encryption Techniques

3.3.1 Problem

You want to assign a privileged password using a stronger encryption standard than Cisco's trivial default encryption.

3.3.2 Solution

To enable strong, nonreversible encryption of the privileged password, use the enable secret configuration command:

Router1#configure terminal  
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#enable secret ORAbooks
Router1(config)#end
Router1#

3.3.3 Discussion

Cisco introduced enable secret to improve the security of the enable password command. This command uses the cryptographically strong MD5 algorithm to encrypt passwords. There are no known methods for reversing this algorithm. When you configure an enable secret password, the router stores it in encrypted form whether or not the service password-encryption command is configured; the service password-encryption command has no effect on the enable secret password.

Configuring a nonreversible enable password provides greater security than the traditional enable password command. It is useful in environments that store or transfer configuration files across the network. The enable secret password takes precedence over the enable password—if you have both types of enable passwords configured, the router uses only the secret version. We highly recommend using the enable secret password on all routers.

The following command shows what the enable secret command looks like in the router's configuration file:

Router1#show running-config | include secret
enable secret 5 $1$Ahxf$4OivEQn0n0JneSObfRdSw0
Router1#

The following is a list of enable secret password restrictions:

You should never use the same password for the enable password and enable secret commands. The router warns you against doing this, but will accept it:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#enable password cisco
Router1(config)#enable secret cisco
The enable secret you have chosen is the same as your enable password.
This is not recommended.  Re-enter the enable secret.
   
Router1(config)#end
Router1#

Setting the same password for both commands defeats the purpose of using the enable secret command in the first place by rendering its strong encryption useless. Avoid this problem by choosing a different password or removing the enable password altogether.
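The following script is an added example, not part of the original recipe or of any Cisco tool: it audits a saved running-config for the two problems just described (an enable password kept alongside the enable secret, and an enable password stored in clear text or with the reversible type 7 scheme). The configuration excerpt, the hash values in it, and the type 7 string are constructed samples.

```python
import re

# Constructed sample running-config excerpt for the audit below (not from a real device).
SAMPLE_CONFIG = """\
service password-encryption
hostname Router1
!
enable password 7 0822455D0A16
enable secret 5 $1$Ahxf$4OivEQn0n0JneSObfRdSw0
!
line vty 0 4
 password 7 094F471A1A0A
 login
end
"""

# Matches "enable password ..." and "enable secret ..." lines, allowing the optional
# "level N" keyword and the optional numeric encryption type (0 = clear text, 5, 7).
ENABLE_RE = re.compile(
    r"^enable (password|secret)(?: level \d+)?(?: (\d))? (.+?)\s*$", re.MULTILINE
)

NO_SECRET = "no enable secret configured: privileged mode relies on the weak enable password"
CLEARTEXT = "enable password stored in clear text (type 0)"
TYPE7 = "enable password stored with reversible type 7 encryption"
REDUNDANT = "enable password is redundant: enable secret takes precedence, remove it with 'no enable password'"


def audit_enable_passwords(config):
    """Return a list of findings about the enable password/secret lines of a config."""
    entries = {}
    for m in ENABLE_RE.finditer(config):
        kind, ptype = m.group(1), m.group(2) or "0"  # no type number means clear text
        entries[kind] = ptype
    findings = []
    if "secret" not in entries:
        findings.append(NO_SECRET)
    if "password" in entries:
        if entries["password"] == "0":
            findings.append(CLEARTEXT)
        elif entries["password"] == "7":
            findings.append(TYPE7)
        if "secret" in entries:
            # The remaining case from the text, the same string used for both commands,
            # cannot be detected from the config alone without recomputing the type 5 hash.
            findings.append(REDUNDANT)
    return findings


if __name__ == "__main__":
    for finding in audit_enable_passwords(SAMPLE_CONFIG):
        print("-", finding)
```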

Even strong encryption is vulnerable to dictionary and brute-force attacks. To protect against such attacks, ensure that all of your passwords are difficult to guess, and never use words found in a dictionary. For example, we used a common password-cracking program that took less than a minute to find the password "cookbook11."

3.3.4 See Also

Recipe 3.4; Recipe 3.22
