Previous section   Next section

Recipe 3.3 Using Better Encryption Techniques

3.3.1 Problem

You want to assign a privileged password using a stronger encryption standard than Cisco's trivial default encryption.

3.3.2 Solution

To enable strong, nonreversible encryption of the privileged password, use the enable secret configuration command:

Router1#configure terminal  
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#enable secret ORAbooks
Router1(config)#end
Router1#

3.3.3 Discussion

Cisco introduced enable secret to improve the security of the enable password command. This command uses the cryptographically strong MD5 algorithm to encrypt passwords. There are no known methods for reversing this algorithm. When you configure the router with an enable secret password, it encrypts your enable password whether you have the service password-encryption command or not. The service password-encryption command has no effect on the enable secret password.

Configuring a nonreversible enable password provides greater security than the traditional enable password command. It is useful in environments that store or transfer configuration files across the network. The enable secret password takes precedence over the enable password�if you have both types of enable passwords configured, the router uses only the secret version. We highly recommend using the enable secret password on all routers.

The following command shows what the enable secret command looks like in the router's configuration file:

Router1#show running-config | include secret
enable secret 5 $1$Ahxf$4OivEQn0n0JneSObfRdSw0
Router1#

The following is a list of enable secret password restrictions:

You should never use the same password for the enable password and enable secret commands. The router warns you against doing this, but will accept it:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#enable password cisco
Router1(config)#enable secret cisco
The enable secret you have chosen is the same as your enable password.
This is not recommended.  Re-enter the enable secret.
   
Router1(config)#end
Router1#

Setting the same password for both commands defeats the purpose of using the enable secret command in the first place by rendering its strong encryption useless. Avoid this problem by choosing a different password or removing the enable password altogether.

Even strong encryption is vulnerable to dictionary and brute force attacks. To protect against such attacks, ensure that all of your passwords are difficult to guess. Always avoid using words found in the dictionary. For example, we used a common password-cracking program that took less than a minute to find the password "cookbook11."

3.3.4 See Also

Recipe 3.4; Recipe 3.22


  Previous section   Next section
Top