Setting the enable password and secret on a Cisco device
The enable password and enable secret are used to restrict access to privileged EXEC mode (also known as enable mode) on Cisco devices. Let's explore the differences between them and how to configure each.
The difference between enable password and enable secret
Both the enable password and enable secret serve the same purpose - they restrict access to privileged EXEC mode. However, there are some important differences:
- Enable password: Stored in plain text in the configuration file
- Enable secret: Stored as a hash in the configuration file
If both are configured on the same device, the enable secret takes precedence and the enable password is ignored.
Configuring the enable password
To set an enable password, use the following command in global configuration mode:
Router(config)# enable password cisco123
This sets "cisco123" as the enable password. When viewing the configuration, you'll see it stored in plain text:
enable password cisco123
Configuring the enable secret
To set an enable secret, use the following command in global configuration mode:
Router(config)# enable secret cisco456
This sets "cisco456" as the enable secret. When viewing the configuration, you'll see it stored as a hash:
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
Security considerations
Since the enable password is stored in plain text, it poses a significant security risk. Anyone with access to the configuration file can easily read the password. The enable secret, being stored only as a hash, provides much better security.
Best practice: Always use the enable secret instead of the enable password for security reasons.
Video demonstration
The video above demonstrates the configuration of both enable password and enable secret on a Cisco device, showing the differences in how they appear in the configuration.
Removing the enable password or secret
To remove either password, use the no form of the command:
Router(config)# no enable password
Router(config)# no enable secret
Remember that removing all enable authentication will leave your device without password protection for privileged mode, which is a serious security concern.
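The checks from the security considerations and the removal caveat above can be automated against a saved configuration. The script below is an added example, not part of the original tutorial: the function name audit_enable_auth, the severity labels and the sample configurations are assumptions made for illustration, and the samples are constructed from the values shown on this page.

```python
import re

# "enable password <value>" or "enable secret [<type>] <value-or-hash>"
ENABLE_RE = re.compile(r"^enable\s+(password|secret)\s+(?:(\d+)\s+)?(\S+)$")

def audit_enable_auth(config_text):
    """Return (severity, message) findings; credential values are never echoed."""
    passwords, secrets = [], []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        match = ENABLE_RE.match(raw.strip())
        if not match:
            continue  # comments ("!"), other commands, blank lines
        kind, type_code, _value = match.groups()
        if kind == "password":
            passwords.append(lineno)
        else:
            secrets.append((lineno, type_code))

    findings = []
    for lineno in passwords:
        findings.append(("HIGH", f"line {lineno}: enable password is readable "
                                 "from the configuration file"))
    if passwords and secrets:
        findings.append(("INFO", "enable secret takes precedence; the enable "
                                 "password is ignored but still exposed, remove "
                                 "it with 'no enable password'"))
    for lineno, type_code in secrets:
        if type_code is None:
            findings.append(("WARN", f"line {lineno}: enable secret has no hash type; "
                                     "this looks like a typed command, not saved config"))
    if not passwords and not secrets:
        findings.append(("HIGH", "no enable password or secret: privileged "
                                 "EXEC mode has no password protection"))
    return findings

# Constructed sample configurations, reusing the values shown on this page.
BOTH = """\
hostname Router
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password cisco123
"""
SECRET_ONLY = "hostname Router\nenable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0\n"
NEITHER = "hostname Router\n!\ninterface GigabitEthernet0/0\n"

if __name__ == "__main__":
    for name, cfg in (("both", BOTH), ("secret only", SECRET_ONLY), ("neither", NEITHER)):
        print(name)
        for severity, message in audit_enable_auth(cfg) or [("OK", "enable secret only")]:
            print(f"  [{severity}] {message}")
```

An empty result means the configuration relies on the enable secret alone, which is the best practice stated above.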