Router Overview - Enable and Enable Secret Passwords
(Page 9 of 15 )
Once you get past the Line password, you are logged into the router’s IOS software environment. IOS is divided into two privilege levels, EXEC and Privileged EXEC (which is usually called enable mode).
The EXEC level contains only basic, nondestructive commands. Being in enable mode provides access to more commands. EXEC-level commands basically allow you to view a router. Enable mode commands are more powerful in that they let you reconfigure the router’s settings. These commands are potentially destructive commands, the erase command being a good example.
Two types of passwords can be used to restrict access to Privileged EXEC (enable mode): the Enable password and the Enable Secret password. The idea of a “secret password” seems silly at first. Ofcourseall passwords are secret, or at least they should be. What the Cisco engineers are alluding to here is the level of encryption used to mask the password from unauthorized users.
The Privileged EXEC Level of IOS Enable and Enable Secret passwords both do the same thing: they restrict access to Privileged EXEC (enable mode). The difference between the two is in the level of encryption supported. Encryptionis a technique used to scramble data, making it incomprehensible to those who don’t have a key to read it. Enable Secret passwords are scrambled using an advanced encryption algorithm based on 128 bits for which there is no known decoding technique. Encryption for the Enable password relies on a less powerful algorithm. Cisco strongly recommends using Enable Secret instead of the Enable password.
Enable Secret was introduced in 1997, so a fair amount of hardware and software that can support only Enable passwords is still in use, and servers storing backup IOS images frequently service both old and new routers. When both are set, the Enable Secret password always takes precedence over the Enable password. IOS will only put the Enable password to use when running an old version of IOS software.
IOS passwords are stored in the configuration file for a router. Configuration files routinely cross networks as routers are updated and backed up. Having an Enable Secret password means that a hacker using a protocol analyzer (a test device that can read packets) will have a tougher time decoding your password. The following sample configuration file illustrates this:
version 11.2
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname Router
!
enable secret 5 $1$C/q2$ZhtujqzQIuJrRGqFwdwn71
enable password 7 0012000F
Note that the encryption mask of the Enable password on the last line is much shorter than the encryption mask of the Enable Secret password (on the second-to-last line).
The Service Password-Encryption Command Certain types of passwords, such as Line passwords, by default appear in clear text in the configuration file. You can use the service password-encryption command to make them more secure. Once this command is entered, each password configured is automatically encrypted and thus rendered illegible inside the configuration file (much as the Enable/Enable Secret passwords are). Securing Line passwords is doubly important in networks on which TFTP servers are used, because TFTP backup entails routinely moving config files across networks—and config files, of course, contain Line passwords.
 This chapter is from Cisco: A Beginner's Guide, by Velte and Velte (McGraw-Hill/Osborne, 2004, ISBN: 0072256354). Check it out at your favorite bookstore today.
Buy this book now. |
Next: Router Hardware and Memory >>
More Networking Hardware Articles
More By McGraw-Hill/Osborne
/ 95 
