CCNA, CCNA Security, AND CCNP Exam Tutorial:
Secret Passwords, Not-So-Secret Passwords, And The "Over The Shoulder Network Attack"
(Now With A Three-Minute Video Tutorial!)
Chris Bryant, CCIE #12933
Passwords aren't just all over your CCNA, CCNA Security, and CCNP exams - they're all over your networks, too. (I hope!)
To help you master the different password types and commands available on Cisco routers and switches, here's a tutorial on this important topic. I've just posted one of our popular Three-Minute Video Tutorials that covers this topic as well - you'll find that at the beginning of the tutorial.
We have two options for configuring an enable mode password, as shown below by IOS Help.
Router1(config)#enable ?
password Assign the privileged level password
secret Assign the privileged level secret
Looking at the IOS Help readout, it looks like they do pretty much the same thing, and they do, with one big difference. To demonstrate, we'll first use the enable password command to set a password of CCENT.
Router1(config)#enable password CCENT
Now we'll go back to user exec mode, and then try to get back to enable mode.
Router1#logout
Router1 con0 is now available
Press RETURN to get started.
Router1>enable
Password: < I entered CCENT here, which will not appear on the screen -- that's a Cisco router/switch default >
Router1#
After entering the enable command to get into enable mode, I was now prompted for a password. I entered CCENT (which was not shown on the screen as I typed it in), and I am now back in enable mode.
Let's take a quick look at the current router configuration with show running-config. The console and VTY line passwords will appear at the bottom of the config, but the enable passwords will appear near the top, so I'll show you only that part of the config in this section.
Router1# show running-config
Building configuration...
Current configuration : 1043 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router1
!
enable password CCENT
The enable password worked fine, but the password is appearing in clear text! That's not a very secure password. Anyone looking over your shoulder can see what the password is!
(The "over-the-shoulder network attack" isn't terribly sophisticated, but it can be effective.)
We do have a method of encrypting that password, along with the others in the configuration - but before we do that, let's use the enable secret command to set an enable password of CCNA and see what happens when we try to get back into enable mode.
Router1(config)#enable secret CCNA
I'll now enter a password of CCENT, the enable password, which worked just a few minutes ago.
Router1>enable
Password: < I entered CCENT here >
Password:
That isn't a typo, and you're not seeing double - I'm being prompted for a password a second time because the first one I entered was not correct. If CCENT wasn't right, will CCNA be?
Router1>enable
Password:
Router1#
Yes! When both the enable secret and enable password commands are in use, the password set with the enable secret command will always take precedence.
There's one little "gotcha" that catches CCNA candidates from time to time, so make sure this doesn't catch you. Let's take a look at the result of the enable secret command in the configuration:
enable secret 5 $1$oNGE$OYXryHhM7E3GIXcDdCAwF1
When you're prompted for an enable password, typing in that string of characters shown above will result in two things:
Insanity
A failed login
You can't enter the visual hash result of the enable secret command and expect to log in successfully - you have to know the non-hashed password and enter that.
And I know some of you are saying "I wouldn't go insane, I'd just cut and paste that string." Do NOT cut and paste passwords - it's way too easy to include a null space during that procedure, and then you'll drive yourself nuts trying to figure out what the problem is.
And that doesn't just go for Cisco routers and switches. Don't get into the habit of cutting and pasting passwords.
Okay, end of "Dad Lecture". :) Let's get back to our passwords...
By default, only the enable secret password will be encrypted in the running configuration. To encrypt all passwords in the running config, use the global command service password-encryption.
R3#conf t
R3(config)#service password-encryption
R3#show config
service password-encryption
!
line con 0
password 7 10692C2D3C3827392F27040A
login
line aux 0
line vty 0 4
password 7 14343B382F2B
login
!
Looks and sounds great, right? They're all encrypted and can never, ever be cracked or viewed.
Wrong, friend-o.
The encryption used by service password-encryption (a Vigenère cipher, shown as type 7 in the config) is not as strong as the MD5 hash used by the enable secret command (shown as type 5).
And now that I've said that, let me say this - neither one of those techniques is very strong at all.
Cisco's website says it best:
"The algorithm used by the service password-encryption command is a simple Vigenère cipher. The algorithm is not designed to protect configuration files against serious analysis by even slightly sophisticated attackers and must not be used for this purpose."
You can literally find programs that can crack that cipher in about 10 seconds. Or less. Again, it's a good idea to use that command to stop someone from looking over your shoulder and memorizing your passwords - and that has happened - but don't depend on this command for anything else.
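Here's an added example (my own script, not from the tutorial or from Cisco) that pulls the two points above together: it reads a running-config, labels each password line by how it is stored (clear text, type 7 reversible, type 5 MD5 hash), and flags the two configuration-wide issues discussed here, service password-encryption being off and enable password coexisting with enable secret. The sample config is constructed from the snippets in this tutorial, not captured from a real device.

```python
import re

# Constructed sample running-config, modelled on the tutorial's snippets
# (not captured from a real device).
SAMPLE_CONFIG = """\
no service password-encryption
hostname Router1
enable password CCENT
enable secret 5 $1$oNGE$OYXryHhM7E3GIXcDdCAwF1
line con 0
 password 7 10692C2D3C3827392F27040A
 login
line vty 0 4
 password cisco
 login
"""

# <command> [<type digit>] <value>; the type digit is absent on clear-text entries.
PASSWORD_RE = re.compile(r"^\s*(enable password|enable secret|password)\s+(?:(\d)\s+)?(\S+)\s*$")

# How much protection each stored form gives against someone who can read the config.
RISK = {
    None: ("clear text", "high"),                        # readable straight off show run
    "0":  ("clear text", "high"),
    "7":  ("type 7, Vigenere cipher, reversible", "medium"),
    "5":  ("type 5, MD5 hash", "low"),
}

def audit_config(text):
    """Return (findings, notes): one finding per password line plus config-wide notes."""
    findings, notes, section, commands = [], [], "global", set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("line "):
            section = line.strip()                       # e.g. 'line con 0', 'line vty 0 4'
        m = PASSWORD_RE.match(line)
        if not m:
            continue
        cmd, ptype, _value = m.groups()
        commands.add(cmd)
        form, risk = RISK.get(ptype) or ("unknown type %s" % ptype, "unknown")
        findings.append({"line": lineno, "section": section, "command": cmd, "form": form, "risk": risk})
    if "no service password-encryption" in text.splitlines():
        notes.append("service password-encryption is off: line and enable passwords are stored in clear text")
    if {"enable password", "enable secret"} <= commands:
        notes.append("both enable password and enable secret are set: the secret takes precedence, "
                     "so the enable password grants nothing extra but is still exposed in the config")
    return findings, notes
```

Call audit_config(SAMPLE_CONFIG) to get the per-line findings and the two notes; on the sample, the console line password is flagged as type 7 and the VTY password as clear text.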