enable password vs enable secret vs service password-encryption
Even if you have passed the CCNA or higher certifications, there’s always something that still teases your mind and challenges your technical knowledge.
I am talking about password encryption in Cisco routers. I did some research and investigated it myself.
From the official Cisco IOS Password Encryption Facts webpage:
“To determine which scheme has been used to encrypt a specific password, check the digit preceding the encrypted string in the configuration file. If that digit is a 7, the password has been encrypted using the weak algorithm. If the digit is a 5, the password has been hashed using the stronger MD5 algorithm.”
Summary:
7 = type 7, weak encryption (reversible encryption)
enable password = stores the enable password in plain text in the configuration file (show running-config)
enable secret = hashes the enable password using the MD5 hashing algorithm. The password appears only in hashed form in the configuration file (show running-config).
According to Cisco, the “enable password command should no longer be used”. Instead, use the enable secret command.
From the official Cisco webpage:
“Enable secrets are hashed using the MD5 algorithm. As far as anyone at Cisco knows, it is impossible to recover an enable secret based on the contents of a configuration file (other than by obvious dictionary attacks).”
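The digit check quoted above can be applied to a saved configuration to list which password lines are plain text, type 7 or type 5. The following is an added example, not code from Cisco or from the original post; the sample configuration, its password strings and the names `audit`, `CMD_RE` and `SCHEMES` are constructed for illustration.

```python
import re

# Password-bearing commands: "enable password/secret", "username ... password/secret"
# and a bare "password" under a line. The optional single digit is the type marker;
# it only counts as a marker when another token follows it.
CMD_RE = re.compile(
    r"^\s*(?:enable\s+|username\s+\S+\s+(?:privilege\s+\d+\s+)?)?"
    r"(?P<kind>password|secret)\s+(?:level\s+\d+\s+)?"
    r"(?:(?P<type>\d)\s+(?=\S))?(?P<value>\S+)\s*$"
)

SCHEMES = {
    None: "plaintext",                 # no digit: the string is stored as typed
    "0": "plaintext",                  # explicit "unencrypted password follows"
    "7": "type 7 (weak, reversible)",
    "5": "type 5 (MD5 hash)",
}

def audit(config_text):
    """Return (line_no, command, scheme) per password line; values are never echoed."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = CMD_RE.match(line)
        if not m:
            continue
        ptype = m.group("type")
        cut = m.start("type") if ptype is not None else m.start("value")
        scheme = SCHEMES.get(ptype, "type %s (not covered on this page)" % ptype)
        findings.append((no, line[:cut].strip(), scheme))
    return findings

# Constructed sample; the strings are placeholders, not real passwords or hashes.
SAMPLE = """\
service password-encryption
enable password cisco123
enable password 7 00112233AABB
enable secret 5 $1$salt$CONSTRUCTEDPLACEHOLDERHASH
username admin privilege 15 secret 5 $1$salt$CONSTRUCTEDPLACEHOLDERHASH
line vty 0 4
 password 7 00112233AABB
enable password 7
"""

if __name__ == "__main__":
    for no, command, scheme in audit(SAMPLE):
        print("line %d: %-36s %s" % (no, command, scheme))
```

The last sample line shows the edge case: a lone `7` with nothing after it is itself the plain-text password, not a type marker.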