Using Better Password-Encryption Techniques

Using Better Password-Encryption Techniques

Problem

You want to assign a privileged password with a stronger encryption standard than Cisco's trivial default encryption.

Solution

To enable strong, nonreversible encryption of the privileged password, use the enable secret configuration command:

Router1#configure terminal  
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#enable secret ORAbooks
Router1(config)#end
Router1#

Beginning with IOS Version 12.2(8)T, Cisco introduced strong encryption for its username command as well. To enable strong encryption for router usernames, use the username secret command:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#username ijbrown secret oreilly
Router(config)#end
Router#

Discussion

Cisco introduced the enable secret password to improve the security of the enable password command. This command uses the cryptographically strong MD5 algorithm to encrypt passwords. It it extremely difficult to crack this algorithm. In fact, there are no known ways to uniquely reverse MD5 encryptions, which is why it is called a nonreversible algorithm.

When you configure the router with an enable secret password, it will encrypt your enable password whether you have the service password-encryption command or not. The service password-encryption command has no effect on the enable secret password.

Configuring a nonreversible enable password provides greater security than the traditional enable password command. It is useful in environments that store or transfer configuration files across the network. The enable secret password takes precedence over the enable password. So if you have both types of enable passwords configured, the router will only use the secret version. We highly recommend using the enable secret password on all routers.

The following command shows what the enable secret command looks like when you look at the router's configuration file:

Router1#show running-config | include secret
enable secret 5 $1$Ahxf$4OivEQn0n0JneSObfRdSw0
Router1#

The following is a list of enable secret password restrictions:

  • The password must contain between 1 and 25 alphanumeric characters (upper- or lowercase).

  • Leading spaces are ignored while intermediate and trailing spaces are permitted and recognized.

  • You can use a question mark, "?", in the password, but only if you precede the question mark with a "Control v" (the Ctrl key and the letter v key).

You should never use the same password for the enable password and enable secret commands. The router will warn you against doing this, but it will accept it:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#enable password cisco
Router1(config)#enable secret cisco
The enable secret you have chosen is the same as your enable password.
This is not recommended. Re-enter the enable secret.

Router1(config)#end
Router1#

Setting the same password for both commands defeats the purpose of using the enable secret command in the first place and renders its strong encryption useless. Avoid this problem by choosing a different password or removing the enable password altogether.

Cisco introduced the username secret command in Version 12.2(8)T to provide an added layer of security over the username password command. It provides greater security by using the same irreversible MD5 encryption as the enable secret command. However, because the password is not retrievable, some protocols that require clear test passwords, such as CHAP, will not work with the strong encryption.

Even strong encryption is vulnerable to dictionary and brute force attacks. To protect against such attacks, ensure that all of your passwords are difficult to guess and avoid using words found in the dictionary. For example, a common password-cracking program took less than a minute to find the password "cookbook11".


See Also