Encrypted password for Local and enable
02-18-2020 03:04 AM
Hello experts,
Could you please explain how to create an encrypted password for local and enable authentication in Cisco IOS?
I have tried many passwords but it does not work and shows the error below (I understand I should not use level 5, but apart from this, how do we give an encrypted password?):
R1(config)#username sathish privilege 15 secret 5 %$&*($&
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.
R1(config)#username sathish privilege 15 password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password
Here, if I give 7, will the password be encrypted? If so, what is the difference between adding the password and the secret?
Thanks,
Sathish
02-18-2020 03:04 PM
Sathish
There are 2 things to consider here. One is what kind of password do you want to create. The other is whether your input is in clear text or your input is already encrypted.
So what are the kinds of password? The older (and less secure) is called password and it can be stored as a clear text entry or as an encrypted text entry. If you create a traditional password in clear text you can use the command service password encryption to encrypt the entries. The newer (and more secure) is called secret and it is always stored as an encrypted text entry. So there are two slightly different commands that you can use depending on which type of password you want to create:
username sathish privilege 15 password Cisco123
username sathish privilege 15 secret Cisco123
The other aspect is whether your input is clear text or is encrypted text. It may be easier to explain this by using an example. So let us assume that you are configuring your device and you use this command, where you manually enter the password in clear text:
username sathish privilege 15 secret Cisco123
When you do show run you would see
username sathish privilege 15 secret 5 <string_of_strange_characters>
where the string of strange characters is the encrypted version of Cisco123.
Now you want to configure another device and to create the local user sathish on that device. You could enter the original command or you could enter this command where using the 5 indicates that the following text is already encrypted
username sathish privilege 15 secret 5 <string_of_strange_characters>
and of course instead of manually typing this command you could just cut and paste from the config of the first device into the config of the second device. The key thing about using this version of the command is that you must already know the encrypted value of Cisco123.
Rick
02-18-2020 08:08 PM
Thanks a lot for your clear explanation. I have used secret 5 for creating the login local. Just one query, and I hope you will help me out. I understand from your statement that if we use the password in clear text and enter service password encryption in global config, all we see is the encrypted password in the running config. My doubt is: if we use an encrypted secret password, is it still better to use service password encryption on the device? Is it a best-practice command (does it encrypt the pre-shared key (used in IKEv1), NTP, SNMP key etc. in the running config)?
Regards,
Sathish.
02-19-2020 06:07 AM - edited 02-19-2020 06:08 AM
Enable Secret: hashes your enable password so that even if someone has access to the configuration and could copy / paste the code into a Cisco Password Cracker they still wouldn't be able to figure out what the correct password is.
Service password-encryption: This is used for encrypting all your passwords including VTY, NTP (PSK always shows as encrypted in running-conf) so that they cannot be easily read by people watching you configure the switch over your shoulder. Now, you don't want to be passing around your configs to everyone because if they get the config and copy / paste the password, even with service password-encryption enabled, it will be easily crackable on many websites. The more secure way is using enable secret.
Muhammad Zahid
02-19-2020 06:11 AM
Sathish
Let me explain it from a different perspective and hopefully you will understand it better. The "password" approach was the earlier approach and is the default for IOS. This includes both the user password command and the enable password command. So if you use this command
username sathish privilege 15 password Cisco123
or this command
enable password Cisco456
you will create a password that is in clear text. And in show run you will see the clear text password by default. Cisco then provided the service password encryption command to store the password in an encrypted form. So if you are using the password approach it is safer to use service password encryption. Note that this command applies to user password and enable password but does not apply to passwords for ikev1 or ntp etc.
Cisco enhanced IOS by providing the "secret" approach to passwords. If you enter this command
username sathish privilege 15 secret Cisco123
or this command
enable secret Cisco456
then it will create passwords that are encrypted and will never be seen in clear text. I will also point out that the encryption used for secret passwords is stronger and more secure than the encryption used for service password encryption. So if you are wanting a more secure approach you should use the secret approach to passwords. And if you are using the secret approach to passwords then there is no point in using service password encryption because it does not apply to secret type passwords.
Rick
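A small config-audit script, added here as an example and not code from the thread or from Cisco, that classifies the credential lines Rick describes (password 0/7 versus secret 5) and lists the accounts whose stored value is still recoverable. The sample config is constructed, the hash bodies are placeholders, and types 8 and 9 are newer IOS secret types the thread does not mention.

```python
import re

# Constructed IOS running-config excerpt; hash bodies are placeholders, not real digests.
SAMPLE_CONFIG = """\
username sathish privilege 15 password 0 Cisco123
username backup privilege 15 password 7 0000PLACEHOLDER
username admin privilege 15 secret 5 $1$PLACEHOLDER$placeholderhashvalue
enable password Cisco456
enable secret 9 $9$PLACEHOLDER$placeholderhashvalue
"""

# Type number as IOS prints it -> (how the value is stored, review priority).
# 0 is cleartext, 7 is the reversible encoding service password-encryption produces,
# 5/8/9 are one-way hashes (8 and 9 assumed as the newer types not covered in the thread).
CRED_TYPES = {
    "0": ("cleartext", "high"),
    "7": ("reversible (type 7)", "high"),
    "5": ("MD5 hash (type 5)", "medium"),
    "8": ("PBKDF2-SHA256 (type 8)", "low"),
    "9": ("scrypt (type 9)", "low"),
}

# Matches 'username <u> ... password|secret [type] <value>' and 'enable password|secret ...'.
CRED_RE = re.compile(
    r"^(?:username\s+(?P<user>\S+).*?|enable)\s+"
    r"(?P<kw>password|secret)\s+(?:(?P<type>[05789])\s+)?(?P<value>\S+)$"
)

def audit_config(text):
    """Return one (subject, keyword, type, storage, priority) tuple per credential line."""
    findings = []
    for raw in text.splitlines():
        m = CRED_RE.match(raw.strip())
        if not m:
            continue
        subject = m.group("user") or "enable"
        ptype = m.group("type") or "0"  # no type number: the value sits in the file in clear
        storage, priority = CRED_TYPES[ptype]
        findings.append((subject, m.group("kw"), ptype, storage, priority))
    return findings

def has_service_password_encryption(text):
    return any(line.strip() == "service password-encryption" for line in text.splitlines())

def weak_credentials(text):
    """Subjects whose stored value is recoverable (cleartext or type 7) and should move to 'secret'."""
    return [f[0] for f in audit_config(text) if f[4] == "high"]
```

Run it over a saved running-config and every account in `weak_credentials()` is one to re-enter with `secret` rather than `password`, regardless of whether service password-encryption is on.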
02-19-2020 06:53 AM
As I think about it, I need to amend my explanation. What I described about the service password encryption was the behavior when it was introduced: that it affected only user passwords and enable password. In later releases of the code, service password encryption did affect some other types of keys.
Rick
