Command:

enable secret


Mode:

Router(config)#

Syntax:

enable secret [level level] {password | [encryption-type] encrypted-password}

no enable secret [level level]


Syntax Description:

level level

(Optional) Level for which the password applies. You can specify up to sixteen privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or in the no form of the command, the privilege level defaults to 15 (traditional enable privileges).

password

Password for users to enter enable mode. This password should be different from the password created with the enable password command.

encryption-type

(Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available for this command is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password encrypted by a Cisco router).

encrypted-password

Encrypted password you enter, copied from another router configuration.


Command Description:

To specify an additional layer of security over the enable password command, use the enable secret global configuration command. Use the no form of this command to turn off the enable secret function.

Use this command to provide an additional layer of security over the enable password. The enable secret command provides better security by storing the enable secret password using a non-reversible cryptographic function. The added layer of security that encryption provides is useful in environments where the password crosses the network or is stored on a TFTP server.

You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you paste into this command an encrypted password that you copied from a router configuration file.

Caution

If you specify an encryption-type and then enter a clear text password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method.

If you use the same password for the enable password and enable secret commands, you receive an error message warning that this practice is not recommended, but the password will be accepted. By using the same password, however, you undermine the additional security the enable secret command provides.



Note

After you set a password using the enable secret command, a password set using the enable password command works only if the enable secret is disabled or an older version of Cisco IOS software is being used. Additionally, you cannot recover a lost password that has been encrypted by any method.

If service password-encryption is set, the encrypted form of the password you create here is displayed when a more nvram:startup-config command is entered.

You can enable or disable password encryption with the service password-encryption command.

An enable password is defined as follows:

 
When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-V; you can simply enter abc?123 at the password prompt.

Example:

The following example specifies the enable secret password of gobbledegook:

Router(config)#enable secret gobbledegook
 

After specifying an enable secret password, users must enter this password to gain access. Any passwords set through enable password will no longer work.

Password: gobbledegook
 

The following example enables the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8, which has been copied from a router configuration file, for privilege level 2 using encryption type 5:

Router(config)#enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
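
The following check is an added example, not part of the original Cisco reference. It scans a saved configuration for the enable lines described above and reports privilege levels that rely on enable password alone, levels where a now-ignored enable password is still stored beside an enable secret, and enable secret lines that hold a clear-text password. The function name, finding labels and sample configuration are constructed for illustration.

```python
import re

# Line shape taken from the syntax on this page:
#   enable secret [level level] {password | [encryption-type] encrypted-password}
# "enable password" lines are parsed with the same shape.
ENABLE_RE = re.compile(
    r"^enable\s+(?P<kind>secret|password)"
    r"(?:\s+level\s+(?P<level>\d+))?"
    r"(?:\s+(?P<etype>\d+))?"
    r"\s+(?P<value>\S+)\s*$"
)

def audit_enable(config_text):
    """Return sorted (level, finding) tuples for enable-password hygiene."""
    seen = {"secret": {}, "password": {}}
    for line in config_text.splitlines():
        m = ENABLE_RE.match(line.strip())
        if not m:
            continue
        # No "level" keyword means level 15, as the syntax description states.
        level = int(m["level"]) if m["level"] else 15
        seen[m["kind"]][level] = m["etype"]

    findings = []
    for level in sorted(set(seen["secret"]) | set(seen["password"])):
        has_secret = level in seen["secret"]
        has_password = level in seen["password"]
        if has_password and not has_secret:
            # Nothing at this level is stored with the non-reversible function.
            findings.append((level, "PASSWORD_ONLY"))
        if has_password and has_secret:
            # The enable password no longer works but is still stored in the file.
            findings.append((level, "SHADOWED_PASSWORD"))
        if has_secret and seen["secret"][level] != "5":
            # A secret without encryption type 5 is a clear-text password in the file.
            findings.append((level, "CLEARTEXT_SECRET"))
    return findings

# Constructed sample configuration; hashes and passwords are placeholders.
SAMPLE_CONFIG = """\
hostname lab-router
enable secret 5 $1$salt$CONSTRUCTED-PLACEHOLDER-HASH
enable password level 2 oldpass
enable secret level 5 5 $1$salt$CONSTRUCTED-PLACEHOLDER-HASH
enable password level 5 oldpass
enable secret level 7 gobbledegook
line vty 0 4
"""

if __name__ == "__main__":
    for level, finding in audit_enable(SAMPLE_CONFIG):
        print(f"level {level}: {finding}")
```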

Misconceptions:
None

Related Commands:
enable password

© Cisco Systems, Inc. 2001, 2002, 2003
World Wide Education