enable password vs enable secret vs service password-encryption

Even if you have passed the CCNA or higher certifications, there is always something that still teases your mind and challenges your technical knowledge.

I am talking about password encryption in Cisco routers. I did some research and investigated it myself.

“To determine which scheme has been used to encrypt a specific password, check the digit preceding the encrypted string in the configuration file. If that digit is a 7, the password has been encrypted using the weak algorithm. If the digit is a 5, the password has been hashed using the stronger MD5 algorithm.”

7 = type 7: weak encryption (reversible encryption)
5 = type 5: strong encryption (MD5 one-way hash)

enable password = the enable password is stored in plain text in the configuration file (show running-config).

enable secret = the enable password is hashed with the MD5 algorithm; only the hash appears in the configuration file (show running-config).

service password-encryption = encrypts the plain-text password(s) in the configuration using type 7. If an “enable secret” (type 5) is already configured, service password-encryption does not convert that password from type 5 to type 7; the enable secret is not affected by service password-encryption.

According to Cisco, “the enable password command should no longer be used.” Instead, use the enable secret command.
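As an added example (not part of the original post or of any Cisco tool), a small Python audit script that classifies the credential lines of a running-config by the type digit described above, reports which ones are plain text or type 7, and predicts what service password-encryption would change and what it would leave alone. The sample config, the hash string and the type 7 strings are constructed placeholders.

```python
import re

# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
enable password cisco123
enable secret 5 $1$c0ns$truct3dPlaceholderHash00
username netops password 7 1B2C3D4E5F60
username backup password 0 backup-plain
line vty 0 4
 password 7 0A1B2C3D4E5F
"""

# Credential-bearing commands the post discusses; the optional digit before the
# value is the password type: 0 plain text, 7 reversible encoding, 5 MD5 hash.
CRED_RE = re.compile(
    r"^\s*(?P<cmd>enable (?:password|secret)"
    r"|username \S+(?: privilege \d+)? (?:password|secret)|password)"
    r"\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)
TYPE_INFO = {"0": ("plaintext", "high"), "7": ("type 7 reversible", "medium"),
             "5": ("type 5 MD5 hash", "ok")}

def classify(line):
    """Return (command, type digit, description, risk) or None for non-credential lines."""
    m = CRED_RE.match(line)
    if not m:
        return None
    ptype = m.group("type") or "0"  # no digit in the config means plain text
    desc, risk = TYPE_INFO.get(ptype, (f"type {ptype} (not covered here)", "unknown"))
    return m.group("cmd"), ptype, desc, risk  # the value itself is deliberately not reported

def after_service_password_encryption(ptype):
    """Type shown after 'service password-encryption': type 0 becomes 7; type 5 stays 5."""
    return "7" if ptype == "0" else ptype

def audit(config_text):
    """List every credential with its current type and the type it would have afterwards."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        result = classify(line)
        if result is None:
            continue
        cmd, ptype, desc, risk = result
        findings.append({"line": lineno, "command": cmd, "type": ptype, "desc": desc,
                         "risk": risk, "after_spe": after_service_password_encryption(ptype),
                         # The post's advice: 'enable password' should give way to 'enable secret'.
                         "recommend": "replace with enable secret" if cmd == "enable password" else ""})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG): print(f)
```

Run it against the output of show running-config saved to a file by passing the file contents to audit(); anything reported as plaintext is exactly what service password-encryption would turn into type 7, while the enable secret line stays type 5 either way.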

“Enable secrets are hashed using the MD5 algorithm. As far as anyone at Cisco knows, it is impossible to recover an enable secret based on the contents of a configuration file (other than by obvious dictionary attacks).