This is the Title of the Book, eMatter Edition
Copyright © 2002 O’Reilly & Associates, Inc. All rights reserved.
32
Chapter 4
CHAPTER 4
Passwords and Privilege Levels
Passwords are the core of Cisco routers’ access control methods. Chapter 3
addressed basic access control and using passwords locally and from access control
servers. This chapter talks about how Cisco routers store passwords, how important
it is that the passwords chosen are strong passwords, and how to make sure that
your routers use the most secure methods for storing and handling passwords. It
then discusses privilege levels and how to implement them.
Password Encryption
Cisco routers have three methods of representing passwords in the configuration file.
From weakest to strongest, they include clear text, Vigenere encryption, and MD5
hash algorithm. Clear-text passwords are represented in human-readable format.
Both the Vigenere and MD5 encryption methods obscure passwords, but each has its
own strengths and weaknesses.
Vigenere Versus MD5
The main difference between Vigenere and MD5 is that Vigenere is reversible, while
MD5 is not. Being reversible makes it easier for an attacker to break the encryption
and obtain the passwords. Being unreversible means that an attacker must use much
slower brute force guessing attacks in an attempt to obtain the passwords.
Ideally, all router passwords would use strong MD5 encryption, but the way certain
protocols, such as CHAP and PAP, work, routers must be able to decode the origi-
nal password to perform authentication. This need to decode specific passwords
means that Cisco routers will continue to use reversible encryption for some pass-
words—at least until such authentication protocols are rewritten or replaced.
,ch04.23611 Page 32 Friday, February 15, 2002 2:53 PM
This is the Title of the Book, eMatter Edition
Copyright © 2002 O’Reilly & Associates, Inc. All rights reserved.

whether through shoulder surfing or off a backup server—can see the router pass-
words. We need a way to make sure that all passwords in the router configuration
file are encrypted.
service password-encryption
The first method of encryption that Cisco provides is through the command service
password-encryption. This command obscures all clear-text passwords in the configura-
tion using a Vigenere cipher. You enable this feature from global configuration mode.
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#service password-encryption
Router(config)#^Z
Now a show run command no longer displays the password in humanly readable for-
mat.
enable secret 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1
enable password 7 02030A5A46160E325F59060B01
,ch04.23611 Page 33 Friday, February 15, 2002 2:53 PM
This is the Title of the Book, eMatter Edition
Copyright © 2002 O’Reilly & Associates, Inc. All rights reserved.
34
|
Chapter 4: Passwords and Privilege Levels
!
username jdoe password 7 09464A061C480713181F13253920
username rsmith password 7 095E5D0410111F5F1B0D17393C2B3A37
!
line con 0
exec-timeout 5 0
password 7 110A160B041D0709493A2A373B243A3017
login local
transport input none

service password-encryption
enable password 7 02030A5A46160E325F59060B01
,ch04.23611 Page 34 Friday, February 15, 2002 2:53 PM
This is the Title of the Book, eMatter Edition
Copyright © 2002 O’Reilly & Associates, Inc. All rights reserved.
Strong Passwords
|
35
However, as explained earlier, this uses the weak Vigenere cipher. Because of the
importance of the privileged-level password and the fact that it doesn’t need to be
reversible, Cisco added the enable secret command that uses strong MD5 encryption:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable secret my-secret-password
Router(config)#^Z
A show run now displays:
enable secret 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1e
This type of encryption cannot be reversed. The only way to attack it is though brute
force methods.
You should always use the enable secret command instead of enable password. The
enable password command is provided only for backward compatibility. If both are
set, for example:
enable password 7 02030A5A46160E325F59060B01
enable secret 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1e
the enable secret password takes precedence and the enable password command is
ignored.
Many organizations begin using the insecure enable password com-
mand, and then migrate to using the enable secret command. Often,
however, they use the same passwords for both the enable password
and enable secret commands. Using the same passwords defeats the

take to guess most words in the English language (or a word in any other language, if
the attacker included foreign language dictionaries). After four hours, the password
cracker has guessed the next three passwords as well. Any password based on a
word—English or foreign—is vulnerable to brute force attacks.
The last password looks random and was still not cracked when the password cracker
stopped running three days later. The problem is remembering a password like this
one. See the upcoming sidebar, “Choosing and Remembering Strong Passwords” for
tips on choosing an appropriate password.
Keeping Configuration Files Secure
Except for the enable secret password, all passwords stored on Cisco routers are
weakly encrypted. If someone were to get a copy of a router configuration file, it
would take only a few seconds to run it through a program to decode all weakly
encrypted passwords. The first protection is to keep the configuration files secured.
You should always have a backup of each router’s configuration file. You should prob-
ably have multiple backups. However, each of these backups must be kept in a secure
location. This means that they are not stored on a public server or on each network
administrator’s desktop. Additionally, backups of all routers are usually kept on the
same system. If this system is insecure, and an attacker can gain access, he has hit the
jackpot—the complete configuration of your entire network, all access list setups,
weak passwords, SNMP community strings, and so on. To avoid this problem, wher-
ever backup configuration files are kept, it is best to keep them encrypted. That way,
even if an attacker gains access to the backup files, they are useless.
Encryption on an insecure system, however, provides a false sense of security. If
attackers can break into the insecure system, they can set up a key logger and cap-
ture everything that is typed on that system. This includes the passwords to decrypt
the configuration files. In this case, an attacker just has to wait until the administra-
tor types in the password, and your encryption is compromised.
Another option is to make sure your backup configuration files don’t contain any
passwords. This requires that you remove the password from your backup configura-
tions manually or create scripts that strip out this information automatically.