«

I have a cisco 1601 router that I want to change the enable password
on. I know the current enable password. When I go into config t mode I
type in "enable password <the new password>". I exit with ctrl z and
write mem. When I logout and log back in I have to still use the old
password, the new one will not work. I am not sure what I am doing
wrong here. The only other thing is that I have the service
password-encryption turned on, could this be causing the problem and if
so what do I need to do to fix it. Any help or suggestions will be
appreciated.
Thanks
Glenn

gselser wrote:
> I have a cisco 1601 router that I want to change the enable password
> on. I know the current enable password. When I go into config t mode I
> type in "enable password <the new password>". I exit with ctrl z and
> write mem. When I logout and log back in I have to still use the old
> password, the new one will not work. I am not sure what I am doing
> wrong here. The only other thing is that I have the service
> password-encryption turned on, could this be causing the problem and if
> so what do I need to do to fix it. Any help or suggestions will be
> appreciated.
> Thanks
> Glenn

Is there also an "enable secret" command in the config?

If so try:-

conf t
no enable password
enable secret <the new password>

James

James wrote:
>> enable password <the new password>

> conf t
> no enable password
> enable secret <the new password>

I think the enable secret should be preferred because
its not easily decodable.

but forms have a number before the actual password (IIRC)

enable secret 0 <the_password_in_clear_text>

or

enable password 0 <the_password_in_clear_text>

Rainer

James wrote:
> gselser wrote:
> > I have a cisco 1601 router that I want to change the enable password
> > on. I know the current enable password. When I go into config t mode I
> > type in "enable password <the new password>". I exit with ctrl z and
> > write mem. When I logout and log back in I have to still use the old
> > password, the new one will not work. I am not sure what I am doing
> > wrong here. The only other thing is that I have the service
> > password-encryption turned on, could this be causing the problem and if
> > so what do I need to do to fix it. Any help or suggestions will be
> > appreciated.
> > Thanks
> > Glenn
>
> Is there also an "enable secret" command in the config?
>
> If so try:-
>
> conf t
> no enable password
> enable secret <the new password>
>
> James
Yes I think there is a enable secret password. What is the difference
between the enable and secret password or are they the same?
Also is it okay to keep the service password-encryption on?
Glenn

gselser wrote:

> James wrote:

> Yes I think there is a enable secret password. What is the difference
> between the enable and secret password or are they the same?

"enable secret" stores the password in a way that can not be decrypted.
It wins over "enable password" as method that allows access to privilege mode. So you were changing something that
wasn't used when authoriziting you to the privilege mode.

> Also is it okay to keep the service password-encryption on?

Yes of course, even if the encryption algorithm is very weak. Can be decrypted in few milliseconds.

HTH

Alex.

In article < .com>,
"gselser" <> wrote:

> Yes I think there is a enable secret password. What is the difference
> between the enable and secret password or are they the same?
> Also is it okay to keep the service password-encryption on?

enable password is stored either in clear or in a reversible
"encryption"[1] noted by a prefix of 7[2] if "service
password-encryption" is set. enable secret is stored as an MD5 hash
(prefix 5), which you might be able to reverse but it will take you some
effort.

If there's an enable secret the router will use it, if not it will fall
back to enable password. There used to be situations where you needed
both but I don't suppose there are many cases now.

Sam

[1] At one point Cisco used to refer to it as "obscured" rather than
"encrypted" - there are several trivial password decryptors around.

[2] A correspondent on a Cisco mailing list once asked why his password
didn't work - it turned out it began with the name of a well known soft
drink and even though password encryption wasn't set when the router
read the config it saw the initial "7 up" and tried to decrypt the rest
of the plain text password.

Thank you all very much. This is the faster group discussion I have
ever worked with.
You responses and solutions both solved the problem and were
informative
Thanks Again
Glenn
Sam Wilson wrote:
> In article < .com>,
> "gselser" <> wrote:
>
> > Yes I think there is a enable secret password. What is the difference
> > between the enable and secret password or are they the same?
> > Also is it okay to keep the service password-encryption on?
>
> enable password is stored either in clear or in a reversible
> "encryption"[1] noted by a prefix of 7[2] if "service
> password-encryption" is set. enable secret is stored as an MD5 hash
> (prefix 5), which you might be able to reverse but it will take you some
> effort.
>
> If there's an enable secret the router will use it, if not it will fall
> back to enable password. There used to be situations where you needed
> both but I don't suppose there are many cases now.
>
> Sam
>
> [1] At one point Cisco used to refer to it as "obscured" rather than
> "encrypted" - there are several trivial password decryptors around.
>
> [2] A correspondent on a Cisco mailing list once asked why his password
> didn't work - it turned out it began with the name of a well known soft
> drink and even though password encryption wasn't set when the router
> read the config it saw the initial "7 up" and tried to decrypt the rest
> of the plain text password.