Setting Basic Password Parameters

This section shows how to set up basic passwords and secrets on your router. You cannot create your own encrypted passwords and secrets. You must use encrypted passwords and secrets that the router generates.

Note: See Setting and Erasing Passwords for additional commands for erasing and monitoring passwords.

Creating Encrypted Passwords

This example encrypts password t1meout1 and creates a password for privilege level 10.

Enable and configure the password. The 0 keyword specifies that you are entering an unencrypted password.
host1(config)#enable password level 10 0 t1meout1

Display the encrypted password.

host1(config)#exit
host1#show secret
               Current Password Settings
               -------------------------
         encryption         encrypted
level       type         password/secret         mode
-----   ------------   --------------------   ----------
0
1
2
3
4
5
6
7
8
9
10      7 (password)   dq]XG`,%N"SS7d}o)_?Y   configured
11      7 (password)   dq]XG`,%N"SS7d}o)_?Y   inherited
12      7 (password)   dq]XG`,%N"SS7d}o)_?Y   inherited
13      7 (password)   dq]XG`,%N"SS7d}o)_?Y   inherited
14      7 (password)   dq]XG`,%N"SS7d}o)_?Y   inherited
15      7 (password)   dq]XG`,%N"SS7d}o)_?Y   inherited

You or users with high privilege levels can now use the encrypted password, dq]XG`,%N"SS7d}o)_?Y, with the password command.

Creating Secrets

This example generates a secret for the password rocket, and creates a secret for privilege level 15.

Enable and configure the secret. The 0 keyword specifies that you are entering an unencrypted secret.
host1(config)#enable secret level 15 0 rocket

Display the secret.

host1(config)#exit
host1#show secret
              Current Password Settings
              -------------------------
        encryption        encrypted
level      type        password/secret         mode
-----   ----------   --------------------   ----------
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15      5 (secret)   bcA";+1aeJD8)/[1ZDP6   configured

You or users with high privilege levels can now use the encrypted password, bcA";+1aeJD8)/[1ZDP6, with the password command.

Encrypting Passwords in Configuration File

You can also direct the system software to encrypt passwords saved in the configuration file by using the service password-encryption command. This command is useful to keep unauthorized individuals from viewing your password in your configuration file. It is important to remember that this command uses a simple cipher and is not intended to protect against serious analysis. You can tell if a string is encrypted if it is preceded by an 8.

Commands and Guidelines

Use the following commands and guidelines to set passwords or secrets for the privilege levels.

enable password

Use to set a password, which controls access to Privileged Exec mode and some configuration modes.
Enter the password in plain text (unencrypted) or cipher text (encrypted). In either case, the system stores the password as encrypted.
The first time you define a password, you must enter it in plain text. To view its encrypted form, use the show config display. To redefine the password at a later date, you can enter the password in its encrypted form.
You can use the following keywords:
- 0 (zero)—Specifies an unencrypted password
- 7—Specifies an encrypted password
Example 1 (unencrypted password)
host1(config)#enable password 0 mypassword
Example 2 (encrypted password)
host1(config)#enable password 7 x13_2
Use the no version to remove the password.
See enable password.

enable secret

Use to set a secret, which controls access to the Privileged Exec mode and some configuration modes.
Enter the secret in plain text (its unencrypted form) or cipher text (its encrypted form). In either case, the system stores the secret as encrypted.
The first time you define a secret, you must enter it in plain text. To view its encrypted form, use the show config display. To redefine the secret at a later date, you can enter the secret in its encrypted form.
You can use the following keywords:
- 0 (zero)—Specifies an unencrypted secret
- 5—Specifies an encrypted secret
Example 1 (unencrypted secret)
host1(config)#enable secret 0 yalta45
Example 2 (encrypted secret)
host1(config)#enable secret 5 y13_x
Use the no version to remove the secret.
See enable secret.

service password-encryption

Use to encrypt passwords that are saved in the system’s configuration file. The command converts plain text to cipher text. The default is no encryption.
Use of this command prevents casual observers from viewing passwords, for example, in data obtained from show config displays. The command is not intended to provide protection from serious analysis.
This command does not apply to passwords set with enable secret, enable password, or password (Line Configuration mode).
This command does apply to authentication key passwords and BGP neighbor passwords.
Example
host1(config)#service password-encryption
Use the no version to remove the encryption assignment.
See service password-encryption.