What are the two correct statements about enable secret and enable password command?

What are the two correct statements about enable secret and enable password command? (Choose two)
A. the enable password command has a stronger encryption algorithm than enable secret
B. if both commands are missing from the global configuration, vty lines use the console password
C. the enable secret command is backwards compatible with more versions of IOS
D. the enable secret and enable password commands must be used together
E. the enable secret command overrides enable password


6 thoughts on “What are the two correct statements about enable secret and enable password command?”

  1. I agree with Anon. B and C

    If neither the enable password command nor the enable secret command is configured, and if a line password is configured for the console, the console line password will serve as the enable password for all vty (Telnet and Secure Shell [SSH]) sessions.

    If you use the same password for the enable password and enable secret commands, you receive an error message warning that this practice is not recommended, but the password will be accepted. By using the same password, however, you undermine the additional security the enable secret command provides.

    After you set a password using the enable secret command, a password set using the enable password command works only if the enable secret is disabled or an older version of Cisco IOS software is being used, such as when running an older rxboot image. Additionally, you cannot recover a lost password that has been encrypted by any method.

    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-e1.html

    Can The Algorithm Be Changed?

    Cisco has no immediate plans to support a stronger encryption algorithm for Cisco IOS user passwords. If Cisco should decide to introduce such a feature in the future, that feature will definitely impose an additional administrative burden on users who choose to take advantage of it.

    It is not, in the general case, possible to switch user passwords over to the MD5-based algorithm used for enable secrets, because MD5 is a one-way hash, and the password can’t be recovered from the encrypted data at all. In order to support certain authentication protocols (notably CHAP), the system needs access to the clear text of user passwords, and therefore must store them using a reversible algorithm.

    Key management issues would make it a nontrivial task to switch over to a stronger reversible algorithm, such as DES. Although it would be easy to modify Cisco IOS to use DES to encrypt passwords, there would be no security advantage in doing so if all Cisco IOS systems used the same DES key. If different keys were used by different systems, an administrative burden would be introduced for all Cisco IOS network administrators, and portability of configuration files between systems would be damaged. Customer demand for stronger reversible password encryption has been small.

    https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/107614-64.html
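The Cisco text quoted in the comment above draws the line between the reversible scheme behind enable password (the format IOS labels type 7, produced by service password-encryption) and the MD5-based one-way scheme behind enable secret (type 5, which is standard md5crypt). The Python below is an added illustration for this page; it is not the commenter's code, not from the thread, and not any Cisco tool. It decodes a type 7 string with the fixed IOS key, recomputes a type 5 hash to check a candidate, and audits a running-config excerpt to report which of the two commands IOS actually consults when both are present (the quoted doc says enable secret wins). The config excerpt, the salt "ab12" and the passwords are constructed for the example; the type 7 string "0822455D0A16" is the well-known encoding of "cisco".

```python
"""enable password (type 7, reversible) vs enable secret (type 5, one-way) on Cisco IOS.

Added example for this page; not Cisco code. Sample config, salt and passwords are constructed.
"""
import hashlib
import re
from typing import List, Optional

# Fixed XOR key IOS uses for type 7 ("service password-encryption") strings.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
# crypt(3)-style base64 alphabet used by md5crypt.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: two-digit key offset, then hex bytes XORed with the key."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def md5crypt(password: bytes, salt: bytes) -> str:
    """md5crypt ($1$salt$hash): the one-way scheme behind IOS type 5 'enable secret'."""
    magic = b"$1$"
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:  # mix in len(password) bytes of the alternate digest
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    i = len(password)
    while i:  # one byte per bit of the length: NUL for set bits, password[0] otherwise
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 stretching rounds, which is what makes guessing slow
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()

    def to64(v: int, n: int) -> bytes:
        out = bytearray()
        for _ in range(n):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
        return bytes(out)

    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = b"".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    enc += to64(final[11], 2)
    return (magic + salt + b"$" + enc).decode("ascii")


def type5_check(candidate: str, stored: str) -> bool:
    """A type 5 value cannot be decoded; the only test is to recompute with the stored salt."""
    m = re.fullmatch(r"\$1\$([^$]{1,8})\$[./0-9A-Za-z]{22}", stored)
    if not m:
        raise ValueError("not a type 5 (md5crypt) hash")
    return md5crypt(candidate.encode(), m.group(1).encode()) == stored


def guess_type5(stored: str, wordlist: List[str]) -> Optional[str]:
    """Offline dictionary attack: the only way a type 5 value is 'recovered'."""
    return next((w for w in wordlist if type5_check(w, stored)), None)


def audit_enable_lines(config: str) -> dict:
    """Classify enable secret/enable password lines and report which one IOS consults."""
    report = {"effective": None, "lines": []}
    for line in config.splitlines():
        m = re.fullmatch(r"\s*enable (secret|password)(?: (\d))? (\S+)", line)
        if not m:
            continue
        cmd, ptype, value = m.groups()
        ptype = int(ptype or 0)  # no type digit means the value is stored in clear (type 0)
        entry = {"command": f"enable {cmd}", "type": ptype, "value": value, "plaintext": None}
        if ptype == 0:
            entry["plaintext"] = value  # stored in clear
        elif ptype == 7:
            entry["plaintext"] = type7_decode(value)  # recoverable from the config alone
        report["lines"].append(entry)  # type 5 stays None: one-way, only guessable
    cmds = {e["command"] for e in report["lines"]}
    if "enable secret" in cmds:
        report["effective"] = "enable secret"  # secret overrides password when both exist
    elif "enable password" in cmds:
        report["effective"] = "enable password"
    return report


# Constructed running-config excerpt (not from a real device). The type 5 hash is
# generated here so the sample stays self-consistent; "0822455D0A16" is type 7 for "cisco".
SAMPLE_SECRET_HASH = md5crypt(b"Str0ngEnable", b"ab12")
SAMPLE_CONFIG = f"""\
service password-encryption
enable secret 5 {SAMPLE_SECRET_HASH}
enable password 7 0822455D0A16
line con 0
 password 7 0822455D0A16
"""

if __name__ == "__main__":
    for entry in audit_enable_lines(SAMPLE_CONFIG)["lines"]:
        print(entry)
    print("effective:", audit_enable_lines(SAMPLE_CONFIG)["effective"])
    print("guessed type 5:", guess_type5(SAMPLE_SECRET_HASH, ["cisco", "admin", "Str0ngEnable"]))
```

Running it shows the asymmetry the Cisco text describes: the enable password line yields "cisco" directly from the config, while the enable secret line gives up nothing unless the right word is in the list. The audit also reflects the precedence rule the doc states: with both commands present, the type 7 enable password is dead weight that IOS does not consult, yet it still leaks a password anyone holding the config can read.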

  2. E is wrong, it doesn't overwrite it in the config. It's not using it if enable secret is present, but it doesn't override it config-wise!

    B and C are correct for me.

    I used secret strings in different IOS versions and never experienced that it didn't work, even if the self-generated encryption is different.

    1. Anon, it doesn’t say “overwrite it in the config” it says “overrides it” and it 100% does. E is definitely right.

      C I think is wrong as I don’t recall it (enable secret) being an option say 20 years ago whereas enable password has always been there. In fact checking Bastex’s link confirms that enable password was introduced in IOS 10 and secret in IOS 11 so C is wrong. This link also confirms that B is in fact correct so your answer is:

      BE

  3. B and E

    “If neither the enable password command nor the enable secret command is configured, and if there is a line password configured for the console, the console line password will serve as the enable password for all VTY (Telnet and Secure Shell [SSH]) sessions.”
