enable secret [password]
Sets an encrypted password for privileged EXEC access, replacing the less secure 'enable password' command.
enable secret [password]
When to Use This Command
- Securing remote management access to a router or switch by setting a strong, encrypted enable secret.
- Complying with security policies that require encrypted storage of privileged mode passwords.
- Configuring a backup enable password using 'enable password' while 'enable secret' takes precedence.
- Migrating from plaintext 'enable password' to encrypted 'enable secret' for enhanced security.
Command Examples
Setting a basic enable secret
enable secret MySecret123
Router(config)# enable secret MySecret123
Router(config)#
The command sets the enable secret to 'MySecret123'. No output is shown; the password is stored encrypted in the running configuration.
Verifying enable secret in running config
do show running-config | include enable secret
enable secret 5 $1$v0lY$Zx9cQpV6sG2kLmN8rT4bH.
The output shows the encrypted enable secret (type 5 hash). The '5' indicates MD5 encryption. The hash is the encrypted form of the password.
Understanding the Output
The 'enable secret' command itself produces no output upon successful configuration. To verify, use 'show running-config | include enable secret'. The output shows 'enable secret 5 <hash>', where '5' denotes MD5 encryption (Cisco type 5). The hash is a one-way encrypted string. If you see 'enable password' without encryption, that indicates a less secure configuration. Always ensure 'enable secret' is set and 'enable password' is not used alone. In production, the hash should be long and complex; a short hash may indicate a weak password.
CCNA Exam Tips
CCNA exam tip: 'enable secret' overrides 'enable password' if both are configured.
CCNA exam tip: The 'enable secret' uses MD5 hashing (type 5); newer IOS supports type 8/9 (SHA-256).
CCNA exam tip: If you forget the enable secret, you must perform password recovery via ROMmon mode.
CCNA exam tip: The 'service password-encryption' command does NOT affect 'enable secret' (it's already encrypted).
Common Mistakes
Mistake 1: Using 'enable password' instead of 'enable secret', leaving the password in plaintext in the config.
Mistake 2: Setting a weak or easily guessable password for the enable secret.
Mistake 3: Forgetting to save the configuration after setting the enable secret, losing it on reload.
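The checks this page describes (an enable secret is present, 'enable password' is not used alone, type 5 versus the newer type 8/9) can be run automatically against a saved configuration. The Python script below is an added example, not part of the original page or any Cisco tool; the function name, finding codes, and sample configs (including the placeholder hash strings) are constructed for illustration.

```python
import re

# Forms as they appear in 'show running-config':
#   enable secret 5 <hash> | enable password <plaintext> | enable password 7 <string>
LINE_RE = re.compile(r"^enable (secret|password)(?: level \d+)?(?: (\d))? (\S+)\s*$")

def audit_enable(config_text):
    """Return a sorted list of finding codes for the enable credentials in a config."""
    secrets, passwords = [], []
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, ptype, _value = m.groups()  # ptype is None when no type digit is shown
        (secrets if kind == "secret" else passwords).append(ptype)

    findings = set()
    if not secrets:
        findings.add("NO_ENABLE_SECRET")
    for ptype in secrets:
        if ptype == "5":
            findings.add("SECRET_TYPE5_MD5")           # newer IOS supports type 8/9
    for ptype in passwords:
        if ptype in (None, "0"):
            findings.add("ENABLE_PASSWORD_PLAINTEXT")  # readable by anyone who sees the config
        if secrets:
            findings.add("ENABLE_PASSWORD_REDUNDANT")  # enable secret overrides it
        else:
            findings.add("ENABLE_PASSWORD_ALONE")
    return sorted(findings)

# Constructed sample configs (not taken from a real device).
LEGACY = """\
hostname R1
enable password cisco123
line vty 0 4
"""
MIXED = """\
enable secret 5 $1$v0lY$Zx9cQpV6sG2kLmN8rT4bH.
enable password 7 PLACEHOLDER_TYPE7
"""
HARDENED = "enable secret 9 PLACEHOLDER_TYPE9_HASH\n"

if __name__ == "__main__":
    for name, cfg in (("LEGACY", LEGACY), ("MIXED", MIXED), ("HARDENED", HARDENED)):
        print(name, audit_enable(cfg))
```

An empty list means no issue was found with the enable credentials; the script only inspects the 'enable' lines and says nothing about password strength.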
Related Commands
enable password [password]
Sets a plaintext password for privileged EXEC access in global configuration mode, used when no enable secret is configured.
service password-encryption
Encrypts all plaintext passwords in the running configuration to prevent unauthorized viewing of password data.
show running-config
Displays the current active configuration in DRAM, showing all non-default settings.