By default, a Cisco device has no passwords configured, so the console is open and anyone who connects to the device can reach privileged mode (enable mode). This is a security risk, and one of the first things to do with a new device is to set the passwords for Telnet (VTY), Console, and Enable.
In this article I’m going to focus on the enable password and enable secret commands and show some differences between them.
To configure the enable passwords we first need to be in global configuration mode. From there we can issue either the ‘enable password aoip’ command, where ‘aoip’ is our chosen password, or the ‘enable secret aoip’ command. The big difference between the two commands is that the enable password is not encrypted by default, whereas the enable secret is.
If we do a ‘show run’ on our device after setting the password and secret, we can see that the enable password, as well as the line vty and console passwords, are all readable in clear text. To encrypt ALL passwords on the Cisco device, we can issue the command ‘service password-encryption’ from global configuration mode.
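The same check can be run offline against a saved configuration. The Python sketch below is an added example, not part of the original article or any Cisco tooling: it classifies each password line of a 'show run' excerpt as cleartext, type 7 (the reversible encoding that 'service password-encryption' writes) or hashed. The function names, the sample excerpts and the placeholder hash strings are assumptions constructed for illustration.

```python
import re
# Constructed 'show run' excerpts (not captured from a device); the hash and
# type 7 strings are placeholders, not real credential material.
BEFORE = """\
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
enable password aoip
line con 0
 password aoip
line vty 0 4
 password aoip
 login
"""
AFTER = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
enable password 7 PLACEHOLDER7
line con 0
 password 7 PLACEHOLDER7
line vty 0 4
 password 7 PLACEHOLDER7
 login
"""
CRED = re.compile(r"^\s*(?:enable )?(password|secret)(?: (\d+))? (\S+)\s*$")

def audit(config):
    """Return (line_no, context, storage) for every password/secret line."""
    findings, context = [], "global"
    for no, line in enumerate(config.splitlines(), 1):
        if line and not line[0].isspace():  # unindented: global or new section
            context = line.strip() if line.startswith("line ") else "global"
        m = CRED.match(line)
        if not m:
            continue
        keyword, ptype, _value = m.groups()
        if keyword == "secret":
            storage = "hashed"         # enable secret is kept as a one-way hash
        elif ptype in (None, "0"):
            storage = "cleartext"      # readable by anyone who sees the config
        else:
            storage = "type" + ptype   # 7 = service password-encryption, reversible
        findings.append((no, context, storage))
    return findings

def weak(config):
    """Credentials that are readable or recoverable from a config backup."""
    return [f for f in audit(config) if f[2] != "hashed"]

if __name__ == "__main__":
    print("before:", weak(BEFORE), "\nafter:", weak(AFTER))
```

In both excerpts only the enable secret line is absent from the `weak()` result, which is why the enable secret is the one to rely on for privileged-mode access.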
Below is the live demo showing the ‘enable password’, ‘enable secret’ and ‘service password-encryption’ commands.