Why should you use "enable secret" instead of "enable password"?

enable secret uses strong hashing (MD5/scrypt) while enable password uses plain text or weak encryption. "enable secret" stores the password using a strong one-way hash (MD5 Type 5 or scrypt Type 9), making it extremely difficult to reverse. "enable password" stores the password in plain text (Type 0) or easily reversible Type 7 encryption. If both are configured, enable secret takes priority.

Which AAA protocol encrypts the entire packet and is preferred for device administration?

TACACS+. TACACS+ (TCP port 49) encrypts the entire packet and separates authentication, authorization, and accounting, making it ideal for device administration where granular command authorization is needed. RADIUS only encrypts the password field and combines authentication with authorization.

What does the "service password-encryption" command do on a Cisco device?

Encrypts plain-text passwords in the running config with Type 7 (weak, reversible) encryption. "service password-encryption" converts Type 0 (plain-text) passwords in the running configuration to Type 7 encrypted passwords. Important: Type 7 is easily reversible — it is obfuscation, not true encryption. It prevents casual shoulder-surfing but does not protect against determined attackers. For strong password protection, use "enable secret" (Type 5/9).

Device Access Control and Password Policies

Securing access to network devices is a fundamental security requirement. The CCNA tests your ability to configure and verify device access controls.

Securing Passwords

Enable Secret vs. Enable Password

Command	Encryption	Strength
`enable password Cisco123`	Type 0 (plain text) or Type 7	Weak — avoid
`enable secret Cisco123`	Type 5 (MD5) or Type 9 (scrypt)	Strong — always use

Router(config)# enable secret StrongPassword123   ! Always use enable secret

If both are configured, enable secret takes priority.

Service Password-Encryption

Router(config)# service password-encryption

This command encrypts all plain-text passwords in the running configuration using Type 7 encryption. Type 7 is easily reversible (it's really just obfuscation, not true encryption), but it prevents casual shoulder-surfing.

Password Types on Cisco Devices

Type	Algorithm	Strength	Example
Type 0	Plain text	None	password Cisco123
Type 5	MD5 hash	Medium	$1$mERr$hx5...
Type 7	Vigenere cipher	Weak (reversible)	070C285F4D06
Type 8	PBKDF2-SHA-256	Strong	$8$dsYG...
Type 9	scrypt	Strongest	$9$nhEmQ...

Router(config)# username admin secret StrongPass  ! Creates Type 9 (scrypt) hash on newer IOS

Securing Console Access

Router(config)# line console 0
Router(config-line)# password ConsolePass123
Router(config-line)# login                           ! Enable password authentication
Router(config-line)# exec-timeout 5 0               ! Auto-logout after 5 minutes idle
Router(config-line)# logging synchronous             ! Prevent log messages from interrupting input

Securing VTY (Remote Access) Lines

Router(config)# line vty 0 15
Router(config-line)# transport input ssh             ! SSH only — blocks Telnet
Router(config-line)# login local                     ! Use local username database
Router(config-line)# exec-timeout 10 0              ! 10-minute idle timeout
Router(config-line)# access-class 10 in              ! Apply ACL to restrict source IPs

AAA (Authentication, Authorization, Accounting)

AAA provides centralized security management for network devices.

Component	Function	Example
Authentication	Verifies identity — "Who are you?"	Username/password, certificates, biometrics
Authorization	Determines permissions — "What can you do?"	Command authorization, privilege levels
Accounting	Records actions — "What did you do?"	Logging commands, session duration, bytes transferred

TACACS+ vs. RADIUS

Feature	TACACS+	RADIUS
Standard	Cisco-proprietary	Open standard (RFC 2865)
Protocol	TCP port 49	UDP ports 1812/1813
Encryption	Entire packet encrypted	Only password encrypted
AAA separation	Separates authentication, authorization, and accounting	Combines authentication and authorization
Command authorization	Yes (granular)	No
Best for	Device management (controlling who can run which commands)	Network access (802.1X, VPN, wireless)

On the Exam: TACACS+ is preferred for device administration (it separates AAA and encrypts the entire packet). RADIUS is preferred for network access control (802.1X, wireless). Know the port numbers and encryption differences.

Password Policy Best Practices

Practice	Implementation
Minimum length	At least 10 characters
Complexity	Mix of uppercase, lowercase, numbers, symbols
No reuse	Don't reuse recent passwords
Account lockout	Lock after 3-5 failed attempts
Privileged access	Use enable secret (Type 5/8/9), not enable password
Encrypt stored passwords	service password-encryption + Type 5/8/9
Centralized management	Use TACACS+/RADIUS instead of local passwords

Cisco Certified Network Associate

5.2 Device Access Control and Password Policies

Key Takeaways

Device Access Control and Password Policies

Securing Passwords

Enable Secret vs. Enable Password

Service Password-Encryption

Password Types on Cisco Devices

Securing Console Access

Securing VTY (Remote Access) Lines

AAA (Authentication, Authorization, Accounting)

TACACS+ vs. RADIUS

Password Policy Best Practices

Cisco Certified Network Associate

1Introduction

2Chapter 1: Network Fundamentals (20%)

3Chapter 2: Network Access (20%)

4Chapter 3: IP Connectivity (25%)

5Chapter 4: IP Services (10%)

6Chapter 5: Security Fundamentals (15%)

7Chapter 6: Automation and Programmability (10%)

5.2 Device Access Control and Password Policies

Key Takeaways

Device Access Control and Password Policies

Securing Passwords

Enable Secret vs. Enable Password

Service Password-Encryption

Password Types on Cisco Devices

Securing Console Access

Securing VTY (Remote Access) Lines

AAA (Authentication, Authorization, Accounting)

TACACS+ vs. RADIUS

Password Policy Best Practices