Securing Access to Privileged EXEC Mode
Once you get console access from the user EXEC mode, you can enter privileged EXEC mode and enjoy administrative privileges. Since no authentication is required by default, each user can access the privileged mode and configure the device. This can easily lead to a security breach, and that’s why you need to secure this access.
This can be achieved by configuring a password that the user must provide to access the privileged mode of the device. There are two different approaches that you can use to authenticate a user when providing a password.
The first option is configuring a simple password using the “enable password” command in global configuration mode, which saves the password in plaintext inside the running configuration. The other option is configuring a secret password using the “secret password” command.
The following example configuration creates simple and secret passwords on a Cisco IOS device:
When both simple and secret passwords are configured, the secret password always takes precedence over the enable password, and only this one is acceptable. It is recommended to use a secret password instead of a simple password.
The following output verifies both passwords in the running configuration:
As you can see in the output above, the simple password is shown in cleartext, while only an MD5 hash of the secret password is kept instead of the password itself.