Back to Command Reference
Global ConfigDomain 1.0 / 5.0

enable secret [password]

Secures access to Privileged EXEC mode using a strongly encrypted password. This prevents unauthorized users who gain access to User EXEC mode from elevating their privileges and modifying the router's configuration.

Quick Reference

Execution ModeRouter(config)#
Encryption AlgorithmType 5 (MD5) or Type 9 (Scrypt)
Prerequisite ForVTY/SSH administrative elevation
Negation Commandno enable secret

CLI Deployment Scenarios

Scenario 1: Applying the Secret

You want to lock down the router so only senior admins can reach the `#` prompt.

Router(config)# enable secret Cisco123!
! When checking the running-config, the password is mathematically hashed:
Router# show running-config | include enable
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0

CCNA Exam Gotchas

[!]

Enable Secret vs. Enable Password

The CCNA heavily tests the difference between enable secret and enable password.

enable password stores the text in plain, unencrypted text in the configuration file. It is deeply insecure.
enable secret hashes the password.
If an administrator configures both commands on the same router, the enable secret permanently overrides the enable password.