Device Password Facts

The following table lists three of the most common passwords that you can configure on your device:

| Password Type | Description |
|---|---|
| Console | Controls the ability to log on to the router through a console connection |
| VTY | Controls the ability to log on to the router using a virtual terminal (VTY) connection |
| EXEC mode | Controls the ability to switch to configuration modes. There are two different passwords that might be used: the enable password, which is stored in clear text in the configuration file, and the enable secret password, which is stored encrypted in the configuration file. |

Note: The router always uses the enable secret password if it exists.

Be aware of the following recommendations for configuring router passwords:

  • Passwords are case-sensitive.
  • For security reasons, you should not use the same password for both your enable and enable secret passwords.
  • You can set the enable, enable secret, and line passwords in setup mode.
  • Cisco routers support Terminal Access Controller Access Control System (TACACS) and Remote Authentication Dial-In User Service (RADIUS) to centrally validate users attempting to gain access to the router.

The following table summarizes basic password commands.

| Use . . . | To . . . |
|---|---|
| Router(config)#enable secret <password> | Set the encrypted password used for privileged mode access. The enable secret is always used if it exists. This command uses the Message-Digest 5 (MD5) hashing algorithm to hash the password. |
| Router(config)#enable password <password> | Set the unencrypted password for privileged mode access. This password is used if the enable secret is not set. |
| Router(config)#line con 0 | Switch to the line configuration mode for the console. |
| Router(config)#line vty <0-197> <1-197> | Switch to the line configuration mode for the virtual terminal. Specify one line number or a range of line numbers, for example: line vty 0 4 |
| Router(config-line)#password <password> | Set the line password (for either console or VTY access). |
| Router(config-line)#login | Require the password for line access. |
| Router(config)#no enable secret, Router(config)#no enable password, Router(config-line)#no login, Router(config-line)#no password | Remove the password. The no login command disables password checking. |
| Router(config)#service password-encryption | Encrypt all passwords as type 7 passwords. Type 7 encryption is not secure and can be easily broken; it only provides some protection against someone looking over your shoulder after you issue the show run command. Rather than relying on this encryption, make sure to use the enable secret command for better protection. |

Note: If you do not use the login command in line mode, a password will not be required for access, even though one is set.

Access to the router's command line through a Telnet session (a VTY line) is controlled by the login and password entries. To prevent VTY access, there must be a login entry without a password set. Access is allowed based on the following conditions:

  • no login, no password = access is allowed without a password
  • login, no password = access is denied (the error message indicates that a password is required but none is set)
  • no login, password = access is allowed without a password
  • login, password = access is allowed only with correct password
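The four conditions above can be checked against a saved configuration. The script below is an added example, not part of the original notes: it reads IOS-style configuration text, applies the login/password rules to each line block, and reports lines that accept connections without a password as well as a missing enable secret. The sample configuration is constructed, the names audit and line_access are hypothetical, and the script assumes that a line block with no plain login statement means "no login" (other login variants are not modelled).

```python
# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
hostname R1
enable password ExamplePw
line con 0
 password ExamplePw
line vty 0 4
 login
line vty 5 10
 password ExamplePw
 login
line vty 11 15
 no login
"""

def line_access(login, password):
    """Map a login/password combination to the outcome listed in the notes."""
    if login and password:
        return "password required"
    if login:
        return "denied (login set, no password)"
    return "open (no password check)"

def audit(config):
    """Return (line_states, findings) for IOS-style configuration text."""
    lines = {}        # e.g. "vty 0 4" -> {"login": bool, "password": bool}
    current = None    # line block currently being read, if any
    has_secret = has_enable_pw = False
    for raw in config.splitlines():
        stmt = raw.strip()
        if raw.startswith("line "):
            current = lines.setdefault(stmt[5:], {"login": False, "password": False})
        elif raw.startswith(" ") and current is not None:
            if stmt == "login":                 # assumption: plain "login" only
                current["login"] = True
            elif stmt.startswith("password "):
                current["password"] = True
        else:                                   # any other global statement
            current = None
            has_secret |= stmt.startswith("enable secret ")
            has_enable_pw |= stmt.startswith("enable password ")
    states = {name: line_access(**s) for name, s in lines.items()}
    findings = [f"line {n}: {s}" for n, s in states.items() if s.startswith("open")]
    if has_enable_pw and not has_secret:
        findings.append("enable password set without enable secret")
    elif not has_secret:
        findings.append("no enable secret configured")
    return states, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)[1]:
        print(finding)
```

The console line in the sample shows the case from the note above: a password is configured, but without login it is never checked.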

 

Credit: Testout 640-802 CCNA Notes