3.5 Device Passwords Flashcards
Secure privileged exec access
Description:
The password that restricts access to privileged EXEC mode is the most important password you will set, because privileged EXEC mode allows the whole configuration to be viewed and changed. Set it with the enable secret global configuration command followed by the password; the secret is stored as a one-way hash rather than in clear text.
Example:
Device> enable
Device# configure terminal
Device(config)# enable secret class
Device(config)# exit
Device# disable
Device> enable
Password: (class is typed here; IOS does not echo it)
Device#
Secure user exec access
Description:
User EXEC access over the console is controlled by the console line password. The enable password and enable secret control the step from user EXEC to privileged EXEC (and from there into the configuration modes). The enable password is stored in clear text in the config file; the enable secret is stored as a one-way hash (type 5 MD5 on classic IOS, with type 8 and 9 hashes available on newer releases), so the secret should be used whenever it is available. To secure user EXEC access, the console port must be configured with a password and the login command, as below.
Example:
Device(config)# line console 0
Device(config-line)# password cisco
Device(config-line)# login
Device(config-line)# exit
Device(config)#
Secure remote Telnet access
Description:
Virtual terminal (VTY) passwords control the ability to log on to the device over a virtual terminal connection such as Telnet or SSH. VTY provides remote access to the device, so VTY lines should be secured. Many Cisco devices provide 16 VTY lines, numbered 0 to 15 (some routers default to five, numbered 0 to 4; show line lists what a device has).
Access over a VTY line is controlled by the login and password entries on that line. The IOS default is login with no password set, which refuses every VTY connection until a password is configured. Access is allowed based on the following conditions:
- No login, no password. Access is allowed without a password.
- Login, no password. Access is denied. The error message indicates that a password is required but none is set.
- No login, password. Access is allowed without a password, because the password is never checked.
- Login, password. Access is allowed only with the correct password.
Example:
Device(config)# line vty 0 15
Device(config-line)# password cisco
Device(config-line)# login
Device(config-line)# exit
Device(config)#
Router(config)# enable secret password
Sets the hashed password used for privileged mode access. When both are configured, the enable secret is used and the enable password is ignored.
Router(config)# enable password password
Sets the clear-text password for privileged mode access. This password is used only if no enable secret is set.
Router(config)# line console 0
This global config command enters console line configuration mode. The zero identifies the console line (usually there is only one).
Router(config)# line vty first-line [last-line]
This global config command enters line configuration mode for the given range of VTY lines, for example line vty 0 15.
Router(config-line)# login
Enables password checking on the line; the line password is then required at login.
Router(config)# no enable secret
Router(config)# no enable password
Removes the enable secret or the enable password (both are global configuration commands).
Router(config-line)# no login
Router(config-line)# no password
Removes the line password. The no login command disables password checking on the line.
service password-encryption
It is important to note that the startup-config and running-config files show passwords in plain text unless you do something about it. Because of this, run the global configuration command service password-encryption. It rewrites every clear-text password in the configuration (enable password, line passwords, username passwords) as a type 7 string. Type 7 is not real encryption: it is a reversible XOR against a fixed, publicly known key, and any type 7 string can be decoded instantly with freely available tools. It only protects against someone reading the configuration over your shoulder. Rather than relying on it, use enable secret for privileged mode and username name secret password for local accounts, both of which store a hash instead of a recoverable password.
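Added example, not part of the original flashcards: a small Python audit script that applies the four login/password conditions from the Telnet card to every line section of a running-config, and reverses any type 7 strings to show how little protection service password-encryption gives. The running-config it reads is constructed for the example, the enable secret hash in it is a placeholder rather than a real MD5-crypt value, and the function names are this example's own; the only real constant is the type 7 key stream, which is the same on every IOS device.

```python
import re

# Cisco type 7 key stream. It is a fixed, publicly documented constant,
# which is exactly why type 7 "encryption" is reversible by anyone.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: a two-digit seed, then hex bytes XORed with XLAT."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


def encode_type7(plain: str, seed: int = 8) -> str:
    """Forward direction, for round-trip checks (IOS chooses the seed itself)."""
    body = "".join("%02X" % (ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, c in enumerate(plain))
    return "%02d%s" % (seed, body)


def describe_password(ptype, value: str) -> str:
    """Classify a password/secret by the type number that precedes it in the config."""
    if ptype in (None, "0"):
        return "clear text: " + value
    if ptype == "7":
        return "type 7, decodes to: " + decode_type7(value)
    if ptype == "5":
        return "type 5 (MD5 hash), not reversible"
    if ptype in ("8", "9"):
        return "type %s (PBKDF2/scrypt hash), not reversible" % ptype
    return "unknown type " + ptype


def parse_line_sections(config: str) -> dict:
    """Map each 'line ...' section of a running-config to its indented sub-commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # a '!' or any unindented command ends the section
    return sections


def line_access(cmds: list) -> str:
    """Apply the four login/password combinations for a console, aux or VTY line."""
    has_password = any(c.startswith("password ") for c in cmds)
    if any(c.startswith("login ") for c in cmds):  # login local / login authentication
        return "authenticated by local database or AAA (line password not used)"
    if "login" in cmds and has_password:
        return "allowed only with the line password"
    if "login" in cmds:
        return "denied: password required, but none set"
    if has_password:
        return "open: password set but never checked (no login)"
    return "open: no login, no password"


CRED_RE = re.compile(r"^\s*(enable password|enable secret|password)(?: (\d))? (\S+)$")


def audit(config: str) -> dict:
    """Report every credential in the config and the effective access rule of every line."""
    report = {"global": [], "lines": {}}
    for raw in config.splitlines():
        m = CRED_RE.match(raw) if raw.startswith("enable ") else None
        if m:
            report["global"].append("%s: %s" % (m.group(1), describe_password(m.group(2), m.group(3))))
    for name, cmds in parse_line_sections(config).items():
        entry = {"access": line_access(cmds)}
        for c in cmds:
            m = CRED_RE.match(c)
            if m:
                entry["password"] = describe_password(m.group(2), m.group(3))
        report["lines"][name] = entry
    return report


# Constructed sample running-config (not captured from a real device).
# The enable secret value is a placeholder, not a real MD5-crypt hash.
SAMPLE_RUNNING_CONFIG = """\
!
no service password-encryption
!
enable secret 5 $1$abcd$placeholderplaceholderxx
enable password cisco
!
line con 0
 password cisco
 login
line aux 0
 password 7 0822455D0A16
line vty 0 4
 login
line vty 5 15
!
end
"""

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_RUNNING_CONFIG), indent=2))
```

Running it on the sample shows the console line correctly requiring its (clear-text) password, the aux line's type 7 string decoding straight back to cisco, vty 0 4 refusing all connections because login is set with no password, and vty 5 15 wide open with neither. The same script run over a real show running-config is a quick way to find the no-login and clear-text cases the flashcards warn about.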
Password Requirements
Implement the following requirements for passwords.
- Do not use the same password for all devices.
- Do not use the same password for both your enable and enable secret passwords.
- Passwords should be more than 8 characters long.
- Common words should not be used in passwords.
- Use a combination of letters, numbers, and symbols.
show running-config
Displays the active configuration, including every password. Clear-text passwords appear exactly as typed; after service password-encryption they appear as type 7 strings (password 7 ...), which are trivially reversible, and an enable secret appears only as its hash (enable secret 5 ...). Treat show run output as sensitive in every case.