Password Security for Cisco IOS Devices

Password protection on any Cisco device is of paramount importance, since passwords provide the first line of defence against unauthorised access to Cisco networks. On terminal lines in particular (the console line and the VTY lines), passwords are a fundamental element of security.

The following techniques enable you to control who is allowed access to the router and what IOS privilege levels they are granted once they gain access:

  • password (line configuration): To specify a password on a line, use the password command in line configuration mode. A line is a console port (CTY), auxiliary port (AUX), virtual terminal (VTY), or asynchronous (TTY) line.

After specifying a password on a line using the password command, you must activate password checking at login using the login command in line configuration mode. The example below illustrates how to enable password security on each of the available lines. The password and login commands are widely available within IOS.

Router(config)# line con 0
Router(config-line)# password s3cr3t
Router(config-line)# login
Router(config-line)# line 1 8
Router(config-line)# password s3cr3t
Router(config-line)# login
Router(config-line)# line aux 0
Router(config-line)# password s3cr3t
Router(config-line)# login
Router(config-line)# line vty 0 4
Router(config-line)# password s3cr3t
Router(config-line)# login

  • username password: The password command described above specifies a password for a specific line. With the configuration in the example above, any user who attempts to connect to a line must enter the configured line password to be granted user EXEC mode access. To establish local username-based password authentication instead, use the username command in global configuration mode. After specifying a username password, you must activate username-based password checking on the lines using the login local command in line configuration mode. The username command is widely available within IOS.

  • enable secret: To specify an additional layer of security, use the enable secret command in global configuration mode. The enable secret command provides better security by storing the configured enable secret password using a nonreversible cryptographic hash function, compared to the enable password command, which stores the configured password in clear text or in an easily reversible encrypted format. Storing the password as a cryptographic hash helps to minimize the risk of password sniffing if the router configuration file is transferred across the network, such as to and from a TFTP server. It is also useful if an unauthorized user obtains a copy of your configuration file. Note that if neither the enable password command nor the enable secret command is configured, and a line password is configured for the console port, the console line password will serve as the enable password for all VTY lines, which includes Telnet, rlogin, and SSH connections. The enable secret command is widely available within IOS. Username passwords may also be stored in the router configuration file in cryptographic hash format, similar to the enable secret; the associated command is username secret.

  • service password-encryption: To encrypt local router passwords, use the service password-encryption command in global configuration mode. This command applies to line passwords, username passwords, enable passwords, and authentication key passwords, including routing authentication passwords and key strings. By default, IOS does not encrypt passwords. Encrypting passwords in this way helps to minimize the risk of password sniffing if the router configuration file is transferred across the network, such as to or from a TFTP server. It is also useful if an unauthorized user obtains a copy of your configuration file. Note that this is the easily reversible encrypted format mentioned under enable secret above: it hides passwords from casual inspection of the configuration file but is not a substitute for enable secret or username secret. This command is widely available within IOS.
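As an added example (not part of the original post), the following Python audit reads a running-config and reports the weaknesses described in the four items above: missing service password-encryption, enable password used instead of enable secret, username password used instead of username secret, and lines with no login command. The sample configuration is constructed for the example, and the secret hash in it is a placeholder.

```python
import re
# Constructed sample running-config (not from the post); the secret hash is a placeholder.
SAMPLE_CONFIG = """\
enable password cisco
username admin password 0 Admin123
username ops secret 5 <hash-placeholder>
line con 0
 password s3cr3t
 login
line aux 0
 password s3cr3t
line vty 0 4
 login local
!
"""

def line_sections(config):
    """Yield (line name, [indented commands]) for every 'line ...' stanza."""
    name, body = None, []
    for raw in config.splitlines():
        if raw.startswith("line "):
            if name: yield name, body
            name, body = raw.strip(), []
        elif raw.startswith(" ") and name:
            body.append(raw.strip())
        else:  # '!' or a global command ends the stanza
            if name: yield name, body
            name, body = None, []
    if name: yield name, body

def audit_ios_passwords(config):
    """Return findings for the password weaknesses the post describes."""
    findings = []
    top = [l for l in config.splitlines() if not l.startswith(" ")]
    if not any(l.startswith("service password-encryption") for l in top):
        findings.append("global: service password-encryption not enabled")
    if not any(l.startswith("enable secret") for l in top):
        findings.append("global: no enable secret configured")
    if any(l.startswith("enable password") for l in top):
        findings.append("global: enable password present (clear text or reversible)")
    for l in top:
        m = re.match(r"username (\S+)(?: privilege \d+)? password\b", l)
        if m: findings.append(f"user {m.group(1)}: uses password, not username secret")
    for name, body in line_sections(config):
        login = next((b for b in body if b.startswith("login")), None)
        has_pw = any(b.startswith("password") for b in body)
        if login is None:
            findings.append(f"{name}: no login command, password checking is off")
        elif login == "login" and not has_pw:
            findings.append(f"{name}: login set but no line password")
    return findings
```

Running audit_ios_passwords(SAMPLE_CONFIG) flags the enable password, the admin username password, and the aux line without login, while the console line (password plus login) and the VTY lines (login local) pass.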

One Response to 'Password Security for Cisco IOS Devices'

  1. Tanuja - December 30th, 2008 at 3:19 am

    Thanks for your post, I am glad to come across your post.

    Thanks again,
    Tanuja
