One of the many skills that you must demonstrate as a CCENT candidate is your ability to configure basic password security on a Cisco router or switch. This blog post walks you through the configurations you must have mastered in order to succeed in this area of the exam.

While I will demonstrate the configurations required on a Cisco router, keep in mind that they are going to be identical on the model of switch you are presented with in the exam.

First, let us enter user mode on the router, and then enter global configuration mode to set our first password.

Press RETURN to get started!
Router> enable
Router# configure terminal

The first password we will set is the enable password. This is for backwards compatibility if you ever need to copy this configuration to a system that does not support password encryption. Since our router does support password encryption, note that you will never actually use this password on the device. Again, it is there for sheer backwards compatibility.

Router(config)# enable password S0ftBa11

Now that we have taken care of that, it is time to set the encrypted version of the enable password. It is the job of this password to protect Privileged mode on the device. Remember, Privileged mode allows us to make configuration changes to the device.

Router(config)# enable secret SanFr@n

What about protecting User mode, the mode that you enter from the console port before you enter Privileged mode? You can do this by setting a password on the Console Line. When setting a password on any of the lines on the router, you need to also use the login command. This command instructs the router or switch to check the locally configured password upon login.

Router(config)# line con 0
Router(config-line)# password V011eyBa11
Router(config-line)# login

Here is an example of setting the password for the default Telnet lines available on the Cisco device:

Router(config-line)# line vty 0 4
Router(config-line)# password T3nn1sBa11
Router(config-line)# login

Great. So pretty darn easy. Except there is one slight problem. The enable secret does get some protection (it is stored hashed, so it is not readable to the naked eye when viewing the configuration), but by default none of the other passwords above are protected at all. Here is proof:

Router#show running-config
Building configuration...
Current configuration : 772 bytes
enable secret 5 $1$3cho$p9t1k6BeP8iGFYtoY1kNS.
line con 0
 password V011eyBa11

This is solved with the handy service password-encryption command, which applies a weak encryption to the clear-text passwords in your configuration, as follows:

Router(config)#service password-encryption
Router#show running-config
Building configuration...
Current configuration : 772 bytes
enable secret 5 $1$3cho$p9t1k6BeP8iGFYtoY1kNS.
line con 0
 password 7 113F49544641122E057B7A

Which is the stronger protection: the MD5 hashing used for the enable secret, or Cisco's own password-encryption scheme? Well, you can see with your own eyes that it is the MD5 enable secret. Notice that it produces a longer string of characters, and even uses special characters in the hash.

Be aware, too, that if you turn this feature off with the command no service password-encryption, passwords you set afterwards will no longer be encrypted, but the encryption already applied to existing passwords is not undone.
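As an added example (not part of the original post), here is a small Python audit that checks a saved running-config for the weaknesses walked through above: a leftover enable password, a line password without login, clear-text line passwords, type 7 passwords left behind after the service was turned off, and the service itself being disabled. The sample configuration is constructed from the post's commands, not captured from a real device.

```python
# Constructed sample running-config (not a capture from a real device).
# It mirrors the post: service password-encryption was enabled, the console
# password became type 7, then the service was turned off again, so the
# password set afterwards on the VTY lines is back in clear text.
SAMPLE_CONFIG = """\
hostname Router
enable password S0ftBa11
enable secret 5 $1$3cho$p9t1k6BeP8iGFYtoY1kNS.
line con 0
 password 7 113F49544641122E057B7A
 login
line vty 0 4
 password T3nn1sBa11
"""

def audit_config(text: str) -> list[str]:
    """Flag the password weaknesses the post walks through."""
    findings = []
    lines = text.splitlines()
    if "service password-encryption" not in lines:
        findings.append("service password-encryption is off: new passwords will be clear text")
    if any(l.startswith("enable password ") for l in lines):
        findings.append("enable password present: unused when enable secret exists, remove it")
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append("no enable secret: privileged mode is not hash-protected")
    # Walk each 'line ...' section and record its password and login state.
    sections: dict[str, dict] = {}
    current = None
    for l in lines:
        if l.startswith("line "):
            current = l.strip()
            sections[current] = {"password": None, "login": False}
        elif current and l.startswith(" "):
            body = l.strip()
            if body.startswith("password "):
                sections[current]["password"] = body.split(" ", 1)[1]
            elif body == "login":
                sections[current]["login"] = True
        else:
            current = None  # an unindented command ends the line section
    for name, st in sections.items():
        pw = st["password"]
        if pw is None:
            findings.append(f"{name}: no password set")
            continue
        if not st["login"]:
            findings.append(f"{name}: password set but 'login' missing, so it is never checked")
        if pw.startswith("7 "):
            findings.append(f"{name}: type 7 password (reversible obscuring, not a hash)")
        else:
            findings.append(f"{name}: password stored in clear text")
    return findings
```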

As always, thanks for reading, and enjoy your studies. If you have questions regarding this post, do not forget about our incredible forums at http://ieoc.com.

11 Responses to “CCENT: Providing Basic Password Security for a Cisco Router or Switch”

  1. Cisco Guy says:

    Nice basic tutorial post. Another enhancement for protecting your Telnet VTY lines is to apply an access-class on the VTY which will allow only a specific management host to connect.

    ! define the ACL first; <management-host-ip> is a placeholder for the permitted host
    Router(config)# access-list 100 permit tcp host <management-host-ip> any eq telnet
    Router(config)# line vty 0 4
    Router(config-line)# access-class 100 in

    The above will also protect you from a Denial of Service attack where an attacker attempts several simultaneous telnet connections to the router or switch, thus occupying all available VTY lines and preventing the legitimate administrators from managing the device.

  3. Jonathan says:

    Hey, are you guys offering any classes for the CCENT/CCNA? I have someone who is interested in receiving some training, but I don’t see on the website whether you guys offer this.

  4. Hi Jonathan!

    It is on the way! We are releasing Self Paced, Live Classroom, Hands on Labs, and Practice Exams in Feb of this year (2009)!

  5. Jonathan says:

    Sweet I will be looking out for this. Thanks.

  6. Ben says:

    Use of ‘enable password’ is very poor practice. “Backwards compatibility” means “backwards security” – if your device supports ‘enable secret’ then you should NOT add an additional, superfluous password that will never be used – except perhaps maliciously as a hint to the ‘secret’ password, or to confuse anyone who doesn’t know the difference between the two commands. The number of times I’ve seen people add the *same* password for both “just in case” (really: because they were trained to) is amazing…

    Also, the strength of the MD5 hash has nothing to do with “special characters”, or even that it is longer than the Cisco hash. The reason the ‘secret’ is stronger is that it is not reversible, unlike the ‘password’, which is reversible by design (e.g. for CHAP). The ‘secret’ is in Modular Crypt Format (http://leaf.dragonflybsd.org/cgi/web-man?command=crypt&section=3), where the ‘$’ symbols separate the type, salt and hash parts. The ‘$’ is not a part of the hash itself, which is only characters from “./0-9A-Za-z”. And incidentally, string length is a pretty poor method of evaluating a hash, as is “it looks more complex…”.
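    To make the format Ben describes (and the comparison in the post body) concrete, here is an added Python example, not from the post or from Ben: a straight implementation of the classic $1$ md5-crypt scheme behind "enable secret 5", a splitter for the type/salt/hash fields, and a verifier that works only by recomputing. The salt 3cho is taken from the post's own output; whether the result equals the post's hash depends on which secret was configured when that output was captured, so no claim is made about that.

```python
import hashlib

# Hash output alphabet: exactly the "./0-9A-Za-z" set Ben mentions.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: str, salt: str) -> str:
    """Classic $1$ md5-crypt: salted, 1000 stretching rounds, one-way."""
    pw, salt = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:                       # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, n)])
        n -= 16
    i = len(pw)
    while i:                           # historical quirk: one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):              # stretching rounds slow down guessing
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    def to64(v: int, count: int) -> str:
        return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(count))
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    out += to64(final[11], 2)          # 22 characters in total
    return f"$1${salt.decode()}${out}"

def split_mcf(stored: str) -> tuple[str, str, str]:
    """Split '$1$salt$hash' into (type, salt, hash); '$' is a separator, not hash data."""
    _, kind, salt, digest = stored.split("$")
    return kind, salt, digest

def verify(password: str, stored: str) -> bool:
    """Check a candidate by recomputation; nothing is ever decoded from the hash."""
    _, salt, _ = split_mcf(stored)
    return md5_crypt(password, salt) == stored

if __name__ == "__main__":
    h = md5_crypt("SanFr@n", "3cho")   # secret and salt from the post
    print(h, split_mcf(h), verify("SanFr@n", h))
```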

  7. Hi Ben!

    Thanks for contributing to our blog site. You remind me to go beyond the exam with these posts and give some real world as well. So often our focus is ensuring the students are equipped to pass the exam with ease that we forget to mention things like “we do not need the enable password today!”

    I am also amazed at the number of times you have seen the same password used for the enable and enable secret since the router will not accept it. :-) I presume you put SAME in asterisks because you did not truly mean the SAME.

    Excellent clarification on why the MD5 is stronger than the encryption on the service password-encryption command. Thanks again.

  8. Nick says:

    I agree with the sentiment that Cisco should be going to great lengths to provide a clear MODEL for securing their network devices – and promoting this from the start!

    A Security Model is an IT industry standard method for promoting the right way to go about securing something. Cisco only seems to get into a security model approach later on, in CCNP (perhaps even above).

    The course notes should promote username/password, aaa and secret methods for securing devices, while explaining things like line passwords and the rare times the password may be required.

    Common sense in any security field is to LOCK it all down as HARD as you can UNTIL IT STARTS COSTING YOU. Then you’ll need to determine if the additional lockdown is worth the additional effort and hassle (risk analysis).

  9. Hi Nick,

    There is a model for automating this; it’s called the “autosecure” feature. For admins who are not clear as to what the common vulnerabilities and services of IOS are, this feature is very useful. However, there is no *mandatory* implementation of this, because there are many situations where it is key to selectively enable/disable features manually so there are no surprises in the operation of the device.

    You can find more info on autosecure here:
    Thanks for your comment!

  10. Ronald says:

    Caller route is a feature that allows segregation and routing of inbound calls to 0800 Numbers, 0845 Numbers or 0844 Numbers based on their origin. It works very similar to Time and Date routing that allows inbound calls to be routed to different destinations based on time and date. Caller route identifies different numbers or numbers from different regions and routes it to specific destinations as programmed by owner.

    When you have your customers in two different countries, say UK and US, you can create two different teams to serve customers from each country. To facilitate this you need to segregate all inbound calls from the two regions and route them to specific teams. This can be achieved easily with the Caller route feature.

    If you want to deal with your VIP customers or important clients directly instead of letting your staff handle them, because they are your key clients and you do not want anyone to spoil business with them in any way, you can use Caller Routes to specify the telephone numbers of VIP customers. Instantaneously all inbound calls from those numbers will reach you, and the remaining calls from other numbers will be routed to your staff through a Hunt Group or any other feature that you use.

    Caller route is the best tool to segregate calls from important customers and handle their calls personally.

  11. Geraldo Castellanoz says:

    Great read. Very useful. Thanks, keep up the great site!
