Passwords on IOS devices

IOS devices can be protected using different types of passwords, depending on the type of access. Each password you configure should be complex and unique. The following passwords can be used on an IOS device:

1. console password – by default, console access does not require a password, so anyone with physical access to the device can access the CLI. To configure a console password, use the following commands:

R1(config)#line console 0 – enters the console port configuration mode.
R1(config-line)#password cisco – sets the password (cisco in this case).
R1(config-line)#login – enables password checking on the line, so the password is required at login.

After the console password has been set, users will be forced to enter the password to access the device through the console port:

User Access Verification
Password:
R1#

2. telnet password – telnet access to an IOS device is disabled by default. You can enable it and require a password for telnet access using the following set of commands:

R1(config)#line vty 0 15 – IOS devices typically have 16 VTY lines. This means that 16 concurrent telnet or SSH sessions can be established. The first number represents the first VTY line, and the second number represents the last VTY line.
R1(config-line)#password cisco
R1(config-line)#login

After the telnet password has been set, users accessing devices using telnet will be forced to provide the password:

PC>telnet 10.0.0.1
Trying 10.0.0.1 ...Open

User Access Verification

Password:
R1>

3. aux password – many Cisco devices have an auxiliary (AUX) port that can be used for remote router management via modem. You can require users to enter the password before accessing the device this way:

R1(config)#line aux 0
R1(config-line)#password cisco
R1(config-line)#login

4. enable mode password – you can configure an IOS device to require a password before entering the enable mode. This can prevent an unauthorized user from entering the global configuration mode and changing the configuration of the device. The configured password will be stored in encrypted form. Here is the command:

R1(config)#enable secret verysecret

The user will be prompted to provide the password when trying to access the enable mode:

Router>en
Password: 
Router#

Encrypt passwords

Note that all passwords on an IOS device, with the exception of the enable secret password, are stored in clear-text in the configuration files:

R1#show running-config
.
.
.
 
!
line con 0
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
login
line aux 0
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
login
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end

You can use the service password-encryption global configuration command to encrypt the passwords:

R1(config)#service password-encryption

Now, the passwords are stored in encrypted form:

R1#show running-config
.
.
.
!
line con 0
exec-timeout 0 0
privilege level 15
password 7 045802150C2E
logging synchronous
login
line aux 0
exec-timeout 0 0
privilege level 15
password 7 0822455D0A16
logging synchronous
login
line vty 0 4
password 7 0822455D0A16
login
line vty 5 15
password 7 0822455D0A16
login
!
!
end

Note that the method of password encryption used with the service password-encryption command (the type 7 encoding shown above) is not considered to be especially secure: it is a reversible encoding rather than a hash, so it can be easily cracked. You should use the service password-encryption command together with additional security measures.
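As an added example (not from the original page or from Cisco), here is a small Python audit that reads a running-config like the ones above and flags line sections whose password is still stored in clear text, lines with login but no password, lines that never check a password, and the missing service password-encryption setting. The two config fragments are constructed for the example, not captured from a device.

```python
import re

# Constructed running-config fragments modelled on the ones shown above (not from a real device).
CLEARTEXT_CONFIG = """\
line con 0
 password cisco
 login
line aux 0
 password cisco
 login
line vty 0 4
 password cisco
 login
"""
ENCRYPTED_CONFIG = "service password-encryption\n" + CLEARTEXT_CONFIG.replace(
    "password cisco", "password 7 0822455D0A16")
CLEARTEXT = "password stored in clear text"


def audit_line_passwords(config: str) -> list:
    """Audit con/aux/vty 'line' sections: a 'password' without the type-7
    marker is clear text, 'login' without a password locks nobody out, and a
    line without 'login' never asks for its password at all."""
    findings = []
    def close(section, state):
        if section is None:
            return
        if state.get("password") is None and state.get("login"):
            findings.append((section, "login configured but no password set"))
        elif state.get("password") == "cleartext":
            findings.append((section, CLEARTEXT))
        if not state.get("login"):
            findings.append((section, "no 'login' - password is never checked"))
    section, state = None, {}
    for raw in config.splitlines():
        words = raw.split()
        if words and words[0] == "line":
            close(section, state)
            section, state = " ".join(words), {}
        elif section and words and words[0] == "password":
            # 'password 7 <hex>' is type-7 encoded; anything else is clear text
            state["password"] = "encoded" if len(words) == 3 and words[1] == "7" else "cleartext"
        elif section and words and words[0] == "login":
            state["login"] = True
    close(section, state)
    if not re.search(r"^service password-encryption$", config, re.M) and any(
            issue == CLEARTEXT for _, issue in findings):
        findings.append(("global", "service password-encryption is not enabled"))
    return findings
```

Run it against the output of show running-config to get a per-line list of findings; an empty list means every line password is type-7 encoded and checked at login.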

Geek University 2022