10.2 Basic Security
10.2.3 Basic password protection
Every Cisco device can be accessed in several different ways. Every method of accessing the device should have a password applied to prevent unauthorized access.

Out-of-band management options include the following:

  • Console 0
  • Auxiliary 0

In-band management options include the following:

  • Trivial File Transfer Protocol (TFTP) servers
  • Network-management software such as CiscoWorks 2000
  • Virtual terminal ports that are used for terminal access and are referred to as vty ports. There are five vty ports by default on each Cisco device. You can create more virtual terminal ports if you need to have more than five users accessing a device simultaneously.

The figure illustrates setting passwords on both a set command-based switch and a Cisco IOS® command-based switch.

When you first boot a switch, there will be no password assigned. In other words, the password is <ENTER> to enter both the EXEC and privilege modes. To change the enable password for privilege mode on a set command-based switch, issue the command set enablepass. The switch will immediately prompt you for the old password. In this case, the old password is simply to press the <ENTER> key. The switch will then prompt you to enter the new enable password; enter the desired password. The switch will then prompt you to re-enter the password to confirm the password. The example also illustrates how to change the normal mode password using the set password command.

The login option on a Cisco IOS command-based switch indicates where to find the login information. If the login is specified without a keyword, as in the case of the console port, the system will use the line as the login. The user will be prompted for the password of the line itself (in this case, cisco). The other options indicate that the specific user must log in. The keyword after login indicates where to find the user information. The login local statement indicates that the information will be found locally in the username student password cisco statement. Other options include login authentication or login tacacs. These options indicate that the login information is contained on a centralized authentication server. Centralizing usernames, passwords, and profile information makes it easier to maintain a large number of users or devices.

It is recommended that users log in to the system with a username and password rather than having everyone use the password of the line. Having users log in to the device makes it easier to track down who is accessing the device and what changes they have made. By default, passwords are stored in cleartext format in the router configuration. The only exception to this is the enable secret password, which is automatically encrypted. Password encryption can be compromised, so it should be used in combination with other methods of security.
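The following is an added example, not part of the original course text, that audits a constructed Cisco IOS-style running-config against the practices described above: every console, aux and vty line should require login, login local is preferred over a shared line password, enable secret should be set, and cleartext passwords are flagged. The sample config and the hash placeholder in it are constructed for illustration.

```python
import re

# Constructed sample running-config (not the page's figure). Console uses a
# shared line password, aux has no login at all, vty uses local usernames.
SAMPLE_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$hashvaluehere
username student password 0 cisco
line con 0
 password cisco
 login
line aux 0
 password cisco
line vty 0 4
 login local
"""


def parse_line_stanzas(config):
    """Return {'line con 0': [sub-commands], ...} for each 'line' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                stanzas[current].append(raw.strip())
        else:
            current = raw.strip() if raw.startswith("line ") else None
            if current is not None:
                stanzas[current] = []
    return stanzas


def audit(config):
    """Return sorted findings against the practices described above."""
    findings = []
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("no 'enable secret' configured")
    if re.search(r"^enable password ", config, re.M):
        findings.append("cleartext 'enable password' present")
    # 'password 7 ...' is type-7 encrypted; any other 'password' form is cleartext
    for m in re.finditer(r"^username (\S+) password (?:0 )?(?!\d )\S+", config, re.M):
        findings.append(f"username {m.group(1)}: cleartext password")
    for name, cmds in parse_line_stanzas(config).items():
        if not any(c.startswith("login") for c in cmds):
            # a line password is only checked when 'login' is configured
            findings.append(f"{name}: no login configured (open access)")
        elif "login" in cmds:
            findings.append(f"{name}: shared line password, prefer login local")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```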