3.3 Important Cisco IOS Features
3.3.4 Password recovery

If at any time you forget the normal mode or enable passwords, you need to start a password recovery process. Password recovery on the Catalyst 4000/5000/6000 Series differs from the methods used on a Cisco router or on other models of switches.

You must be connected to the console port to perform the password recovery procedure. Password recovery requires a power cycle of the system by toggling the power switch. After you power cycle the switch, it goes through its initialization routines and eventually prompts you for a password to enter the normal mode. At this point, you have 30 seconds to perform password recovery.

The trick in password recovery on the switch lies in its behavior during the first 30 seconds after booting. When the switch first boots, it ignores the passwords in the configuration file and uses the default password <ENTER> instead. Therefore, whenever the Catalyst switch prompts you for an existing password during this window, simply type <ENTER> and the switch accepts your response. Immediately enter set password or set enablepass to change the appropriate password(s).

During the password recovery process, when the switch prompts for the new password, simply respond with <ENTER>. Otherwise, trying to type in new passwords sometimes forces you to reboot again, especially if you are a poor typist. By initially setting the password to the default value, you minimize the probability of entering a bad value. After setting the enable and EXEC passwords to the default, you can then go back and change the values without the pressure of completing the process during the 30-second time window provided for password recovery.

As with many security situations, it is extremely important that you consider physical security of your equipment. As demonstrated in the password recovery process, an attacker simply needs the ability to reboot the Catalyst switch and access to the console to get into the privileged mode. When in the privileged mode, the attacker can make any changes that he or she desires. Keep your wiring closets secured and minimize access to console ports.
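Because recovery always shows up as a power cycle followed by a console password change, that sequence is worth alerting on. The following is an added example, not part of the original course material: the event records, device names, and the 300-second allowance for boot time are all assumptions, standing in for whatever your log pipeline produces from switch syslog or SNMP traps.

```python
# Assumed allowance, in seconds, for boot time plus the 30-second recovery window.
WINDOW = 300

def find_recovery_suspects(events, window=WINDOW):
    """Return (device, boot_ts, change_ts) for every console password change
    that follows a cold start on the same device within `window` seconds."""
    last_boot = {}   # device -> timestamp of its most recent cold start
    hits = []
    # Events may arrive out of order from different collectors, so sort first.
    for ev in sorted(events, key=lambda e: e["ts"]):
        dev = ev["device"]
        if ev["type"] == "cold_start":
            last_boot[dev] = ev["ts"]
        elif ev["type"] == "password_change" and ev.get("source") == "console":
            boot = last_boot.get(dev)
            # Recovery needs console access, so remote (vty) changes are
            # ignored, as are changes with no recent reboot before them.
            if boot is not None and ev["ts"] - boot <= window:
                hits.append((dev, boot, ev["ts"]))
    return hits

# Constructed sample events (hypothetical normalized schema, epoch seconds).
SAMPLE = [
    {"ts": 1100, "device": "sw-closet-1", "type": "password_change", "source": "console"},
    {"ts": 1000, "device": "sw-closet-1", "type": "cold_start"},
    {"ts": 1090, "device": "sw-closet-1", "type": "password_change", "source": "console"},
    {"ts": 2000, "device": "sw-closet-2", "type": "cold_start"},
    {"ts": 2050, "device": "sw-closet-2", "type": "password_change", "source": "vty"},
    {"ts": 3000, "device": "sw-core-1", "type": "password_change", "source": "console"},
    {"ts": 4000, "device": "sw-closet-3", "type": "cold_start"},
    {"ts": 5000, "device": "sw-closet-3", "type": "password_change", "source": "console"},
]

if __name__ == "__main__":
    for dev, boot, change in find_recovery_suspects(SAMPLE):
        print(f"{dev}: console password change {change - boot}s after cold start")
```

Only sw-closet-1 is flagged in the sample; the other devices show a remote change, a change with no preceding reboot, and a change well outside the window.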

Lab Activity
  In this lab activity, you will learn how to regain control of a Cisco Catalyst 4000 Ethernet switch after you have lost the passwords.
Lab Activity
  In this lab activity, you will learn how to regain control of a Cisco Catalyst 2900 Ethernet switch after you have lost the passwords.