Passwords are the most critical tools in controlling access to a router. There are two password protection schemes in Cisco IOS:
- Type 7 uses the Cisco-defined encryption algorithm, which is not as strong as Type 5 encryption.
- Type 5 uses an MD5 hash, which is much stronger. Cisco recommends that Type 5 encryption be used instead of Type 7 where possible. Type 7 encryption is used by the enable password, username, and line password commands.
To protect the privileged EXEC level as much as possible, do not use the enable password command. Use the enable secret command. Even if the enable secret is set, do not set the enable password because it will not be used and may give away a system password.
No user
account should be created above privilege level 1 since it is not possible to
use Type 5 encryption on the default EXEC login or the
username command. User accounts should be created for
auditing purposes. The username command should be used to
create individual user accounts at the EXEC level and then the higher privilege
levels should be protected with the enable secret password.
Users with a need to work at higher levels would be given the higher privilege
level password.
If the login command is used to
protect a line, then the password command is the only way
to set a password on a line. But if the login local command
is used to protect a line then the specified user name and password pair is
used. For access and logging reasons use the login local
command.
The privileged EXEC secret password should not match any other
user password. Do not set any user or line password to the same value as any
enable secret password.
The service password-encryption command will keep passersby from reading passwords that are displayed on the screen. Be aware that there are some secret values that service password-encryption does not protect. Never set any of these secret values to the same string as any other password.
Good password practices include the following:
- Avoid dictionary words, names, phone numbers, and dates.
- Include at least one lowercase letter, uppercase letter, digit, and special
character.
- Make all passwords at least eight characters long.
- Avoid more than four digits or same-case letters in a row.
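The four practices above can be turned into a mechanical check. The following is an added example (not part of the original page and not a Cisco tool) that scores a candidate password against each rule; the small DICTIONARY set is a constructed stand-in for a real word list, and the phone/date patterns are an assumption about what "phone numbers and dates" look like:

```python
import re

# Constructed stand-in for a dictionary/name list; a real check would load a word file.
DICTIONARY = {"cisco", "lab", "password", "router", "admin", "secret", "enable"}

# One regex per required character class.
CLASSES = {
    "lowercase letter": re.compile(r"[a-z]"),
    "uppercase letter": re.compile(r"[A-Z]"),
    "digit": re.compile(r"\d"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}

# Assumed shapes for the "phone numbers and dates" rule: 7-digit phone numbers,
# 19xx/20xx years, and d/m/y style dates.
PHONE_OR_DATE = re.compile(r"\d{3}[-. ]?\d{4}|(?:19|20)\d{2}|\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}")
# "More than four in a row" means five or more digits or same-case letters.
LONG_RUN = re.compile(r"\d{5,}|[a-z]{5,}|[A-Z]{5,}")


def check_password(pw: str) -> list:
    """Return the list of policy violations for pw; an empty list means it passes."""
    problems = []
    lower = pw.lower()
    if any(word in lower for word in DICTIONARY):
        problems.append("contains a dictionary word or common name")
    if PHONE_OR_DATE.search(pw):
        problems.append("looks like a phone number or a date")
    missing = [name for name, rx in CLASSES.items() if not rx.search(pw)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if LONG_RUN.search(pw):
        problems.append("more than four digits or same-case letters in a row")
    return problems


if __name__ == "__main__":
    # Constructed candidates: a common default, a seasonal pattern, and a compliant one.
    for candidate in ("cisco", "Summer2024!!", "Wq7#pLx2!k"):
        verdict = check_password(candidate) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The dictionary test is a substring match, so "cisco123" is rejected as well as "cisco"; this is deliberate, since the rule is about avoiding dictionary words anywhere in the password, not only as the whole value.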
Cisco IOS Software Release 12.3(1) and greater allow administrators to
set the minimum character length for all router passwords using the
security passwords global configuration command, as shown
in the figure. This command provides enhanced security access to the router by
allowing you to specify a minimum password length, eliminating common passwords
that are prevalent on most networks, such as "lab" and
"cisco." This command affects user passwords, enable passwords and
secrets, and line passwords created after the command was executed (existing
router passwords remain unaffected).
The syntax for the security passwords command is shown in the figure.
By
default, Cisco IOS routers allow a break sequence during power up, forcing the
router into ROMMON mode. Once the router is in ROMMON mode, anyone can choose
to enter a new enable secret password using the well-known Cisco password
recovery procedure. This procedure, if performed correctly, leaves the router
configuration intact. This scenario presents a potential security breach in
that anyone who gains physical access to the router console port can enter
ROMMON, reset the enable secret password, and discover the router
configuration.
This potential security breach can be mitigated using the no service password-recovery global configuration command, as shown in the figure.
NOTE: The no service password-recovery command is a hidden Cisco IOS command, and is not visible in the ? output.
If a router is configured with no service
password-recovery, all access to the ROMMON is disabled. If the
router’s flash memory does not contain a valid Cisco IOS image, you will not be
able to use the ROMMON XMODEM command to load a new Flash image. In order to
repair the router, you must obtain a new Cisco IOS image on a Flash SIMM, or on
a PCMCIA card (3600 only). See Cisco.com for more information regarding backup
Flash images.
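The password, line and password-recovery recommendations on this page can all be audited from a saved running-config. The following is an added example (not part of the original page and not a Cisco tool): it parses two constructed configuration fragments, one weak and one hardened, and reports which recommendations each one violates. Both configs are made up for the demo, the Type 7 and Type 5 strings in them are placeholders rather than real encoded passwords, and the finding codes (ENABLE-PASSWORD-SET and so on) are names chosen here. The parser assumes the one-space indentation that show running-config uses for line sub-commands.

```python
import re

# Constructed configs for the demo; the 7/5 password strings are placeholders.
WEAK_CONFIG = """\
enable password 7 0123456789ABCD
enable secret 5 $1$XXXX$constructedplaceholderhash000
username admin privilege 15 password 7 0123456789ABCD
username ops password 0 cisco
line con 0
 password cisco
 login
line vty 0 4
 password 7 0123456789ABCD
 login local
"""

HARDENED_CONFIG = """\
service password-encryption
no service password-recovery
security passwords min-length 10
enable secret 5 $1$XXXX$constructedplaceholderhash000
username admin password 7 0123456789ABCD
line con 0
 login local
line vty 0 4
 login local
"""

USERNAME_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))?.*? (password|secret) (?:(\d) )?(\S+)")
LINE_PASSWORD_RE = re.compile(r"^password (?:(\d) )?(\S+)")


def _line_blocks(lines):
    """Return [(line name, [sub-commands])] for every 'line ...' section."""
    blocks, current = [], None
    for ln in lines:
        if ln.startswith("line "):
            current = (ln.strip(), [])
            blocks.append(current)
        elif ln.startswith(" ") and current is not None:
            current[1].append(ln.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks


def audit_config(text: str) -> list:
    """Return findings (code prefix + explanation) for one running-config."""
    lines = text.splitlines()
    glob = [ln.strip() for ln in lines if ln and not ln.startswith(" ")]
    findings = []
    if not any(c.startswith("enable secret ") for c in glob):
        findings.append("ENABLE-SECRET-MISSING: privileged EXEC is not protected by an MD5 enable secret")
    if any(c.startswith("enable password ") for c in glob):
        findings.append("ENABLE-PASSWORD-SET: enable password is configured; it is unused when "
                        "enable secret exists and may give away a system password")
    if "service password-encryption" not in glob:
        findings.append("NO-PASSWORD-ENCRYPTION: line and user passwords are displayed in cleartext")
    if not any(c.startswith("security passwords min-length ") for c in glob):
        findings.append("NO-MIN-LENGTH: security passwords min-length is not set")
    if "no service password-recovery" not in glob:
        findings.append("PASSWORD-RECOVERY-ENABLED: a console break into ROMMON can reset the enable secret")

    cleartext = {}  # cleartext password value -> number of users/lines using it
    for c in glob:
        m = USERNAME_RE.match(c)
        if not m:
            continue
        user, priv, kind, ptype, value = m.groups()
        if priv and int(priv) > 1:
            findings.append(f"USER-PRIV: username {user} is at privilege {priv}; keep accounts at "
                            "level 1 and protect higher levels with enable secret")
        if kind == "password" and ptype in (None, "0"):
            cleartext[value] = cleartext.get(value, 0) + 1

    for name, cmds in _line_blocks(lines):
        if "login" in cmds:  # exact 'login', i.e. line password rather than 'login local'
            findings.append(f"LINE-LOGIN: {name} uses 'login' with a line password; use 'login local'")
        for cmd in cmds:
            m = LINE_PASSWORD_RE.match(cmd)
            if m and m.group(1) in (None, "0"):
                cleartext[m.group(2)] = cleartext.get(m.group(2), 0) + 1

    for n in cleartext.values():
        if n > 1:
            findings.append(f"PASSWORD-REUSE: one cleartext password is shared by {n} users/lines")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_config(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  " + f)
```

Reuse can only be detected for values that are still in cleartext (no type or type 0); once service password-encryption or an MD5 secret is in place, equality between stored values is not recoverable from the config, which is why the check for "no user or line password equal to the enable secret" has to happen when the passwords are chosen rather than afterwards.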