Thursday, December 8, 2011

Password Security

There are four common places to use passwords in Cisco's IOS: the console login, the telnet (vty) login, the enable password and the enable secret. In today's security-conscious world, a good password scheme is mandatory. To keep the examples readable, the passwords I use in this article are simple and should not be considered strong. Your passwords should be as long as practical and mix uppercase letters, lowercase letters, digits and special characters such as !, @, #, $, % and *; any printable character can be used. Ideally, each of the four should be different from the other three.

In order to telnet to the switch and make changes, we already set a password for telnet login and an enable secret password to let us into privileged EXEC mode. I mentioned that there was an 'enable' password and an 'enable secret' password. You might be wondering "What's the difference?" The difference lies in how each one is stored in the configuration, which you can see when you type 'show run' and press return. Here's how it currently looks:

Switch#show run
Building configuration...

Current configuration : 1371 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$HkRl$LkvWMGqhk2n5pvW7DSJzd.
!




You'll notice that the enable secret is not stored as typed: the 5 and the $1$ prefix mark it as an MD5 hash, so you can't read the password from it. Let's add a plain old enable password and show the listing to see how it shows up under the same circumstances. After logging in I enter privileged EXEC mode by typing the current enable secret, then I enter global config mode:

Switch>enable
Password:
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#


For the enable secret password I used 'secure'. For the enable password I'll use 'notsosecure'. I'll then exit to privileged EXEC mode and show the running config.


Switch(config)#enable password notsosecure
Switch(config)#exit
Switch#show run
Building configuration...

Current configuration : 1399 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$HkRl$LkvWMGqhk2n5pvW7DSJzd.
enable password notsosecure
!
no aaa new-model
switch 1 provision ws-c3750-24ts
ip subnet-zero
!
!




See the difference? If someone were looking over your shoulder while you were verifying configuration information, or you kept backup copies of your configuration files on a TFTP server, the enable password would be exposed in clear text. Both commands are meant to protect privileged EXEC mode, but the enable secret is stored as a hash, so you can't tell what it is when viewing the running config or a backup text file, while the enable password is stored exactly as typed. When both are configured, IOS checks only the enable secret and ignores the enable password, so a plain enable password adds nothing but exposure. Normally, only the enable secret is set.

We've already set the telnet login password, so for added security let's add a console password. Since we're already in privileged EXEC mode we just enter global config mode, then line configuration mode for the console. The console port is referred to as 'line con 0'.

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#line con 0
Switch(config-line)#

Just like the telnet configuration, we add a password by typing the command 'password' followed by the word we want to use as the password. Here I assign the word 'switch' as the console login password and turn on password checking by typing login:

Switch(config-line)#password switch
Switch(config-line)#login
Switch(config-line)#exit
Switch(config)#exit
Switch#

To show all the passwords, I'll show the running configuration by typing show run after backing out to privileged EXEC mode. I've shortened the listing to just the relevant parts:

Switch#show run
Building configuration...

Current configuration : 1416 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$HkRl$LkvWMGqhk2n5pvW7DSJzd.
enable password notsosecure
!
no aaa new-model
switch 1 provision ws-c3750-24ts
ip subnet-zero
!



!
line con 0
password switch
login
line vty 0 4
password cisco
login
line vty 5 15
no login
!
end

Switch#


As you can see, the console and telnet passwords have been assigned, but we have the same problem as with the enable password: you can SEE them! That can be improved. You'll notice that near the top of the configuration file is the no service password-encryption command, which was discussed in chapter 2, The Default Configuration. It is the default setting, and it leaves the line passwords and the enable password in clear text. We can turn encryption on simply by typing service password-encryption in global configuration mode. Let's do that and then show the running config to see the difference.

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#service password-encryption
Switch(config)#exit
Switch#show run
Building configuration...

Current configuration : 1447 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Switch
!
enable secret 5 $1$HkRl$LkvWMGqhk2n5pvW7DSJzd.
enable password 7 151C0418172538212B262727
!
no aaa new-model
switch 1 provision ws-c3750-24ts
ip subnet-zero
!



!
line con 0
password 7 071C36455A0A11
login
line vty 0 4
password 7 02050D480809
login
line vty 5 15
no login
!
end

Switch#


Better, but be clear about what this buys you. The 7 now printed before each password marks it as a type 7 string, and type 7 is a fixed, reversible obfuscation: anyone who obtains the configuration can turn a type 7 string back into the original password in an instant with freely available tools. What service password-encryption really defends against is the over-the-shoulder glance; it is not a substitute for keeping configuration backups out of reach. Only the enable secret, with its type 5 MD5 hash, is genuinely protected, which is one more reason to rely on it. Let's save our changes by typing copy run start at the EXEC mode prompt:

Switch# copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Switch#
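To make the point concrete, here is an added example (not code from the original post) that reverses the type 7 strings shown in the listing above and audits the same configuration for the password-storage problems discussed in this article: clear-text passwords, reversible type 7 strings, an enable password that IOS ignores once an enable secret is set, and vty lines with password checking turned off. The decoder implements the publicly known type 7 scheme, a fixed key stream XORed over the password bytes. SAMPLE_CONFIG is a constructed excerpt reproducing the lines from the listing, and the severity labels are this example's own choice, not anything IOS reports.

```python
"""Audit a Cisco IOS running-config for weak password storage and show
why 'service password-encryption' (type 7) is not real protection.

Added example, not code from the original post.  SAMPLE_CONFIG is a
constructed excerpt reproducing the listing in the article.
"""
import re

# Fixed key stream used by IOS for type 7 strings.  The two-digit decimal
# prefix of a type 7 string is an offset into this table; each following
# hex byte is XORed with successive characters of the table.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

TYPE7_RE = re.compile(r"\d{2}(?:[0-9A-Fa-f]{2})+")

# 'enable secret', 'enable password' and line-mode 'password', with an
# optional storage type (5 = MD5 hash, 7 = reversible obfuscation).
PASSWORD_RE = re.compile(
    r"^\s*(enable secret|enable password|password)(?:\s+(\d+))?\s+(\S+)\s*$"
)


def decode_type7(encoded: str) -> str:
    """Recover the plaintext from a type 7 string such as '02050D480809'."""
    if not TYPE7_RE.fullmatch(encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    return "".join(
        chr(byte ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, byte in enumerate(data)
    )


def encode_type7(plaintext: str, seed: int = 0) -> str:
    """Produce the type 7 string IOS would store for a given seed (0-15)."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    body = "".join(
        f"{byte ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}"
        for i, byte in enumerate(plaintext.encode("ascii"))
    )
    return f"{seed:02d}{body}"


def audit_config(config: str) -> list:
    """Return (severity, context, message) findings for each password line."""
    findings = []
    context = "global"
    has_secret = has_enable_password = False
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("line "):
            context = stripped          # e.g. 'line vty 0 4'
            continue
        if stripped in ("!", "end"):
            context = "global"
            continue
        if stripped == "no login" and context.startswith("line "):
            findings.append(("HIGH", context, "password checking disabled on this line"))
            continue
        m = PASSWORD_RE.match(line)
        if not m:
            continue
        keyword, ptype, value = m.groups()
        has_secret |= keyword == "enable secret"
        has_enable_password |= keyword == "enable password"
        if ptype == "5":
            findings.append(("INFO", context, f"{keyword}: MD5 (type 5) hash, not reversible"))
        elif ptype == "7":
            findings.append(("HIGH", context, f"{keyword}: type 7 reverses to {decode_type7(value)!r}"))
        elif ptype is None:
            findings.append(("HIGH", context, f"{keyword}: stored in plaintext {value!r}"))
        else:
            findings.append(("INFO", context, f"{keyword}: type {ptype} not handled here"))
    if has_secret and has_enable_password:
        findings.append(("MEDIUM", "global",
                         "enable password is ignored while an enable secret is set; remove it"))
    return findings


# Constructed sample reproducing the final listing in the article.
SAMPLE_CONFIG = """\
service password-encryption
!
hostname Switch
!
enable secret 5 $1$HkRl$LkvWMGqhk2n5pvW7DSJzd.
enable password 7 151C0418172538212B262727
!
line con 0
 password 7 071C36455A0A11
 login
line vty 0 4
 password 7 02050D480809
 login
line vty 5 15
 no login
!
end
"""

if __name__ == "__main__":
    for severity, context, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {context}: {message}")
```

Running it recovers 'notsosecure', 'switch' and 'cisco' straight from the listing, which is the whole argument for using enable secret and for keeping configuration backups as tightly controlled as the passwords themselves. The vty 5 15 finding is worth a look too: those lines carry no login, so they are not protected by the password set on vty 0 4.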
