What are Different Types of Passwords used in Securing Cisco Router?

Passwords are an essential part of Cisco router access control. They are used to restrict access to a Cisco router. Because routers do not come with any automatic or default password defense, different types of passwords are used: the console password, used for setting up the console port password; the aux password, for setting up a password for the auxiliary port; the secret password, for SSH and Telnet connections and the console port as well; and the enable password or the vty password, used for Telnet or SSH sessions in a router. Furthermore, passwords can be set on privileged EXEC mode.

Types of passwords :
There are five main types of passwords:

  1. Console Password
  2. Aux or Auxiliary Password
  3. Enable Password
  4. Enable Secret Password
  5. VTY password

These are explained below.

1. Console Password :
It is used to set the console port password. If no password has been set on the router's console, the user can access user mode by default. The real encryption process ensues when a password is configured or the existing configuration is written. It is crucial to set a console port password because it defends against someone physically walking up to the router, connecting, or gaining access to user mode, and much more. As routers have only one console port, the user needs to use the command "line console 0" in global config mode.

Router1# config t
Router1(config)# line console 0
Router1(config-line)# password MkcbDtGfRblw3#$577DF
Router1(config-line)# login
Router1(config-line)# exit

2. Aux or Auxiliary Passwords :
The aux password is used for setting up a password for the auxiliary port, which is a physical access port on the router. The auxiliary port is used for accessing a router over a modem. This port is not present on all routers, though.

Router1# config t
Router1(config)# line aux 0
Router1(config-line)# password MkcbDtGfRblw3#$577DF
Router1(config-line)# login
Router1(config-line)# end

3. Enable Password :
The enable password is a global command that limits access to privileged EXEC mode. These passwords are not encrypted. They are generally used for changing the security level (from level 0 to level 15) on the router, though usually the enable password is used for moving from user mode to privileged mode.

Router1# config t
Router1(config)# enable password MkcbDtGfRblw3#$577DF
Router1(config)# exit  

4. Enable Secret Password :
It has the same functionality as the enable password, though the passwords are stored in a much more secure encrypted form. It assigns one-way encrypted secret passwords and is available in version 10.3 and newer versions.

Router1(config)# enable secret MkcbDtGfRblw3#$577DF

5. Vty password :
Vty lines are used for Telnet or SSH sessions in a router. The vty password can be set up at the time of configuring the router from the console. These passwords can be changed at any time by the user. There can be one password for all vtys, or there can be different passwords corresponding to each virtual terminal (i.e., vty0 – vty4).

Router1# config t
Router1(config)# line vty 0 4
Router1(config-line)# password MkcbDtGfRblw3#$577DF
Router1(config-line)# login

For example, all plain-text passwords can be encrypted with the service password-encryption command. The configuration before running it:

Router1# show run
Building configuration...
Current configuration: 976 bytes
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router1
enable secret 5 $5$eWMd$Qxl6RCoPutSnLoBaR047N/
enable password dSFsvr433
username smdh password 0 dSFsvr43345
username btcan password 0 linux
username mtcan secret 5 $5$eWMd$Qxl6RCoPutSnLoBaafdefR047Ncs
username mmlel password 0 68445
interface FastEthernet0/0
ip address 1.0.0.1 255.0.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 2.0.0.1 255.0.0.0
ip classless
ip route 0.0.0.0 0.0.0.0 2.0.0.2
line con 0
password mmlel684
login
line aux 0
password 684
login
!
line vty 0 4
login local

Now run the service password-encryption command:

Router1# config t
Router1(config)# service password-encryption

Now check the configuration after running the service password-encryption command:

Router1# show run
Building configuration...
Current configuration: 926 bytes
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
hostname Router1
enable secret 5 $5$eWMd$Qxl6RCoPutSnLoBaR047N/
enable password 7 54893F4571269843
username smdh password 7 54893F457126984365E
username btcan password 7 548D93F457C12
username mtcan secret 5 $5$eWMd$Qxl6RCoPutSnLoBaafdefR047Ncs
username mmlel password 7 59531E1D5D8C
interface FastEthernet0/0
ip address 1.0.0.1 255.0.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 2.0.0.1 255.0.0.0
duplex auto
speed auto
ip classless
ip route 0.0.0.0 0.0.0.0 2.0.0.2
line con 0
password 7 01863D9A110A0D494078
login
line aux 0
password 7 02803W1F
login
line vty 0 4
login local
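
The output above still mixes storage types: "secret" entries are one-way hashes, while "password 7" entries are only a reversible encoding. The following Python check is an added example, not part of the original article; it reads a running-config and reports how each credential is stored. The sample is a trimmed copy of the article's output, and the function names audit and weak_locations are hypothetical.

```python
import re

# Constructed sample: a trimmed copy of the article's "after" running-config.
SAMPLE_CONFIG = """\
service password-encryption
hostname Router1
enable secret 5 $5$eWMd$Qxl6RCoPutSnLoBaR047N/
enable password 7 54893F4571269843
username smdh password 7 54893F457126984365E
username mtcan secret 5 $5$eWMd$Qxl6RCoPutSnLoBaafdefR047Ncs
line con 0
 password 7 01863D9A110A0D494078
 login
line vty 0 4
 login local
"""

# [enable | username NAME] (password|secret) [TYPE] VALUE
CRED = re.compile(r"^(enable |username (\S+) )?(password|secret) (?:(\d+) )?(\S+)$")

def audit(config_text):
    """Return (location, storage, ok) for every credential line in a config."""
    findings, context = [], "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            context = line          # later bare "password" lines belong to this line
            continue
        m = CRED.match(line)
        if not m:
            continue
        prefix, user, keyword, ptype, _value = m.groups()
        where = f"username {user}" if user else "enable" if prefix else context
        if keyword == "secret":
            findings.append((where, f"hashed (type {ptype or 'unspecified'})", True))
        elif ptype == "7":
            # Type 7 is a reversible encoding, not a hash: it only hides the
            # password from someone glancing at the screen or a printout.
            findings.append((where, "type 7 (reversible)", False))
        else:
            findings.append((where, "cleartext", False))
    return findings

def weak_locations(config_text):
    """Locations whose credential is stored in cleartext or type 7 form."""
    return [where for where, _storage, ok in audit(config_text) if not ok]

if __name__ == "__main__":
    for where, storage, ok in audit(SAMPLE_CONFIG):
        print(f"{'ok  ' if ok else 'WEAK'}  {where:<16} {storage}")
```

On the sample it flags the enable password, the smdh user and the console line, and passes the two "secret" entries.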

Now configure Telnet with password protection.

Router1(config)# username mmlel password 68445
Router1(config)# username smdh password dSFsvr43345
Router1(config)# line vty 0 4
Router1(config-line)# login local
Router1(config-line)# exit

Tips :

  • The user should use service password encryption on all the routers.
  • Users should make sure that passwords are strong.
  • All routers should have distinct passwords.
  • The router should always be accessed from a secure system.

Last Updated : 23 Nov, 2021