router’s configuration file. Figure lists password creation rules. When creating passwords for Cisco routers, always keep these rules in mind: You may want to add your own rules to this list, making your passwords even safer. One method of creating strong passwords is to use pass phrases. A passphrase is basically a sentence or phrase that serves as a more secure password. Use a sentence, quote from a book, or song lyric that you can easily remember as the basis of your strong password or pass phrase. For example:
5.5 Securing Cisco Router Administrative Access
5.5.2 Initial Password Configuration

One way to perform initial router configuration tasks, including configuring a password, is to access the router console port as shown in Figure. A console is a terminal connected to a router console port. The terminal can be a dumb terminal or a PC with terminal emulation software. Consoles are only one of the ways to obtain administrative access to configure and manage routers. Other ways to gain administrative access include:

Initial Configuration Dialog
If you are working on a new router or an existing router that has been reset (possibly using the Cisco password recovery procedure), the Cisco IOS CLI asks whether you want to enter the initial configuration dialog. Figure [2] shows a router configuration sample with this initial prompt. The first few questions in the initial configuration dialog pertain to these password requirements:

The enable secret password allows you to enter enable mode (sometimes referred to as privileged mode or privileged-EXEC mode). You can set the enable secret password by entering a password during the initial configuration dialog, as shown in Figure, or by using the enable secret command in global configuration mode. The enable secret overrides the enable password that you configure with the enable password command. In other words, when enable secret is configured, you cannot access privileged mode using the password that was configured with the enable password command. The enable secret command stores the password as a one-way hash based on Message Digest 5 (MD5), which is considered irreversible by most cryptographers. However, even this type of hash is still vulnerable to brute-force or dictionary attacks. If you forget the enable secret password, you have no alternative but to replace the password using the Cisco router password recovery procedure.

The enable password command is a holdover from older versions of Cisco IOS software. By default, the enable password is not encrypted in the router configuration. Cisco kept the older enable password command in later versions of Cisco IOS software, even though enable secret is a safer way to store privileged-EXEC passwords, in case the router is downgraded to a version of Cisco IOS software that does not support enable secret. The enable password protects the privileged-EXEC mode.
The virtual terminal password is the line-level password that you enter when you are connecting to the router using Telnet or SSH. You can set this password during the initial configuration dialog or by using the password command in vty line configuration mode. The virtual terminal password is not encrypted.
5.5 Securing Cisco Router Administrative Access
5.5.3 Protecting Line Access

To secure the router, you should protect the access through the console, auxiliary, and vty lines. Figure shows the command syntax for creating a password to secure this access.

Console Port
By default, the Cisco router console ports allow a hard BREAK signal (within 60 seconds of a reboot) to interrupt the normal boot sequence and give the console user complete control of the router. This interruption is used for maintenance purposes, such as when running the Cisco router password recovery procedure. Even though this hard BREAK sequence is, by default, available to someone who has physical access to the router console port, it is still important to set a line-level password for users who might try to gain console access remotely. The hard BREAK sequence may be disabled using the no service password-recovery command.

Note
If a router is configured with the no service password-recovery command, all access to the ROM Monitor (ROMMON) is disabled. By default, the console port does not require a password for console administrative access. However, you should always configure a console port line-level password. There are two ways to configure a console line password: You can enter the password during the initial configuration dialog, or you can use the password command in the console line configuration mode.

vty Lines
Cisco routers support multiple Telnet sessions (up to five simultaneous sessions by default; more can be added), each serviced by a logical vty. By default, Cisco routers do not have any line-level passwords configured for these vty lines. If you enable password checking, you must also configure a vty password before attempting to access the router using Telnet. If you fail to configure a vty password and password checking is enabled for vty, you will encounter an error message similar to the following:

Telnet 10.0.1.2
Trying 10.0.1.2 ... open

Password required, but none set

[Connection to 10.0.1.2 closed by foreign host]

There are two ways to configure a vty password: You can enter the password during the initial configuration dialog, or you can use the password command in line vty configuration mode. The following are more things to consider when securing Telnet connections to a Cisco router:
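To make the checks from 5.5.2 and 5.5.3 concrete (enable secret versus enable password, line-level passwords on the console, auxiliary and vty lines, and the "Password required, but none set" condition that arises when password checking is on but no vty password is set), here is an added Python example that is not part of the course material or of Cisco IOS. It parses a running-config and reports each weakness. Both configurations are constructed samples with obviously fake placeholder passwords, the finding codes are my own labels, and the script also checks for service password-encryption, a standard IOS command that the text above does not mention.

```python
from typing import List, Tuple

# Constructed sample running-configs (illustrative only; not from the course
# page or any real device). Passwords are obviously fake placeholders.
WEAK_CONFIG = """\
hostname R1
!
enable password cisco123
!
line con 0
 login
!
line aux 0
!
line vty 0 4
 login
 transport input telnet
!
end
"""

HARDENED_CONFIG = """\
hostname R1
service password-encryption
enable secret ConstructedEnableSecret1
!
line con 0
 password ConstructedConsolePw1
 login
line aux 0
 password ConstructedAuxPw1
 login
line vty 0 4
 password ConstructedVtyPw1
 login
 transport input ssh
!
end
"""

# A finding is (scope, code, message); scope is "enable", "global" or a line block.
Finding = Tuple[str, str, str]


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split a running-config into (top-level command, [sub-commands]) blocks.

    IOS indents the sub-commands of a mode (e.g. 'line vty 0 4') by one space;
    '!' separators and blank lines carry no configuration and are skipped.
    """
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> List[Finding]:
    """Report the password weaknesses discussed in 5.5.2 and 5.5.3."""
    findings: List[Finding] = []
    blocks = parse_blocks(config)
    top = [cmd for cmd, _ in blocks]

    # Privileged-EXEC: 'enable secret' (MD5 hash) overrides 'enable password' (clear text).
    has_secret = any(c.startswith("enable secret ") for c in top)
    has_enable_pw = any(c.startswith("enable password ") for c in top)
    if not has_secret and not has_enable_pw:
        findings.append(("enable", "NO_ENABLE_PASSWORD",
                         "privileged-EXEC mode has no password at all"))
    elif not has_secret:
        findings.append(("enable", "NO_ENABLE_SECRET",
                         "only 'enable password' is set; it is stored in clear text by default "
                         "instead of the MD5 hash that 'enable secret' provides"))
    elif has_enable_pw:
        findings.append(("enable", "ENABLE_PASSWORD_REDUNDANT",
                         "'enable password' is ignored while 'enable secret' is set, "
                         "but still sits readable in the configuration"))

    # Global settings (service password-encryption is assumed from IOS, not from the page).
    if "service password-encryption" not in top:
        findings.append(("global", "NO_PASSWORD_ENCRYPTION",
                         "line passwords are stored in clear text"))
    if "no service password-recovery" in top:
        findings.append(("global", "RECOVERY_DISABLED",
                         "BREAK/ROMMON recovery is disabled; a forgotten enable secret "
                         "cannot be reset with the recovery procedure (deliberate trade-off)"))

    # Line access: console, auxiliary and vty lines.
    for cmd, subs in blocks:
        if not cmd.startswith("line "):
            continue
        plain_login = "login" in subs                         # check against the line password
        any_login = any(s.startswith("login") for s in subs)  # also 'login local' etc.
        has_password = any(s.startswith("password ") for s in subs)
        if plain_login and not has_password:
            findings.append((cmd, "LOGIN_NO_PASSWORD",
                             "password checking is on but no line password is set; sessions "
                             "are refused with 'Password required, but none set'"))
        elif not any_login:
            findings.append((cmd, "NO_LOGIN",
                             "no login check: reaching this line gives user-EXEC access "
                             "without any password"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for scope, code, msg in audit(cfg) or [("-", "OK", "no findings")]:
            print(f"{scope:14} {code:26} {msg}")
```

Run against the weak sample, the auditor flags the clear-text enable password, the missing service password-encryption, the console and vty lines that enforce login without a password (the exact condition behind the Telnet error shown above), and the auxiliary line with no login check at all; the hardened sample produces no findings. The line-password check deliberately treats only a bare login sub-command as needing a line password, since login local authenticates against local usernames instead.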