Configuring Router Passwords

At the beginning of this chapter we configured our initial passwords using the System Configuration Dialog. Both in real life and on the exams, however, you will need to know how to configure passwords from the command line. Remember that by default, a router will usually have no passwords associated with it (some models do ship with default factory passwords, usually cisco), so this is something that you'll definitely want to change. There are 5 main passwords associated with a Cisco router. These include:

Enable password. The enable password is used to restrict access to privileged EXEC mode on a Cisco router. Recall that enable passwords are not encrypted, meaning that they can be read in plain text via the configuration files from privileged EXEC mode. The enable password was used by older IOS versions, but has been superseded by the enable secret password, which is encrypted.

Enable secret password. The enable secret password also provides access to privileged EXEC mode on a Cisco router, but is stored in encrypted form using the Message Digest 5 (MD5) algorithm. On any Cisco router beyond IOS version 10.3, the enable secret password should always be used. In fact, you should probably ignore the enable password completely in favor of the enable secret password. Again, when both are configured, only the enable secret password can be used to access privileged mode.

Console password. A console password is used to restrict access to a router’s physical console port. If a password is not associated with the console port, anyone can walk up to the router, plug in a rollover cable and create a session, gaining access to at least user EXEC mode.

Auxiliary password. Much like the console port, a password can also be used to restrict access to the auxiliary port, which may be configured to allow access via an external modem. Whether you’re using it or not, it’s always a good idea to set a password on this port.

Telnet password. As mentioned earlier, a Cisco router allows telnet sessions via what it considers to be virtual terminals. On a Cisco router running Standard Edition IOS software, a maximum of 5 virtual terminals are provided, named vty 0 through 4. On Enterprise Edition IOS versions, the number of possible virtual terminals is much higher, depending upon the version and platform.

Although the enable secret password is the only one encrypted by default, any of the passwords above can be encrypted as required. We’ll explore this after we learn how to assign passwords to interfaces.
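
As an added example (not part of the original guide), the Python script below reads a saved running-config and reports, for each of the five passwords above, whether it is missing, stored in plain text, or stored encrypted. The sample configuration is constructed for illustration, and the script assumes the usual IOS convention that a leading type digit 5 or 7 marks a stored value as encrypted.

```python
import re

# Constructed sample running-config for illustration (not from the original page).
SAMPLE_CONFIG = """\
enable secret 5 $1$constructed$placeholderhash00
enable password cisco
!
line con 0
 password letmein
 login
line aux 0
line vty 0 4
 password 7 00000000000000
 login
end
"""

ORDER = ["missing", "plain text", "encrypted"]  # weakest to strongest

def classify(args):
    """Classify the arguments that follow 'password' or 'secret'."""
    # Assumption: a leading type digit 5 (MD5) or 7 (obscured) means the
    # stored value is not the clear-text password.
    return "encrypted" if re.match(r"[57]\s+\S+", args) else "plain text"

def audit(config):
    """Return the storage status of each of the five router passwords."""
    status = {k: "missing" for k in ("enable password", "enable secret",
                                     "console", "auxiliary", "telnet")}
    line_names = {"con": "console", "aux": "auxiliary", "vty": "telnet"}
    seen, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if raw.startswith(("enable password ", "enable secret ")):
            status[" ".join(words[:2])] = classify(" ".join(words[2:]))
        elif raw.startswith("line "):
            current = line_names.get(words[1])
            if current:
                seen.setdefault(current, []).append("missing")
        elif raw.startswith(" ") and current and words[:1] == ["password"]:
            seen[current][-1] = classify(" ".join(words[1:]))
        elif not raw.startswith(" "):
            current = None  # left the "line ..." block
    for name, results in seen.items():
        # Several "line vty" blocks may exist; report the weakest one.
        status[name] = min(results, key=ORDER.index)
    return status

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

For the constructed sample, the enable password and console password are reported as plain text, the auxiliary password as missing, and the enable secret and telnet passwords as encrypted.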

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.