Chabot College

CISCO NETWORKING ACADEMY, Chabot College, ELEC 99.08: router passwords


Transcript of Chabot College

Page 1: Chabot College

CISCO NETWORKING ACADEMY

Chabot College

ELEC 99.08
router passwords

Page 2: Chabot College

passwords
• enable
• enable secret
• console
• aux
• vty (telnet sessions)

Page 3: Chabot College

enable password
• controls access to privileged exec mode
• by default is not encrypted
• can be encrypted, but with weak protocol

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Fremont
!
enable password cisco
enable secret 5 $1$IpVp$omFRfC1zaVwq.9UOCL3lB.
!

Enable password

No encryption of enable password

Page 4: Chabot College

enable password - continued
• leftover from older versions of IOS
• only used if the enable secret password has not been set

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Fremont
!
enable password cisco
enable secret 5 $1$IpVp$omFRfC1zaVwq.9UOCL3lB.
!

Page 5: Chabot College

enable secret password
• controls access to privileged exec mode
• is encrypted using the MD5 algorithm
• takes precedence over enable password

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Fremont
!
enable password cisco
enable secret 5 $1$IpVp$omFRfC1zaVwq.9UOCL3lB.
!

MD5 encryption algorithm

Page 6: Chabot College

console password
• controls access through console port
• may be same or different than enable password

ip route 0.0.0.0 0.0.0.0 Serial1
!
line con 0
 login
 password cisco
line aux 0
 login
 password cisco
line vty 0 4
 login
 password cisco
!

Page 7: Chabot College

aux password
• controls access through auxiliary port
• may be same or different than enable or console passwords

ip route 0.0.0.0 0.0.0.0 Serial1
!
line con 0
 login
 password cisco
line aux 0
 login
 password cisco
line vty 0 4
 login
 password cisco
!

Page 8: Chabot College

vty password
• controls telnet access through vty ports
• may be same or different than enable, console, or aux passwords

ip route 0.0.0.0 0.0.0.0 Serial1
!
line con 0
 login
 password cisco
line aux 0
 login
 password cisco
line vty 0 4
 login
 password cisco
!

Page 9: Chabot College

2 Passwords in Sequence

1. Access to Router
   – Console Password
   – Aux Password
   – VTY (telnet) Password
2. Access to Privileged Mode
   – Enable Secret Password

Page 10: Chabot College

Password Strategies
• Strategy 1
  – Use a special password for enable secret.
  – Use the same password for all others.
• Benefits
  – Easy to remember
• But
  – Blanket access to those who know password

Page 11: Chabot College

Password Strategies
• Strategy 2
  – Use a special password for enable secret.
  – Use different passwords for:
    • console
    • aux
    • vty 0 - 4
• Benefits
  – Fine-grained control
• But
  – Hard to remember

Page 12: Chabot College

Password Rules
• Always set the enable secret password.
• Never make the enable secret password the same as others that show in plain text in the config file.
• If you set the enable secret password, there is no need to set the enable password, which is weak because it is not encrypted.

However, setup forces you to set an enable password.
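
The rules above can be checked against a saved configuration. The Python below is an added example, not part of the original slides; the audit function and the constructed SAMPLE config are assumptions, and because the enable secret is stored hashed, the reuse check covers only the plain-text enable password.

```python
import re

# Constructed sample modelled on the lab configs in the slides (not a real device).
SAMPLE = """\
hostname Fremont
!
enable password cisco
!
line con 0
 login
 password cisco
line aux 0
 login
 password cisco
line vty 0 4
 login
 password cisco
!
"""

PW = re.compile(r"password (?:(\d) )?(\S+)$")  # optional type digit, then the value

def audit(config):
    """Check a saved config against the slides' password rules; return findings."""
    has_secret, enable_pw, line_pw, section = False, None, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if raw and not raw[0].isspace():  # top-level command: enter or leave a line block
            m = re.match(r"line (con|aux|vty) ", text)
            section = m.group(1) if m else None
        if text.startswith("enable secret "):
            has_secret = True
        elif text.startswith("enable password ") and (m := PW.search(text)):
            enable_pw = m.groups()
        elif section and (m := PW.match(text)):
            line_pw[section] = m.groups()
    # Type absent or 0 means the value is readable in the config file.
    plain = {s: v for s, (t, v) in line_pw.items() if t in (None, "0")}
    findings = []
    if not has_secret:
        findings.append("enable secret is not set")
    if enable_pw:
        findings.append("enable password is set (not needed once enable secret exists)")
        if enable_pw[0] in (None, "0") and enable_pw[1] in plain.values():
            findings.append("enable password reuses a plain-text line password")
    findings += [f"line {s}: password stored in plain text" for s in sorted(plain)]
    findings += [f"line {s}: type 7 password (weak, reversible encoding)"
                 for s, (t, _) in sorted(line_pw.items()) if t == "7"]
    return findings
```

Calling audit(SAMPLE) reports the missing enable secret, the leftover enable password, its reuse on the lines, and each plain-text line password.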

Page 13: Chabot College

Strong Passwords
• Never use a word in the dictionary.
• Never use anything related to your name.
• Ideally, use a special character or number in addition to letters.
• A good method is to combine two short words with a special character:
  – red$finger
  – proud^dog

(easy to remember, meets rules above)

Page 14: Chabot College

Strong Passwords
• In our lab, we break the rules to set easy to remember passwords:
  – enable secret: chabot
  – all access passwords: cisco

Page 15: Chabot College

What password to telnet in?

• cats#rats

ip route 0.0.0.0 0.0.0.0 Serial1
!
line con 0
 login
 password donut*hound
line aux 0
 login
 password kiss@frog
line vty 0 4
 login
 password cats#rats
!

Page 16: Chabot College

What password to console in?

• donut*hound

ip route 0.0.0.0 0.0.0.0 Serial1
!
line con 0
 login
 password donut*hound
line aux 0
 login
 password kiss@frog
line vty 0 4
 login
 password cats#rats
!

Page 17: Chabot College

What password to connect with modem?

• kiss@frog

ip route 0.0.0.0 0.0.0.0 Serial1
!
line con 0
 login
 password donut*hound
line aux 0
 login
 password kiss@frog
line vty 0 4
 login
 password cats#rats
!

Page 18: Chabot College

What password to enter privileged mode?

• high-hat (encrypted secret password)

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Hayward
!
enable password apple&candy
enable secret 5 $1$IpVp$omFRfC1zaVwq.9UOCL3lB.
!