System information

88 Chapter 3: Defending the Perimeter
Use a mixture of alphabetic (both uppercase and lowercase), numeric, and special
characters.
The password should not be a common word found in a dictionary.
Create a policy that dictates how and when passwords are to be changed.
When an administrator initially either sets up a router from the factory and chooses to run
the setup script or issues the setup command, the System Configuration dialog appears. The
administrator is prompted to enter basic router configuration parameters, including the
passwords described in Table 3-7.
Even after the System Configuration dialog completes, and the router is functioning in a
production environment, administrators can still change the router passwords. For example,
the enable secret password global configuration mode command can be used to set the
router’s enable secret password. Consider Example 3-1, which shows an enable secret
password being set to Cisc0Pr3$$. Notice how the enable secret password then appears in
the running configuration. The string of characters shown is not an encrypted version of the
password. Rather, the string is the result of an MD5 hash function, which always yields a
128-bit hash value that is also known as a “digest.”
NOTE A space is a valid special character that can be used in a password. However,
any leading space (that is, one or more spaces at the beginning of the password) is
ignored.
Table 3-7 Passwords Configured During the SETUP Script

Password Type: Description

Enable secret password: This password is used to permit access to a router’s privileged mode. The password is stored in the router’s configuration as an MD5 hash value, making it difficult for an attacker to guess and impossible to see with the naked eye.

Enable password: This password is not encrypted (or hashed) by default. Therefore, the enable password is considered weaker than the enable secret password. However, Cisco IOS still supports the enable password for backward compatibility. For example, if the IOS version on a router were rolled back to a version that supported the enable password but not the enable secret password, the enable password would offer some level of security.

vty password: When an administrator connects to a router over a network connection (such as a Telnet or SSH connection), she might be prompted to enter a vty password to have access to the virtual tty line to which she is connecting.
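As an added example (not the book's Example 3-1 and not Cisco's own code), the following Python audits a constructed running-config excerpt for the two storage forms Table 3-7 contrasts: an enable secret stored as a type 5 (MD5-based) hash versus enable and line passwords stored in cleartext, which it then checks against the password guidelines listed above, including the leading-space rule from the NOTE. The COMMON_WORDS list, the sample configuration and the secret's hash value are constructed placeholders.

```python
import re
import string

# Constructed word list for the "not a common dictionary word" rule.
COMMON_WORDS = {"password", "cisco", "router", "admin", "letmein", "secret"}

TYPE5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")  # "$1$<salt>$<22-char hash>"

# Constructed running-config excerpt; the enable secret value is a placeholder, not a real hash.
SAMPLE_CONFIG = (
    "enable secret 5 $1$abcd$" + "a" * 22 + "\n"
    "enable password router1\n"
    "line vty 0 4\n"
    " password  Letme1n!\n"  # two spaces after "password": the configured value has a leading space
    " login\n"
)

def check_password_policy(password):
    """Return the guideline rules the password breaks ([] means it passes)."""
    effective = password.lstrip(" ")  # IOS ignores leading spaces, so check what it actually keeps
    problems = []
    if not any(c.isupper() for c in effective):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in effective):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in effective):
        problems.append("no digit")
    if not any(c in string.punctuation or c == " " for c in effective):
        problems.append("no special character")
    if effective.lower() in COMMON_WORDS:
        problems.append("dictionary word")
    return problems

def audit_config(config_text):
    """Classify each enable/line password as hashed or cleartext; policy-check the cleartext ones."""
    findings = []
    for line in (raw.strip() for raw in config_text.splitlines()):
        m = re.match(r"^enable secret 5 (\S+)$", line)
        if m:
            status = "hashed" if TYPE5_RE.match(m.group(1)) else "malformed hash"
            findings.append(("enable secret", status, []))
        elif re.match(r"^enable password 7 ", line):
            # Type 7 is IOS's reversible encoding (not covered on this page); it is not a hash.
            findings.append(("enable password", "reversible (type 7)", []))
        elif (m := re.match(r"^enable password (.+)$", line)):
            findings.append(("enable password", "cleartext", check_password_policy(m.group(1))))
        elif (m := re.match(r"^password (.+)$", line)):
            findings.append(("line password", "cleartext", check_password_policy(m.group(1))))
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` reports the enable secret as hashed, the cleartext enable password "router1" as failing the uppercase and special-character rules, and the vty line password as passing once its leading space is ignored.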