Securing Cisco Router Installations and Administrative Access

Password-Creation Rules
Cisco router passwords are subject to the following restrictions:
■ 1 to 25 characters in length
■ Can include any alphanumeric characters, symbols, and spaces
■ Cannot have a number as the first character
■ Leading spaces are ignored, but subsequent spaces (including trailing
spaces) are not
Types of Router Passwords
Many different types of passwords are used for Cisco IOS routers. The most
common ones are described here:

■ Enable secret—The enable secret controls access to privileged EXEC
mode on the router. The password is stored as a nonreversible one-way
Message Digest 5 (MD5) hash. If the enable secret is present in the
configuration, it overrides the enable password. To configure the
enable secret, use the command "enable secret password", replacing
password with the chosen value.
■ Enable password—The enable password controls access to privileged
EXEC mode on the router if the enable secret command is not
present. The enable password is stored in clear text in the configuration,
unless the service password-encryption command is present. To
configure the enable password, use the command "enable password
password", replacing the final password with the chosen value.
■ Line passwords—Access to a router’s tty lines can be controlled
either with AAA or with individual passwords applied to the lines.
AAA configuration is discussed later. To configure an individual
password on a tty line, use the command "password password" in line
configuration mode, replacing the final password with the chosen
value. Line passwords are stored in clear text in the
configuration, unless the service password-encryption command is
present. The tty lines include the console port, vty lines for Telnet/SSH
access, the AUX port, and regular tty lines. The login command
must also be present in the line configuration for password prompts to
be displayed.
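
The rules above can be checked mechanically against a saved configuration. The following is an added example, not part of the original text: the function names and the sample configuration are constructed for illustration, and it assumes line passwords rather than AAA. It also assumes that a leading 7 after the password keyword marks a password already encoded by service password-encryption.

```python
def effective_password(pw):
    """Apply the password-creation rules above; return the password as stored."""
    pw = pw.lstrip(" ")  # leading spaces ignored, trailing spaces kept
    if not 1 <= len(pw) <= 25:
        raise ValueError("length must be 1 to 25 characters")
    if pw[0].isdigit():
        raise ValueError("first character cannot be a number")
    return pw

def audit_config(text):
    """Return (context, finding) pairs for an IOS configuration given as text."""
    findings, blocks, current = [], {}, None
    lines = text.splitlines()
    has_secret = any(l.startswith("enable secret ") for l in lines)
    if not any(l.strip() == "service password-encryption" for l in lines):
        findings.append(("global", "service password-encryption not present"))
    for l in lines:
        if l.startswith("line "):            # start of a con/aux/vty/tty block
            current = l.strip()
            blocks[current] = []
        elif l.startswith(" ") and current:  # indented sub-command of that block
            blocks[current].append(l.strip())
        else:
            current = None
            if l.startswith("enable password "):
                if has_secret:
                    findings.append(("global", "enable password overridden by enable secret"))
                if not l.startswith("enable password 7 "):
                    findings.append(("global", "enable password in clear text"))
    for name, cmds in blocks.items():
        pws = [c for c in cmds if c.startswith("password ")]
        if pws and not any(c.split()[:1] == ["login"] for c in cmds):
            findings.append((name, "password set but login missing"))
        if any(not c.startswith("password 7 ") for c in pws):
            findings.append((name, "line password in clear text"))
    return findings

# Constructed sample configuration (not from the page).
SAMPLE = """\
enable secret 5 $1$EXAMPLE$placeholderhashvalue000
enable password Example-Pass
line con 0
 password Example-Con
 login
line vty 0 4
 password Example-Vty
"""
if __name__ == "__main__":
    print(*audit_config(SAMPLE), sep="\n")
```
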