What is the best way to configure password in Cisco IOS?

kevinwong11
Level 1

I am running IOS 15.2(4) on a 1921 Router

What is the best way to configure the password for the router?  I have already tried once and managed to lock myself out of another switch.  I would like to use the most secure method which encrypts the password.

 

Current Config:

username admin privilege 15 password 0 cisco123

Accepted Solution

nkarthikeyan
Level 7

Hi Kevin,

 

Use the keyword secret instead of password to have a more secure, encrypted password.

 

The syntax which you use will display the password in clear text.....

R1(config)#username test privilege 15 password 0 test
R1(config)#exi
R1#sh runn
*Mar  1 00:00:25.523: %SYS-5-CONFIG_I: Configured from console by console
R1#sh runn | in test
username test privilege 15 password 0 test
R1#

 

If you use the secret keyword then it will get encrypted.

 

R1#sh runn | in test1
username test1 privilege 15 secret 5 $1$PV6g$sGMYxxmW8hD9Cdy7TsmHF0
R1#

 

 

Regards

Karthik


Thanks for the help Karthik

 

What would be the best way to change my password?

 

Should I create a second username and password first and then delete the first one?

Hi Kevin,

 

You can give the password change with the same username... it will overwrite it...

 

say your present password is like this

username test1 privilege 15 secret 5 $1$PV6g$sGMYxxmW8hD9Cdy7TsmHF0(encrypted one)

 

R1(config)#username test1 privilege 15 secret <new password>

 

It will get automatically overwritten with the updated new password.

 

Regards

Karthik

 

Cisco IOS will not let me use a type 5 password.  This is the error message I receive: 

 

ERROR: The secret you entered is not a valid encrypted secret.

To enter an UNENCRYPTED secret, do not specify type 5 encryption.

When you properly enter an UNENCRYPTED secret, it will be encrypted.

 

I tried generating an MD5 hash and inputting that in and that did not work either.  When I do not specify type 5 it will default to using an encrypted type 4 password.

 

Also, what is the difference between these two enable secret commands?

 

enable secret 5 password

 

username admin privilege 15 secret 5 password 

 

 

Hi Kevin,

 

enable secret <new password>

username admin privilege 15 secret <new password>

 

you need to omit 5 during the password change.... that will come in sh runn after the encryption....

 

Regards

Karthik

Hi Kevin,

 

Also enable this command in your box.

service password-encryption..... so that if you use the password keyword it will still be encrypted..... but it will be encrypted with method 7, which can easily be cracked using many online tools..

 

Regards

Karthik
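
An added example, not part of any post in this thread: a small Python audit that reads a saved configuration and flags `username` and `enable` credential lines stored as type 0 or type 7, the two forms the replies above describe as clear text or easily cracked. The sample configuration is constructed, and its type 7 string is a placeholder rather than a real encoding.

```python
import re

# Type digits as named in this thread: 0 and 7 are recoverable, 4 and 5 are hashes.
TYPES = {
    "0": ("cleartext", True),
    "7": ("type 7, reversible", True),
    "4": ("SHA256 hash", False),
    "5": ("MD5 hash", False),
}

LINE_RE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)\s+(?:.*?\s)?|enable\s+)"
    r"(?P<kw>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)

def audit(config_text):
    """Return one record per credential line; the stored value is never echoed."""
    records = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        ptype = m.group("type")
        if ptype is None and m.group("kw") == "password":
            ptype = "0"  # 'password <text>' with no digit is stored as typed
        label, recoverable = TYPES.get(ptype, ("no type digit / not covered here", False))
        records.append({
            "line": lineno, "subject": m.group("user") or "enable",
            "keyword": m.group("kw"), "type": ptype,
            "label": label, "recoverable": recoverable,
        })
    return records

# Constructed sample config; the type 7 string is a placeholder, not a real encoding.
SAMPLE = """\
hostname R1
enable secret 5 $1$PV6g$sGMYxxmW8hD9Cdy7TsmHF0
username admin privilege 15 password 0 cisco123
username test1 privilege 15 secret 5 $1$PV6g$sGMYxxmW8hD9Cdy7TsmHF0
username ops password 7 0123456789ABCDEF
"""

if __name__ == "__main__":
    for r in audit(SAMPLE):
        flag = "FIX" if r["recoverable"] else "ok "
        print(f'{flag} line {r["line"]}: {r["subject"]} {r["keyword"]} ({r["label"]})')
```

Lines reported as FIX are the ones to re-enter with the `secret` keyword, as the accepted answer recommends.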

When I omit the 5 it encrypts with level 4.  Is there a way to change the default setting to level 5?

Hi Kevin,

 

No need to worry about encryption type 4 or 5.... both are secured....

router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#enable secret ?
  0      Specifies an UNENCRYPTED password will follow
  4      Specifies an SHA256 ENCRYPTED secret will follow
  5      Specifies a MD5 ENCRYPTED secret will follow
  LINE   The UNENCRYPTED (cleartext) 'enable' secret
  level  Set exec level password

I can say encryption type 4 is more secured. Because encryption type 5 (MD5) is getting deprecated.

 

If you still want to do that... then you need to do like this

 

enable secret 5 <MD5 Encrypted Password>

username admin secret 5 <MD5 Encrypted Password>

You need to generate it on a device that supports MD5 (old IOS routers) or through an online tool.

 

But you can leave it with type 4 which is more secured.

 

Regards

Karthik
