Someone posted this question on the board. I am reposting it here so we can get some thoughts from very experienced guys like you. Here we go:
"I have a question for you guys. I have been giving some thought about the configuration register and password recovery. It sure sounds to me that it is an easy thing to do to change your secret password if you forget it. Which means ultimately, is there any real security? Maybe I'm misunderstanding, but it seems to me that if I had a malicious user within the company I work for, and they actually have PHYSICAL access to the server room (where the router would be), AND IF THEY KNEW HOW TO DO THIS, that this could be a real problem. Am I misunderstanding this? Because the way I understand it is that you can cause a break during a reboot of the router, change the configuration register to bypass startup-config (NVRAM), and then reset the secret password. Again, change the configuration register and reload. Now if someone knew this that was malicious, I (or you for that matter) could be up the creek in poo poo. Anyone have any comments OR please do correct me if my thinking is off base. Thanks in advance."
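An added example, not part of the original post: a small audit that reads collected `show version` output and flags a configuration register whose ignore-NVRAM bit (bit 6, 0x0040) is set now or pending, which is the state the recovery procedure in the question passes through. The hostnames and captures are constructed, and a register that was already restored and reloaded will look normal, so this only catches a router left mid-procedure.

```python
import re

IGNORE_NVRAM = 0x0040  # bit 6: startup-config in NVRAM is skipped at boot

# Final line of IOS "show version", with the optional pending value.
REG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def audit_show_version(hostname, text):
    """Return a list of (hostname, finding_code, detail) tuples."""
    m = REG_LINE.search(text)
    if not m:
        return [(hostname, "NO_REGISTER_LINE", "cannot verify register")]
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    findings = []
    if current & IGNORE_NVRAM:
        findings.append((hostname, "IGNORE_NVRAM_ACTIVE", f"{current:#06x}"))
    if pending is not None:
        if pending & IGNORE_NVRAM:
            findings.append((hostname, "IGNORE_NVRAM_PENDING", f"{pending:#06x}"))
        if pending != current:
            findings.append((hostname, "REGISTER_CHANGE_PENDING",
                             f"{current:#06x} -> {pending:#06x}"))
    return findings

def audit_fleet(captures):
    """captures: dict of hostname -> show version text."""
    results = []
    for host in sorted(captures):
        results.extend(audit_show_version(host, captures[host]))
    return results

# Constructed sample captures (hypothetical hostnames, trimmed output).
SAMPLES = {
    "rtr-a": "Cisco IOS Software ...\nConfiguration register is 0x2102\n",
    "rtr-b": "Cisco IOS Software ...\n"
             "Configuration register is 0x2142 (will be 0x2102 at next reload)\n",
    "rtr-c": "Cisco IOS Software ...\n"
             "Configuration register is 0x2102 (will be 0x2142 at next reload)\n",
    "rtr-d": "Cisco IOS Software ...\n",  # truncated capture
}

if __name__ == "__main__":
    for host, code, detail in audit_fleet(SAMPLES):
        print(f"{host}: {code} ({detail})")
```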