Handle basic password management on your Cisco router

Managing passwords on your Cisco router isn't difficult once you learn a few configuration fundamentals. Learn how to set a more secure password and recover passwords that have been lost or forgotten.

The Cisco Certified Network Associate (CCNA) is a coveted certification, and for good reason: It takes a considerable amount of knowledge to earn it. But you don't have to be an expert to complete basic router administration. In fact, once you become familiar with the two modes of operation and learn how to use their built-in help system, you're ready to perform useful tasks, such as setting and managing passwords and updating the router’s software.

Changing password defaults to boost security
By default, your Cisco router is set to use an Enable password. This password is unencrypted, however, so you should avoid using it. To tighten your router security, you can set an Enable Secret password, which is encrypted. When set, the Enable Secret password takes precedence over the Enable password. The router will use the latter only if the former hasn't been set.

To set an Enable Secret password, you'll need to switch to Privileged Exec mode. You can then go into Terminal Configuration mode (or Global Configuration mode) to change the router configuration—in this case, to set or change the password. To enter Global Configuration mode, use this command:
Router#config t

Note that the "t" is short for "terminal." When you press [Enter], you'll see this prompt:
Router(config)#
Now you're ready to enter your Enable Secret password. (Remember that Cisco router passwords are case-sensitive.) Let's say you want to use the password BigSecret. Here's how to set it:
Router(config)#enable secret BigSecret

You should always end your configuration session by pressing [Ctrl]Z, so hit that key combination after entering the command. To test your new password, type disable at the router prompt to return to the User Exec prompt (>). Now go back into Privileged Exec mode by typing enable. This time, you'll be prompted for a password—the Enable Secret password you just set up.

Setting other key passwords
Another important password is the Virtual Terminal (vty) password. Unless this password is set, you can't telnet into the router. To set the password, go into Global Configuration mode again. Here are the commands to create the password alsosecret:
Router(config)#line vty 0 4
Router(config-line)#password alsosecret
Router(config-line)#^Z

The 0 and 4 in the first command line indicate that the password will apply to all five available vty lines, from 0 to 4. The ^Z in the last command line is what appears if you press [Ctrl]Z. To gain access to the router via its console port, you'll have to set up a console password as follows (again in Global Configuration mode):
Router(config)#line con 0
Router(config-line)#password anothersecret

Use a 0 in the first command line and end your configuration session with [Ctrl]Z. To save all these configuration changes so that they're still in effect the next time the router is restarted, you should copy the router's running configuration to its startup configuration. To do so, you must be in Privileged Exec mode. Using the abbreviated form of the keywords running-config and startup-config, issue the following command:
RouterName#copy run start

Press [Enter], and it's done.

Working around forgotten passwords
What if you forget the encrypted Enable Secret password? Or maybe you don't have access to it to start with because the admin who configured the router has left that company or can't remember the password—that does happen.

The trick is to bypass the router's startup configuration, located in nonvolatile RAM (NVRAM), at boot time. To do that, you must connect to the router via its console port and get into what is known as ROM monitor mode (ROMMON mode). This is the key to the lost password kingdom.

The recovery procedure differs depending on router model. For details of the different procedures, check out Cisco's site. Be sure to find the correct procedure for your router model before attempting the recovery. To give you a general idea of how the process works, we'll look at how to recover the Enable Secret password for the 2500 and 4000 series routers.

First, turn off the router and connect a computer to the router's console port using the RJ-45-to-RJ-45 rollover cable and an RJ-45-to-DB-9 or RJ-45-to-DB-25 adapter, which is normally supplied with the router. Next, fire up terminal emulation software (such as HyperTerminal, which is usually shipped with Windows) and configure the settings like this:
  • 9600 baud
  • 8N1
  • No flow control
  • No parity

Turn on the router, and within 60 seconds, press the emulation software's [Break] key—in the case of HyperTerminal, it's [Ctrl][F6][Break].

If the Break command was successful, you should see the prompt:
rommon>

or just:
>

depending on your router model. You're now in ROMMON mode. If you're at the rommon> prompt, type the command:
confreg

If you're at the > prompt, type the command:
o/r 0x2142

After issuing the command confreg, you'll see the router's current settings and you'll be asked:
Do you wish to change the configuration? y/n [n]:

Press y to select yes. Choose the default answers to the other questions (press [Enter] or n, for no) until you're asked:
Ignore system config info? y/n [n]:

Press y. This is the crucial question, as you're actually being prompted about changing a configuration register bit—a key to what we're trying to achieve. Answering yes will set the bit to 1, which is what we want to do.

Accept the defaults for the rest of the prompts until you're asked whether you want to change the configuration. This time, press n. You'll now be told that you have to reset or power-cycle for the new configuration to take effect. Issue the command reload or power off and back on again.

If you issued the command o/r 0x2142 instead of confreg, you'll go through a similar procedure and have to reboot. Do this with the command:

At this point, you have access to the router without being prompted for the Enable Secret password. After restarting, the router will prompt you about entering Setup mode. Press n. Now you're ready to go into Privileged Exec mode by typing enable (or just en) at the prompt. Notice that you aren't prompted for the Enable Secret password.

You can copy the startup configuration into the running configuration if you still want to use the configuration that's in NVRAM. We'll run through the process so we can see that lost Enable Secret password. To load the configuration, use the command:
RouterName#copy start run

and type:
RouterName#show run

All will be revealed (including some other information about your running configuration). Now you can change your Enable Secret password, as described above. Then, restore the configuration register to its original value using the following commands:
RouterName(config)#config-register 0x2102
RouterName(config)#end

Save changes to the configuration with the command:
RouterName# copy run start

Finally, restart the router and your work is done.
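As an added example (not from this article and not Cisco tooling), here is a short Python audit that reads a saved configuration dump and checks the points covered above: an Enable password with no Enable Secret, console or vty lines with no password, and a configuration register left at 0x2142 after a recovery. SAMPLE_CONFIG and the finding text are constructed for the demonstration; the enable secret line holds a hash rather than the password, so the audit only checks that it exists.

```python
"""Audit a Cisco IOS config dump for the password and register issues this
article covers. Added example, not Cisco tooling; SAMPLE_CONFIG is constructed."""
import re

IGNORE_NVRAM_BIT = 0x0040    # register bit 6: boot while ignoring NVRAM config
BREAK_DISABLED_BIT = 0x0100  # register bit 8: Break key ignored after boot

def decode_config_register(value: int) -> dict:
    """Split a value such as 0x2102 or 0x2142 into the fields relevant to recovery."""
    return {
        "boot_field": value & 0xF,  # bits 0-3: where the router boots from
        "ignores_startup_config": bool(value & IGNORE_NVRAM_BIT),
        "break_disabled": bool(value & BREAK_DISABLED_BIT),
    }

def audit_config(config_text: str) -> list:
    """Return findings for a 'show run' or 'show start' dump."""
    findings = []
    lines = [l.rstrip() for l in config_text.splitlines()]
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("no enable secret configured")
    if any(l.startswith("enable password") for l in lines):
        findings.append("enable password present (stored unencrypted)")
    # Walk each 'line ...' section (con 0, vty 0 4, ...) and look for a password.
    section, has_password = None, {}
    for l in lines:
        if l.startswith("line "):
            section = l[5:]
            has_password[section] = False
        elif section and l.startswith(" password "):
            has_password[section] = True
        elif not l.startswith(" "):
            section = None  # '!' or another top-level command ends the section
    findings += [f"line {n} has no password" for n, ok in has_password.items() if not ok]
    # A register that still ignores NVRAM means the recovery bypass was never undone.
    for l in lines:
        m = re.match(r"config-register (0x[0-9A-Fa-f]+)", l)
        if m and decode_config_register(int(m.group(1), 16))["ignores_startup_config"]:
            findings.append(f"config-register {m.group(1)} still ignores the startup config")
    return findings

SAMPLE_CONFIG = """\
enable password BigSecret
line con 0
line vty 0 4
 password alsosecret
 login
config-register 0x2142
"""
```

Whether a config-register line appears in the dump depends on the platform; if it does not, take the value from show version and pass it to decode_config_register directly.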

More to come
In our final article in this series, we’ll look at how to back up and update the router software, and we'll explore some useful commands.
