Encrypt router passwords

Cisco routers don't encrypt passwords in their configuration by default. However, you can easily change this. Here's an example:

router(config)#service password-encryption

--------------------------------------------------------------------------------

The initial "setting of password" can only be done from the Console Port on a new/reset router.

There are 5 separate Passwords you need to protect your Router:

console.......: protects the Console Port
auxiliary.....: protects the AUX Port (for your modem)
TTY...........: protects against unauthorized Telnet Port logons
enable........: guards the use of the Enable Mode Super-user status
enable secret.: an Encrypted Secret form of the Above (better!)

Configure password for the Console port:

router(config)#line console 0
router(config-line)#login
router(config-line)#password cisco
router(config-line)#ctrl-z

Configure password for the Auxiliary port (modem):

router(config)#line aux 0
router(config-line)#login
router(config-line)#password cisco
router(config-line)#ctrl-z

Configure passwords on the Virtual (VTY) Ports:

Configuring the VTY password is very similar to doing the Console and Aux ones. The only difference is that there are 5 VTY virtual ports, which are named 0, 1, 2, 3, and 4. You can use the shortcut 0 4 (a zero, a space, and 4) to set all 5 passwords at the same time:

router(config)#line vty 0 4
router(config-line)#login
router(config-line)#password cisco
router(config-line)#ctrl-z

Configure "password" for the Enable Mode:

router(config)#enable password cisco
router(config)#ctrl-z

Configure "secret" for the Enable Mode (hashed):

router(config)#enable secret ciscox
router(config)#ctrl-z

VTY Ports are rather a special case, since they are not real ports. In other words, you won't find a Port on the back of your Router labelled VTY. They are what could be called "Virtual Ports" that wait patiently for a remote connection, usually using Telnet, to log in. If you don't set these, you won't be able to Telnet in to your router.

Usually with newer equipment you'll be using the "Enable Secret", which is a better password because it is stored in an encrypted form. However, it is best to also set an Enable Password, because if for some reason your router has to boot up into an old version of the Cisco IOS (say for problems that make it go into ROM mode) then the "Enable Secret" won't work, but the old-fashioned "Enable" will.

The Enable Secret cannot be the same as the Enable Password. Also, the Enable Secret takes over from the regular Enable password. This means if you set an Enable Secret Password, your Enable one will NOT work.

--------------------------------------------------------------------------------

Configure a Login Account on the Router

I highly recommend configuring a real username and password account on routers and switches. That way, someone needs both a username and a password to gain access. In addition, I recommend using a secret password for the username, not just a regular password. This protects the password with strong MD5 hashing and enhances security. Here's an example:

router(config)#username root secret letmein
router(config)#username root password letmein
router(config)#username user password letmein

After you've configured the username, you must enable the lines to use that name. Here's an example:

router(config)#line con 0
router(config-line)#login local
router(config)#line aux 0
router(config-line)#login local
router(config)#line vty 0 4
router(config-line)#login local
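
To check a saved running-config against the settings recommended above, here is an added example in Python (not part of the original page and not Cisco tooling). The function name audit, the sample configuration and its hash and type 7 values are constructed for illustration.

```python
import re

# Constructed sample running-config; the hash and type 7 values are made up.
SAMPLE_CONFIG = """\
enable secret 5 $1$CONSTRUCTED$placeholderhashvalue00
enable password cisco
username root secret 5 $1$CONSTRUCTED$placeholderhashvalue00
username user password 0 letmein
line con 0
 password cisco
 login
line aux 0
 login local
line vty 0 4
 password 7 00000000
 login local
"""

def audit(config):
    """Return (line_number, message) findings; line 0 marks a global finding."""
    findings, section = [], None
    lines = config.splitlines()
    stripped = [l.strip() for l in lines]
    if "service password-encryption" not in stripped:
        findings.append((0, "service password-encryption is not enabled"))
    if not any(l.startswith("enable secret ") for l in stripped):
        findings.append((0, "no enable secret configured"))
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens a new section
            section = line if line.startswith("line ") else None
        m = re.match(r"(enable password|username (\S+) password|password) (.+)", line)
        if m:
            where = section if m.group(1) == "password" else m.group(1)
            if m.group(2):
                findings.append((no, f"user {m.group(2)}: use 'secret' instead of 'password'"))
            # "7 <value>" is what service password-encryption writes; it only
            # hides the password from casual viewing, unlike a hashed secret.
            if not re.match(r"7 \S+$", m.group(3)):
                findings.append((no, f"{where}: password stored in clear text"))
        if section and line == "login":
            findings.append((no, f"{section}: 'login' without 'local' skips the username check"))
    return findings

if __name__ == "__main__":
    for no, msg in audit(SAMPLE_CONFIG):
        print(f"{no:>3}  {msg}")
```

Run it against the output of show running-config saved to a file by passing the file's text to audit; an empty list means none of the checked settings were missing.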