IOS Local Password Security Features

I’ve been studying some of the security features built into IOS. These mostly have to do with physical security and the local password security built into IOS.

For instance, a feature that I’ve used for several years is the “service password-encryption” command. This command takes the plain-text passwords configured on the AUX, CON, and TTY lines and in the “enable password” command and encrypts them with Cisco’s proprietary scheme (Type 7). It’s not perfect, since that encoding is reversible, but it will do in a pinch. One thing you will want to do immediately after executing “service password-encryption” is to execute a “show run”. The reason is that the passwords won’t change from plain-text to encrypted until that happens.

If you are unable to physically protect your Cisco equipment, the best option is to disable the password recovery function. Be sure to have some other means of password recovery, however, since you will no longer be able to recover passwords from ROMMON.

This feature isn’t listed when you type “?” for command help, but the command exists in IOS 12.3(14)T or newer.

Check out the documentation: no service password-recovery

Other options include storing the passwords as MD5 hashes using the “secret” keyword, for instance “enable secret” and “username james secret t0ps3cr37pwd”. Unfortunately, the “secret” keyword isn’t available for the AUX, TTY, or CON line passwords.
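As an added example (not code from the original post), here is a small Python audit that scans a saved “show run” and flags every local credential stored with the “password” keyword (type 0 clear text or reversible type 7) instead of “secret”; the config excerpt and its hash values are constructed for the demo.

```python
import re

# Constructed "show running-config" excerpt; the type 7 strings and
# $1$ hashes are placeholders, not values taken from a real device.
SAMPLE_RUN = """\
service password-encryption
enable password 7 0822455D0A16
enable secret 5 $1$abcd$PLACEHOLDERHASH
username james secret 5 $1$efgh$PLACEHOLDERHASH
username ops password 7 094F471A1A0A
line con 0
 password 7 121A0C041104
line aux 0
 password plainaux
line vty 0 4
 login local
"""

# Credentials set with the "password" keyword are stored as type 0 (clear
# text) or type 7 (reversible); only the "secret" keyword yields a real hash.
PASSWORD_RE = re.compile(
    r"^(?:enable password|username (\S+) password|password)\s+(?:(\d+)\s+)?(\S+)$"
)

def classify_password_type(code):
    """Map the numeric type prefix (None when absent) to a readable label."""
    labels = {None: "type 0 (clear text)", "0": "type 0 (clear text)",
              "7": "type 7 (reversible)"}
    return labels.get(code, f"type {code}")

def encryption_service_enabled(text):
    """True if 'service password-encryption' is present in the config."""
    return any(l.strip() == "service password-encryption" for l in text.splitlines())

def audit_config(text):
    """Return (line_no, finding) tuples for every weakly stored credential."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = PASSWORD_RE.match(raw.strip())
        if not m:
            continue
        user, code, _value = m.groups()
        label = classify_password_type(code)
        if raw.strip().startswith("enable password"):
            advice = "replace with 'enable secret'"
        elif user is not None:
            advice = f"replace with 'username {user} secret ...'"
        else:  # line password: 'secret' is not available on CON/AUX/TTY
            advice = "line password cannot use 'secret'; prefer 'login local' or AAA"
        findings.append((no, f"{label}: {advice}"))
    return findings

if __name__ == "__main__":
    for no, finding in audit_config(SAMPLE_RUN):
        print(f"line {no}: {finding}")
```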

You can also set a minimum password length and a limit on password retries.

February 17, 2011

Posted In: IOS, IOS Security, Security