OL-11615-01
For more information about the service password-encryption command, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_r1g.htm#wp1070450
The enable secret Command
The enable secret global configuration command sets the password that grants privileged (enable mode) administrative access to the Cisco IOS software system. By default, no enable secret password is configured; as a general best practice, one should always be set.
To set an enable secret password, use the enable secret global configuration command, as shown in the following example:
Router(config)# enable secret Hard2Guess
Cisco IOS software also offers the older enable password command, but it is not recommended: its value is stored either in cleartext or, when service password-encryption is enabled, as a type 7 string, which is a reversible obfuscation that anyone holding a copy of the configuration can decode. The enable secret command instead stores a salted MD5 hash of the password (shown as type 5 in the configuration). The hash cannot be reversed to recover the password, although a weak password can still be guessed offline by hashing candidate words and comparing them against it, so the secret itself must be strong. If both commands are configured, the enable secret takes precedence.
In addition, if no enable secret is set and a password is configured on the console TTY line, that console password might be used to obtain privileged access, even from a remote VTY session. This is not a recommended practice, and makes another good reason to configure an enable secret.
For more information about the enable secret command, refer to the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf1d.html#wp1081495
The security passwords min-length Command
Introduced in Cisco IOS software Release 12.3(1), the security passwords min-length global configuration command lets the administrator specify a minimum password length, eliminating the short, common passwords that are prevalent on many networks, such as lab and cisco. For example, to require at least 10 characters (10 is an illustrative value):
Router(config)# security passwords min-length 10
This command affects user passwords, enable passwords and secrets, and line passwords. Once it is enabled, any attempt to configure a password shorter than the specified length is rejected. Passwords that were already configured before the command was entered are not re-checked, so they should be reviewed and replaced if they are too short. The command was also integrated into Cisco IOS software Release 12.2(18)T.
For more information about the security passwords min-length command, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_r1g.htm#wp1081495
The security authentication failure rate Command
Introduced in Cisco IOS software Release 12.3(1), the security authentication failure rate global configuration command provides protection against dictionary attacks, in which automated software attempts to log in using every word in a word list.
The command lets the administrator define a maximum number of consecutive unsuccessful login attempts; once that number is exceeded, the device enforces a 15-second quiet period before it accepts further login attempts, which slows an automated attack from many guesses per second to a handful per minute. When the log keyword is added, the command also generates a syslog message each time the number of unsuccessful login attempts exceeds the configured threshold, giving the operations team an event to alert on.
The best practice is to configure a maximum threshold of 3 consecutive unsuccessful login attempts and to enable the generation of syslog messages, as shown in the following configuration.
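The controls described in this section and the two preceding ones (enable secret, security passwords min-length, security authentication failure rate) can be checked offline against a saved running-config. The following Python script is an added example written for this page; it is not Cisco code and it is not the configuration the guide refers to in the sentence above. It decodes type 7 strings using the publicly known fixed key, flags enable password and any plaintext or type 7 user and line passwords (reporting their recovered cleartext and whether it is shorter than the required minimum), and confirms that the three policy commands are present with the recommended values. The two configurations embedded in it, SAMPLE_CONFIG and HARDENED_CONFIG, are constructed for illustration; the type 5 value in the hardened one is a placeholder with the right shape, not a real hash, and the function and variable names are the author's own.

```python
import re

# Fixed, publicly known key behind Cisco's reversible type 7 obfuscation (the
# scheme used by enable password and service password-encryption).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

def decode_type7(encoded):
    """Reverse a type 7 string: two decimal digits give the starting offset
    into TYPE7_KEY; each following hex byte is XORed with the next key byte."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(data))

# Lines the audit understands; whitespace is stripped first so passwords under
# "line con 0" and "line vty" are matched as well.
ENABLE_SECRET = re.compile(r"^enable secret(?: (\d+))? (\S+)$")
ENABLE_PASSWORD = re.compile(r"^enable password(?: (\d+))? (\S+)$")
OTHER_PASSWORD = re.compile(r"^(?:username \S+ )?password(?: (\d+))? (\S+)$")
MIN_LENGTH = re.compile(r"^security passwords min-length (\d+)$")
FAILURE_RATE = re.compile(r"^security authentication failure rate (\d+)( log)?$")
HASHED_SECRET_TYPES = {"5", "8", "9"}  # salted MD5, PBKDF2-SHA256, scrypt

def recover(kind, value):
    """Cleartext of a type 0 (or untyped) or type 7 password; None if hashed."""
    if kind == "7":
        return decode_type7(value)
    if kind in (None, "0"):
        return value
    return None

def password_findings(label, shown, required_min_length):
    """Findings for a password whose cleartext could be recovered."""
    if shown is None:
        return []
    out = [f"{label} recovers to {shown!r}"]
    if len(shown) < required_min_length:
        out.append(f"{label} {shown!r} is shorter than {required_min_length} characters")
    return out

def audit_config(config, required_min_length=10, max_failures=3):
    """Return a list of findings for an IOS running-config given as text."""
    findings = []
    enable_secret_set = False
    min_length = None
    failure_rate = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ENABLE_SECRET.match(line):
            enable_secret_set = True
            if m.group(1) not in HASHED_SECRET_TYPES:
                findings.append("enable secret is not stored as a hash")
        elif m := ENABLE_PASSWORD.match(line):
            findings.append("enable password present; replace with enable secret")
            shown = recover(m.group(1), m.group(2))
            findings.extend(password_findings("enable password", shown, required_min_length))
        elif m := OTHER_PASSWORD.match(line):
            shown = recover(m.group(1), m.group(2))
            findings.extend(password_findings("password", shown, required_min_length))
        elif m := MIN_LENGTH.match(line):
            min_length = int(m.group(1))
        elif m := FAILURE_RATE.match(line):
            failure_rate = (int(m.group(1)), bool(m.group(2)))
    # Policy checks for the three commands discussed on this page.
    if not enable_secret_set:
        findings.append("no enable secret configured")
    if min_length is None or min_length < required_min_length:
        findings.append(f"security passwords min-length absent or below {required_min_length}")
    if failure_rate is None:
        findings.append("security authentication failure rate not configured")
    else:
        threshold, logs = failure_rate
        if threshold > max_failures:
            findings.append(f"failure rate threshold {threshold} exceeds {max_failures}")
        if not logs:
            findings.append("failure rate configured without the log keyword")
    return findings

# Constructed sample configurations, not taken from any real device. The enable
# password below is the well-known type 7 encoding of "cisco".
SAMPLE_CONFIG = """\
enable password 7 0822455D0A16
username admin password lab
line con 0
 password cisco
line vty 0 4
 password 7 0822455D0A16
"""

# The type 5 value is a placeholder of the right shape, not a real hash.
HARDENED_CONFIG = """\
service password-encryption
security passwords min-length 10
security authentication failure rate 3 log
enable secret 5 $1$abcd$placeholderhashvalue00
line vty 0 4
 login local
"""
```

Running audit_config(SAMPLE_CONFIG) reports the enable password and both line passwords as recoverable (all decode to cisco or lab, well under the 10-character minimum) and the absence of all three policy commands, while audit_config(HARDENED_CONFIG) returns no findings. The script only reads configuration text, so it can be run against configuration backups without touching the devices; pair it with a periodic pull of running-configs to catch the weak settings before an attacker who obtains a backup does.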