IOS Local Password Security Features

I've been studying some of the security features built in to IOS. These mostly have to do with physical security and local password security built into IOS.

For instance, a feature that I've used for several years is the "service password-encryption" command. This command takes the plain-text passwords located in AUX, CON, TTY ports, and enable password command and encrypts them with a password hash derived from Cisco. It's not perfect, but will do in a pinch. One thing that you will want to do immediately after executing a "service password-encryption" is executing a "show run". The reason behind this is that the passwords won't change from plain-text to encrypted until that happens.

Router(config)#service ?
password-encryption Encrypt system passwords

If you are unable to protect your Cisco equipment physically, the best option is to disable the password recovery function. Be sure to have some other option to do password recoveries however, as you will not be able to do password recoveries from RMON.

This feature isn't listed as a command when executing a "?" command, but the command exists in IOS 12.3(14)T or newer.

Check out the documentation: no service password-recovery

Router(config)#no service ?
alignment Control alignment correction and logging
compress-config Compress the nvram configuration file
config TFTP load config files
dhcp Enable DHCP server and relay agent
disable-ip-fast-frag Disable IP particle-based fast fragmentation
exec-callback Enable exec callback
exec-wait Delay EXEC startup on noisy lines
finger Allow responses to finger requests
hide-telnet-addresses Hide destination addresses in telnet command
linenumber enable line number banner for each exec
nagle Enable Nagle's congestion control algorithm
old-slip-prompts Allow old scripts to operate with slip/ppp
pad Enable PAD commands
password-encryption Encrypt system passwords
prompt Enable mode specific prompt
pt-vty-logging Log significant VTY-Async events
sequence-numbers Stamp logger messages with a sequence number
slave-log Enable log capability of slave IPs
tcp-keepalives-in Generate keepalives on idle incoming network
tcp-keepalives-out Generate keepalives on idle outgoing network

Router(config)#no service password-recovery
Executing this command will disable password recovery me
Do not execute this command without another plan for
password recovery.

Are you sure you want to continue? [yes/no]:

Other options include encrypting the passwords in MD5 using the "secret" sub command. For instance, "enable secret" and username james secret t0ps3cr37pwd". Unfortunately, the "secret" sub command isn't available on the AUX, TTY, or CON ports.

You can also set up minimum password lengths and password retry limits.

Router(config)#security ?
authentication Authentication security CLIs
passwords Password security CLIs

Router(config)#security auth
Router(config)#security authentication ?
failure Authentication failure logging

Router(config)#security authentication fa
Router(config)#security authentication failure ?
rate Authentication failure threshold rate

Router(config)#security authentication failure ra
Router(config)#security authentication failure rate ?
<2-1024> Authentication failure threshold rate

Router(config)#security authentication failure rate 5 ?
log log a message if the Authentication failures over the last one minute
equalled this number

Router(config)#security authentication failure rate 5 l
Router(config)#security authentication failure rate 5 log ?

Router(config)#security pas
Router(config)#security passwords ?
min-length Minimum length of passwords

Router(config)#security passwords min
Router(config)#security passwords min-length ?
<0-16> Minimum length of all user/enable passwords

Router(config)#security passwords min-length 16 ?

Router(config)#enable ?
last-resort Define enable action if no TACACS servers respond
password Assign the privileged level password
secret Assign the privileged level secret
use-tacacs Use TACACS to check enable passwords

Router(config)#enable sec
Router(config)#enable secret ?
0 Specifies an UNENCRYPTED password will follow
5 Specifies an ENCRYPTED secret will follow
LINE The UNENCRYPTED (cleartext) 'enable' secret
level Set exec level password

Router(config)#enable secret