Configuring passwords and securing devices is very important, and we must configure passwords at different layers to prevent unauthorized access to the device.
Due to the increased number of cyberattacks, networks nowadays are more prone to online attacks than to physical damage to the devices, and hackers continuously try to find loopholes in the network to compromise its security. Every year organizations lose thousands of dollars due to cyberattacks, and sometimes important data is lost permanently. Most of these attacks can be prevented if security is properly implemented at every layer.
There are various types of devices available in the market to stop these attacks, such as advanced firewalls, intrusion prevention systems, antivirus, etc. However, we should not ignore basic security parameters like setting a good password on the device. Organizations spend a large amount of money on expensive hardware to secure their networks, but that can be of no use if security is not implemented at every layer.
In this lab, we will encrypt all the passwords on the device with one command.
When we configure passwords such as the privileged mode password, VTY line password, console line password, etc. on our Cisco devices, these passwords are visible as clear text in the running-config. This is a security vulnerability, since anyone can read them just by looking at the running-config or startup-config. Even when you are checking the Cisco device configuration, someone could be watching over your shoulder. To fix this problem, we can use the 'service password-encryption' command. This command encrypts all passwords and converts them into alphanumeric strings. Hence, we can use this command to store and display the passwords in encrypted form for added security.
The service password-encryption command encrypts the passwords so that no one will be able to figure out or steal a password just by looking at it. However, it does not provide complete protection: someone can easily copy the encrypted password from the running-config or startup-config and find the password that was used by decrypting it, and there are sites available online that decrypt such a password with just one click. So we must use enable secret, which uses an MD5 hash to protect the password; this is very powerful, and the hash is not easy to reverse-engineer.
Password encryption should be enabled by default, but it is not, so we have to encrypt the passwords manually.
- Set encrypted privileged level password to cisco
- Encrypt all passwords
Router(config)#enable secret cisco
Router(config)#service password-encryption
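To check the result of the lab, the following added example (not part of the original lab) audits a saved running-config for the two weaknesses described above: passwords left in clear text and passwords stored only in the reversible form that service password-encryption produces, which IOS marks with type 7. The function name `audit`, the finding labels and the sample configuration are constructed for illustration.

```python
import re

# Constructed running-config excerpt (sample values, not from a real device).
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 $1$CONSTRUCTED$placeholderhash
enable password cisco
username admin password 7 0000CONSTRUCTED
line con 0
 password cisco
line vty 0 4
 password 7 0000CONSTRUCTED
 login
"""

# Matches "enable password|secret", "username X [privilege N] password|secret"
# and the per-line "password" command, with an optional numeric type.
CRED_RE = re.compile(
    r"^\s*(?:enable\s+|username\s+\S+\s+(?:privilege\s+\d+\s+)?)?"
    r"(password|secret)\s+(?:(\d+)\s+)?\S+")

def audit(config):
    """Return (line_number, finding) tuples; line 0 means a global setting."""
    findings = []
    lines = config.splitlines()
    if not any(l.strip() == "service password-encryption" for l in lines):
        findings.append((0, "encryption-off"))
    for number, line in enumerate(lines, 1):
        match = CRED_RE.match(line)
        if not match:
            continue
        keyword, ptype = match.groups()
        if keyword == "secret":
            continue  # stored as a hash, as with "enable secret"
        if ptype == "7":
            findings.append((number, "type-7"))      # reversible encoding
        else:
            findings.append((number, "clear-text"))  # no type, or type 0
    return findings

if __name__ == "__main__":
    for number, finding in audit(SAMPLE_CONFIG):
        print(number, finding)
```

Any "type-7" finding on a line where the platform supports the secret keyword is a candidate for conversion to a hashed secret.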