Device Security
Passwords
To protect network devices, it is important to use strong passwords. Here are standard guidelines to follow:
• Use a password length of at least eight characters, preferably 10 or more characters.
• Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.
• Avoid passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, biographical information such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information.
• Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
• Change passwords often. If a password is unknowingly compromised, the window of opportunity for the threat actor to use the password is limited.
• Do not write passwords down and leave them in obvious places such as on the desk or monitor.
On Cisco routers, leading spaces are ignored for passwords, but spaces after the first character are not. Therefore, one method to create a strong password is to use the space bar and create a phrase made of many words. This is called a passphrase. A passphrase is often easier to remember than a simple password. It is also longer and harder to guess.
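As an added example that is not part of the Cisco material, the following Python checker applies the guidelines above to a candidate password. It first drops leading spaces, because the slide notes that a Cisco router ignores them, so a passphrase padded with leading spaces is not as long as it looks. The word list, the keyboard rows and the `personal` tuple are constructed stand-ins for a real dictionary and for the user's own details.

```python
import re
import string

# Constructed stand-in for a real dictionary; a deployment would load
# a full wordlist instead (assumption, not part of the slides).
COMMON_WORDS = ("admin", "cisco", "letmein", "password", "security", "welcome")

# Keyboard rows, used to catch runs such as "qwer" or "asdf".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def normalize_ios(candidate):
    """Cisco IOS ignores leading spaces in a password but keeps spaces
    after the first character, so measure what the device will store."""
    return candidate.lstrip(" ")


def has_sequence(text, run=4):
    """True if `text` holds `run` consecutive ascending or descending
    characters (abcd, 4321) or a keyboard-row run (qwer, rewq)."""
    low = text.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def has_repetition(text, run=3):
    """True if any character repeats `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), text) is not None


def check_password(candidate, personal=()):
    """Apply the slide's guidelines and return a list of findings
    (an empty list means the candidate passes). `personal` holds
    strings such as the username, family or pet names, or a birth year."""
    pw = normalize_ios(candidate)
    low = pw.lower()
    findings = []
    if len(pw) < 8:
        findings.append("too short: fewer than 8 characters")
    elif len(pw) < 10:
        findings.append("short: 10 or more characters preferred")
    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation or c == " " for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))
    if has_repetition(pw):
        findings.append("contains repeated characters")
    if has_sequence(pw):
        findings.append("contains a letter, number or keyboard sequence")
    for word in COMMON_WORDS:
        if word in low:
            findings.append(f"contains dictionary word '{word}'")
    for item in personal:
        if item and item.lower() in low:
            findings.append(f"contains personal information '{item}'")
    return findings


if __name__ == "__main__":
    for sample in ("   Smyth 5ecur1ty!", "password", "aaaa1234"):
        print(repr(sample), check_password(sample, personal=("smith",)))
```

The misspelled example from the slide passes every check, while the plain dictionary word and the repetitive/sequential string are each flagged more than once; the dictionary check is a plain substring match, so the slide's misspelling advice ("5ecur1ty" rather than "security") is exactly what defeats it.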
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Device Security
Additional Password Security
There are several steps that can be taken to help ensure that passwords remain secret on a Cisco router and switch, including these:
• Encrypt all plaintext passwords with the service password-encryption command.
• Set a minimum acceptable password length with the security passwords min-length command.
• Deter brute-force password guessing attacks with the login block-for # attempts # within # command.
• Disable inactive privileged EXEC mode access after a specified amount of time with the exec-timeout command.
SSH
• Stands for Secure Shell.
• A secure, client/server protocol for encrypting and transmitting data over a network.
• Authentication (recognition) of users by password, host, or public key.
• Almost complete transparency to the end user.
• A better alternative to Telnet.
• Implementations for most operating systems.
Device Security
Enable SSH
It is possible to configure a Cisco device to support SSH using the following steps:
1. Configure a unique device hostname. A device must have a unique hostname other than the default.
2. Configure the IP domain name. Configure the IP domain name of the network by using the global configuration mode command ip domain-name.
3. Generate a key to encrypt SSH traffic. SSH encrypts traffic between source and destination. However, to do so, a unique authentication key must be generated by using the global configuration command crypto key generate rsa general-keys modulus bits. The modulus bits value determines the size of the key and can be configured from 360 bits to 2048 bits. The larger the bit value, the more secure the key. However, larger bit values also take longer to encrypt and decrypt information. The minimum recommended modulus length is 1024 bits.
4. Verify or create a local database entry. Create a local database username entry using the username global configuration command.
5. Authenticate against the local database. Use the login local line configuration command to authenticate the vty line against the local database.
6. Enable vty inbound SSH sessions. By default, no input session is allowed on vty lines. You can specify multiple input protocols including Telnet and SSH using the transport input [ssh | telnet] command.
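As an added example that is not part of the Cisco material, the Python script below audits a saved IOS configuration for the items on both the "Additional Password Security" slide and the "Enable SSH" steps above: a non-default hostname, ip domain-name, service password-encryption, security passwords min-length, login block-for, any password still stored in the clear, and exec-timeout, login local and transport input on the vty lines. The two configurations embedded in it are constructed samples, the type-7 string is a placeholder, and the section parser and finding texts are this example's own. The RSA modulus from step 3 is not visible in a running-config, so that check is not covered here.

```python
import re

# Hostnames an unconfigured IOS device ships with.
DEFAULT_HOSTNAMES = {"router", "switch"}

# Constructed sample configurations; not captured from any real device.
WEAK_CONFIG = """\
hostname Router
enable password cisco
username admin password letmein
line vty 0 4
 password cisco
 login
 transport input telnet
!
"""

HARDENED_CONFIG = """\
hostname R1-Edge
ip domain-name example.com
service password-encryption
security passwords min-length 10
login block-for 120 attempts 3 within 60
username netadmin password 7 PLACEHOLDER-TYPE7-STRING
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
!
"""


def _sections(config):
    """Split IOS text into (top-level line, [indented sub-lines]) blocks."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
            continue
        if header is not None:
            blocks.append((header, body))
        header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit_ios_config(config, min_length=8):
    """Return a list of findings; an empty list means every hardening
    item from the slides that is visible in a running-config is present."""
    findings = []
    blocks = _sections(config)
    top = [h for h, _ in blocks]

    names = [h.split(None, 1)[1] for h in top if h.startswith("hostname ")]
    if not names or names[0].lower() in DEFAULT_HOSTNAMES:
        findings.append("hostname is missing or still the default")
    if not any(h.startswith("ip domain-name ") for h in top):
        findings.append("ip domain-name not configured (RSA key generation needs it)")
    if "service password-encryption" not in top:
        findings.append("service password-encryption not enabled")

    min_len = None
    for h in top:
        m = re.match(r"security passwords min-length (\d+)$", h)
        if m:
            min_len = int(m.group(1))
    if min_len is None:
        findings.append("security passwords min-length not set")
    elif min_len < min_length:
        findings.append(f"security passwords min-length {min_len} is below {min_length}")

    if not any(h.startswith("login block-for ") for h in top):
        findings.append("login block-for not configured (no lockout on failed logins)")

    # Any 'password <text>' that is not a type-7 string is stored in the clear.
    for header, body in blocks:
        for line in [header] + body:
            if re.search(r"\bpassword (?!7 )\S+", line):
                ctx = line.split("password")[0].strip() or "line password"
                findings.append(f"unencrypted password: {ctx}")

    vty_blocks = [body for h, body in blocks if h.startswith("line vty")]
    if not vty_blocks:
        findings.append("no line vty configuration found")
    for body in vty_blocks:
        timeout = next((l for l in body if l.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append("vty: exec-timeout not set")
        elif timeout.split()[1:] in (["0"], ["0", "0"]):
            findings.append("vty: exec-timeout 0 disables the idle timeout")
        if "login local" not in body:
            findings.append("vty: 'login local' not set (local database not used)")
        transport = next((l for l in body if l.startswith("transport input")), None)
        allowed = transport.split()[2:] if transport else []
        if "ssh" not in allowed and "all" not in allowed:
            findings.append("vty: SSH not permitted as an inbound transport")
        if "telnet" in allowed or "all" in allowed:
            findings.append("vty: Telnet still permitted as an inbound transport")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_ios_config(cfg) or "no findings")
```

Run against the weak sample the audit reports twelve findings, including the three passwords stored in the clear and Telnet left open on the vty lines; the hardened sample, which carries each command from the two slides, produces none. The finding text deliberately names only the command context (for example "username admin"), never the password itself, so the report can be shared without leaking secrets.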