There are 5 types of passwords :

enable secret,  enable,  aux,  console,  vty (telnet)


to set an enable password:                    enable password password

to set an enable secret password:          enable secret password


Encrypting all 4 passwords:  enable, con, aux, and vty


The “enable secret” password is encrypted by default – but the “enable” password is not

The three line passwords are also not encrypted by default


These two commands encrypts all four passwords at once.  Oddly, you have to issue the command and then turn the command off.  Go to config mode and type:


service password-encryption

no service password-encryption



Enable Secret (Priveledged EXEC Mode Password)


Encrypted password (if you tyoe “sh run” the password is shown as a bunch of encrypted text) that is set in the config mode, and takes precedence over the enable password (if one is set).


To enable a password for Priviledged Mode:

1) get into config mode

2) type: enable secret password           - substitute in your own password

                                                            - for example, “enable secret midnight1”


At this point, once you log out, to re-enter priveledged mode, you will be prompted to enter the password.


 to disable the Priveledged EXEC mode password:

1)      get into config mode

2)      type:           no enable secret            (you do not need to enter the password to disable it)




Unencrypted password (if you tyoe “sh run” the password is shown in the clear).  The enable password is used when there is no enable secret password.  It is only used with older IOS (pre 10.3), and can only be encrypted by issuing an additional “service password-encryption” command.  This password can be set up in setup or config mode as follows:


enable password password



Auxiliary, Console,  and vty (Telnet) Passwords


Aux (dial-up into the router via modem) is rarely used, while console is to grant access to a laptop with serial cable connected to the router’s console port, and vty is to grant access to a remote user trying to telnet into the router.  Three commands are needed to se up a password:  line, login, and password.  Two commands are needed to remove a password:  line and no login. You do not need to re-enter the password when disabling it.


To see the options with the line command, as well as numerical options, go to config mode and type :    line ?

You will see the following response :


<0-6>              First Line Number

aux                   Auxiliary Line

console Primary Terminal Line

vty                    virtual terminal


The <0-6> first line numbers correspond to seven “virtual lines”, which are actually are needed as part of the other line commands (you need to tell the router which number you are assigning to a line).  These lines are input lines that the user can access, and as such, can be protected with passwords.


NOTE:  by default, console does not require a password, but both aux and vty do require a password to be set before access can be granted.


vty password (Telnet only)

This sets up a “user mode” password which will be necessary for anyone trying to telnet into the router (actually, you must set up a user mode password, in order to enable the Telnet feature).  Telnet is the ability to login and configure the router from a remote dial-up Telnet connection.  You need to protect this feature by setting a vty password, while in config mode.  There are three steps :

1)      assign virtual lines to the telnet feature using the line command.  Within the command, you need to type in the range (enter the first and last line number) of lines that will be captured and assigned the same password.  Only five of the seven lines can be used, for Telnet.  By assigning al five of them, when someone telnet’s into the router, all 5 lines will be available.  For example:             “line vty 0 4”

2)      set the authentication ON which means the user will be presented with a prompt (enable the login by typing “login”) – you can disable the authentication by typing “no login”

3)      set the password by typing “password password”  (for example, “password onion”).  You want to use the same password for all lines, because when someone Telnet’s in they have no control over which line is offered to them.



config t

line vty 0 4                    (set up all 5 vty lines, 0 through 4, for a Telnet password)

login                             (tell the router to display a prompt)

password onion            (assigns the password)


Now if anyone tries to telnet in, they will be asked to enter the password, “onion”. 

NOTE:  the reason you always want to configure all 5 telnet lines at once with the same password, is because when someone telnet’s in – they never know which line they will be coming in on.


To remove:

            line vty 0 4

            no login


IP address to Telnet into  -  note that the router itself does not have an IP address – it is the Interfaces that do.  Use the first interface that is connected to that router.  For example, if you want to Telnet into a router with 3 interfaces, use the one that you can reach the most directly (the interface closest to you).


Auxiliary Password  (must be in config mode to set – must use line 0)


line aux 0


password onion


Console Password  (must be in config mode to set – must use line 0)


Router (Config) # line con 0

Router (Config-line) # login

Router (Config-line) # password onion


NOTE:  notice how the prompt changes to an extended mode – this is one of the few extended modes that are not the “int” mode


To remove a password :


line aux 0

no login


or for the Console Password


line con 0

no login