When we think about device access, right, it's really important to think about how you create the passwords and also about using logout timers. Now, logout timers are important because sometimes you are on the console and you're configuring something, and then a friend of yours asks you to take a look at something, or maybe, hey, you want to grab a cup of coffee, and you might forget to log out of the session. So with the logout timer, it does that automatically for you. Probably, I don't know, three to five minutes is good. You know what makes sense when you're troubleshooting, but never more than five minutes; that would be my personal recommendation.

So you never want to leave passwords in clear text in configuration files. Configuration files get sent around, sometimes to a vendor, and you want to make sure that your passwords and credentials are not going to somebody who is unauthorized, right? They shouldn't have visibility into that. So you want to make sure that you use features and functionalities in your routers that will encrypt your important passwords. In a Cisco router this is a feature or functionality called service password-encryption. That's the command that you use. Now, you want to make sure that you understand what kind of encryption is used, because you want to make sure that it's not very easily reverse engineered, and Cisco has two ways of doing this. One is called the password command, so I can say "username merike password" and let's say I used "letmein". All right, then when I use the service password-encryption command that password, letmein, gets encrypted. However, the problem is that this is a Cisco proprietary encryption mechanism; it's only a bit shift, it's very easily reverse engineered. You should not use this. Much better is using the secret command, because that is using cryptographic protection.
So if I say "username merike secret letmein" and I use the command service password-encryption, in the configuration file the string letmein will be garbled; it'll be an MD5 hash, and it cannot be decrypted. So the important part here is, when you're using functionality that will encrypt your passwords in a configuration file, do understand how it is encrypted and make sure that it's not easily reverse engineered.

You also want to authenticate individual users. This is important for operational reasons. If you have group passwords, and let's say you have five or ten people that have access to a device, if one person leaves then you have to change the credential for everybody, right, because it's a group password. Another issue is that if somebody has done something nefarious to the device, maybe they were angry at their boss, or, you know, maybe they were asked to leave but they still had access to the device, you don't necessarily have accountability of who did something or who did that damage. So having individual credentials is a much better practice.
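As an added worked example (it is not part of the talk and not a Cisco tool), the Python below shows concretely why a type 7 string, which is what service password-encryption produces for a "password" line, offers no protection once a configuration file leaves the device: the decoder recovers the plaintext using the fixed key that every IOS image shares, and an audit routine walks a configuration, reversing "password 7" values, flagging untyped values as cleartext, and reporting "secret 5" (MD5-crypt), type 8 and type 9 values as one-way hashes that it does not try to reverse. The sample configuration, including the five-minute exec-timeout on the vty lines, is constructed for this demo; the "secret 5" value in it is a format placeholder, not a real hash.

```python
import re
from typing import Optional

# Fixed XOR key that every IOS image uses for type 7 obfuscation; it has
# been public since the 1990s, which is why type 7 is not real encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext behind a 'password 7 <string>' value.

    Layout: two decimal digits give the starting offset into TYPE7_KEY; each
    following pair of hex digits is one plaintext byte XORed with the next
    key byte. Knowing the key makes this a lookup, not cryptanalysis.
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a well-formed type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 0) -> str:
    """Produce the type 7 form IOS would store; the scheme is symmetric."""
    if not 0 <= seed < len(TYPE7_KEY):
        raise ValueError("seed must be a valid offset into the key")
    data = plaintext.encode("ascii")
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Matches '... password|secret [<type>] <value>' at the end of a config line.
CRED_RE = re.compile(r"\b(?P<kind>password|secret)\s+(?:(?P<type>\d{1,2})\s+)?(?P<value>\S+)\s*$")


def classify_line(line: str) -> Optional[dict]:
    """Return a finding for a credential-bearing config line, else None."""
    m = CRED_RE.search(line)
    if not m:
        return None
    ptype = m.group("type") or "0"
    finding = {"line": line.strip(), "kind": m.group("kind"), "type": ptype, "plaintext": None}
    if ptype == "0":            # no type or explicit 0: stored exactly as typed
        finding.update(status="cleartext", plaintext=m.group("value"))
    elif ptype == "7":          # reversible obfuscation: recover it on the spot
        finding.update(status="reversed", plaintext=type7_decode(m.group("value")))
    else:                       # 5 = MD5-crypt, 8 = PBKDF2-SHA256, 9 = scrypt: one-way
        finding.update(status="hashed")
    return finding


def audit_config(config: str) -> list:
    """Run classify_line over a whole configuration and keep the findings."""
    return [f for f in map(classify_line, config.splitlines()) if f]


# Constructed sample configuration for this demo. The type 7 value was made
# with type7_encode("letmein", seed=2); the 'secret 5' value is only a
# format placeholder, not a real hash.
SAMPLE_CONFIG = """\
hostname border-rtr
service password-encryption
!
username merike password 7 020A014F0603062F
enable secret 5 $1$demo$PLACEHOLDERnotRealHash
!
line vty 0 4
 exec-timeout 5 0
 login local
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        shown = f["plaintext"] if f["plaintext"] is not None else "(one-way hash; not reversed here)"
        print(f"{f['status']:<9} {f['line']}  ->  {shown}")
```

Run directly, it prints one line per credential it found, with the recovered "letmein" beside the type 7 entry. Pasting the output of "show running-config" into audit_config is a quick check to make before a configuration is mailed to a vendor. The regex only looks at "password" and "secret" keywords; type 7 strings also appear elsewhere in IOS configurations (routing-protocol authentication keys, for example), so a full audit would extend the pattern.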

© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.

Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.