The first line of defense on any Cisco device is the password configuration. This lab walks through the modern best practice: a scrypt-hashed enable secret, an AAA-aware user database, and no plain-text passwords anywhere. The shortcuts you may have seen in older documentation (enable password, type 5 secrets, service password-encryption) are weakened by modern attacks; the algorithm-type scrypt form is the right answer in 2026.
What you will learn
- Why enable secret beats enable password
- The four password types: 0 (clear), 5 (MD5), 7 (Vigenere obfuscation), 9 (scrypt)
- How to configure scrypt-hashed enable secrets and usernames
- Console + vty line password best practices
What this lab does NOT cover
- SSH-specific config (next lab, sec-06)
- AAA with TACACS+/RADIUS (lab sec-07 covers AAA basics)
Topology
Download the CCNA Base Topology .yaml
3 iol-xe routers + 1 alpine + 1 ioll2-xe managed switch + 1 unmanaged switch.
Password types
| Algorithm | Type | Modern verdict |
|---|---|---|
| Clear text | 0 | Never use |
| MD5 | 5 | Broken; avoid |
| Vigenere (reversible) | 7 | Never use - decoders are trivial |
| PBKDF2-SHA256 | 8 | Acceptable |
| scrypt | 9 | Use this |
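The following is an added example, not part of the original lab: a small Python audit that reads running-config text and rates every enable, username and line-level credential using the password-type table above. The sample config, its placeholder strings and the function names are constructed for illustration.

```python
import re

# Algorithm and verdict per type, copied from the password-type table above.
VERDICTS = {
    0: ("clear text", "Never use"),
    5: ("MD5", "Broken; avoid"),
    7: ("Vigenere (reversible)", "Never use - decoders are trivial"),
    8: ("PBKDF2-SHA256", "Acceptable"),
    9: ("scrypt", "Use this"),
}
# enable, username and line-level credentials as they appear in a running config.
CRED = re.compile(
    r"^\s*(?:(?P<enable>enable)|username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?)?\s*"
    r"(?P<kw>password|secret)\s+(?:(?P<type>[05789])\s+)?\S+"
)

def audit(config):
    """Return (line_no, subject, type, verdict) for each stored credential."""
    findings, section = [], ""
    for no, line in enumerate(config.splitlines(), 1):
        if line and not line[0].isspace():
            section = line.strip()  # enclosing block, e.g. "line con 0"
        m = CRED.match(line)
        if not m:
            continue
        ptype = int(m["type"] or 0)  # no type digit means stored as type 0
        subject = "enable" if m["enable"] else (
            "username " + m["user"] if m["user"] else section)
        findings.append((no, subject, ptype, VERDICTS[ptype][1]))
    return findings

def weak(config):
    """Credentials whose type the table rates below Acceptable."""
    return [f for f in audit(config) if f[2] not in (8, 9)]
# Constructed sample config; hash and obfuscated strings are placeholders.
SAMPLE = """\
service password-encryption
enable secret 9 $9$PLACEHOLDER
enable password lab-example
username admin privilege 15 secret 9 $9$PLACEHOLDER
username ops password 7 00PLACEHOLDER
username old secret 5 $1$PLACEHOLDER
line con 0
 password 7 00PLACEHOLDER
line vty 0 4
 login local
"""
if __name__ == "__main__":
    print(*weak(SAMPLE), sep="\n")
```

The findings report only the line number, subject and type, so the stored value itself is never echoed into audit output.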