Fundamentals

Password Policies and MFA for Network Devices

Cisco IOS show login failures output listing a blocked brute-force attacker
In: Fundamentals, CCNA, Network Security

Every network device ships with the same weakness: a login prompt that will accept a guessed password forever unless you tell it not to. Hardening that prompt is a CCNA domain 5 objective and a real-world necessity, and it is more than "set a strong password." This article covers the IOS password-type hierarchy, how to enforce a minimum length, how to lock out brute-force attempts, and where multi-factor authentication fits, all grounded in real Cisco IOS XE output (including an actual brute-force attempt hitting a lab router). It is part of the Network Fundamentals guide.

The IOS Password-Type Hierarchy

Not all stored passwords are equal, and IOS labels each with a type number. The difference is how the password is stored in the config, which decides how fast an attacker who reads your config can recover it. When you configure a plaintext password on a modern IOS XE image, the device itself warns you:

R1(config)# username helpdesk password cisco123
 WARNING: Command has been added to the configuration using a type 0 password.
 However, recommended to migrate to strong type-6 encryption

That "type 0" is the tell: the password is stored in cleartext. Compare it to a properly hashed credential from the same device:

R1# show run | include secret
username cisco privilege 15 secret 9 $9$866GqyqM2IY7Sk$3ZDbsO6QtTVaR1U8dKmRwQWO6EoXCWa3cyApcAHPJnI

The 9 after secret is the type. Here is the hierarchy, worst to best:

Type 0

Cleartext. Anyone who reads the config has the password. Never use in production.

Type 7

Cisco's reversible "encryption" from service password-encryption. Trivially decoded. Obfuscation, not security.

Type 5

Salted MD5 hash. Was the standard for years; now considered weak against modern cracking.

Type 8

PBKDF2 with SHA-256. Strong and standards-based.

Type 9

scrypt. Deliberately memory-hard, the strongest option IOS offers. This is what you want.

The practical rules: always use secret (which hashes) rather than password (which does not), prefer enable secret over enable password, and never rely on service password-encryption as anything more than shoulder-surf protection, because type 7 is reversible in seconds. On current images you can force the strong algorithm with username x algorithm-type scrypt secret y.

Enforcing a Minimum Length

A strong hash on a weak password buys you nothing. Set an organization-wide floor so nobody can configure a short one:

R1(config)# security passwords min-length 12

After this, any attempt to set a password shorter than 12 characters is rejected at the CLI. It applies to enable and line passwords going forward (existing ones are untouched until they are changed). This is the kind of guardrail that survives staff turnover: it does not depend on whoever is at the keyboard remembering the policy.

Locking Out Brute Force

The single most valuable hardening command for the login prompt is login block-for. It watches for repeated failures and, once the threshold is crossed, drops the device into "quiet mode" where it refuses all login attempts for a set period:

R1(config)# login block-for 120 attempts 3 within 60

Read it as: if there are 3 failed logins within 60 seconds, block all logins for 120 seconds. Here is that policy doing its job. From a Linux host, three SSH logins with a bad password were fired at the router in quick succession, and the device recorded every one:

R1# show login failures
Information about last 50 login failure's with the device

Username        SourceIPAddr    lPort Count TimeStamp
attacker        192.168.99.100  22    3     22:57:45 UTC Fri Jul 10 2026

The moment the third failure landed, quiet mode engaged, and the router logged both the failure and the lockout to its syslog server:

%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: attacker] [Source: 192.168.99.100]
  [localport: 22] [Reason: Login Authentication Failed]
%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 50 secs,
  [user: attacker] [Source: 192.168.99.100] [ACL: sl_def_acl]

Two things worth noting. First, quiet mode applies an ACL (sl_def_acl) that blocks everyone by default, so you can pair it with login quiet-mode access-class to keep your own management subnet exempt (otherwise you lock yourself out too). Second, this event went straight to a central log, which is how you would actually notice an attack in progress rather than discovering it after the fact.

SSH as the Transport

None of this matters if management traffic is in cleartext, so SSH (never Telnet) is the transport. A quick look at the negotiated parameters:

R1# show ip ssh | include SSH|Auth
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 120 secs; Authentication retries: 3

SSH version 2 only (version 1 is broken), a short authentication timeout, and a low retry count. The presence of publickey in the methods matters: key-based authentication removes the password from the equation entirely for automation and admin access, which is a stronger posture than any password policy.

Multi-Factor Authentication and Centralized AAA

A password is one factor: something you know. Multi-factor authentication (MFA) requires two or more of the classic three categories, and the CCNA expects you to name them:

Something you knowA password, PIN, or passphrase. The weakest factor on its own because it can be guessed, phished, or reused.
Something you haveA token, smartphone authenticator app, or a certificate on the device. Stops an attacker who only has the password.
Something you areBiometrics: fingerprint, face, retina. Common for endpoint and building access, less so for CLI device login.

Network devices do not run MFA prompts on their own. The way you get MFA (and centralized policy) onto a router or switch is to stop authenticating locally and hand the job to a central server via AAA. Instead of a username database on every box, the device asks a TACACS+ or RADIUS server, and that server can enforce MFA, tie logins to your identity directory, and log everything centrally. TACACS+ is Cisco's device-administration protocol (it can authorize individual commands); RADIUS is the standard for network access and is what 802.1X uses to authenticate devices onto switchports. Certificates fit here too: a device or user presents a certificate instead of (or alongside) a password, which is the "something you have" factor in machine form.

The progression to remember: local passwords are fine for a lab or a single device, but the moment you have more than a handful of boxes, centralized AAA is the answer, because you cannot enforce policy (or MFA, or clean offboarding) one router at a time.

FAQ

Should I use secret or password?

Always secret. It stores a hash (type 5, 8, or 9 depending on the command), while password stores type 0 cleartext unless you layer on service password-encryption, which only gives you reversible type 7. Use enable secret and username x secret y everywhere.

Is service password-encryption good enough?

No. It produces type 7, which is reversible with tools that have existed for decades. It stops someone glancing at your screen, nothing more. Treat any type 7 password as effectively cleartext.

Can login block-for lock me out?

Yes, if you don't exempt yourself. Quiet mode blocks all logins by default. Pair it with login quiet-mode access-class pointing at an ACL that permits your management subnet, so an attack from outside doesn't also lock out your NOC.

Does a router support MFA directly?

Not by itself. You get MFA by pointing the device at a centralized AAA server (TACACS+ or RADIUS) that enforces the additional factor. The device just delegates the authentication decision.

Key Takeaways

Use hashed secrets (type 8 or 9), never cleartext or reversible type 7. Enforce a minimum length with security passwords min-length so policy does not depend on memory. Lock out brute force with login block-for, exempt your own subnet, and ship the events to a syslog server so you actually see attacks. Move management to SSHv2 and, past a handful of devices, to centralized AAA where MFA and identity integration live. For the access-control side (authenticating devices onto the network with RADIUS), continue to the 802.1X guide, and see the Network Fundamentals guide for the rest of domain 5.

Written by
More from Ping Labz
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Ping Labz.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.