Erasing Enable Passwords

If you forget an enable password or secret, you can erase all enable passwords and secrets.

Two commands allow you to erase passwords and secrets: erase secrets and service unattended-password-recovery. It is important to fully understand the purpose of these commands and how they work with each other.

The erase secrets command can be used to delete all existing passwords. To use this command, you must be physically present at the router to complete the operation. After the command has been executed, you have a finite number of seconds to press the software reset button on the SRP module. You can execute this command from the console or any vty.

The service unattended-password-recovery command provides you with a way to delete existing passwords and secrets without physically being present at the router. You must have the proper privilege level to execute the command, and you can execute it from either the console or any vty.

When you execute service unattended-password-recovery, you change the behavior of erase secrets. You can now delete passwords and secrets from the console by executing erase secrets without a time limit and without being physically present at the router. When you use the no version of service unattended-password-recovery, you revert erase secrets to its factory default behavior.
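Because service unattended-password-recovery removes the physical-presence requirement from erase secrets, it is worth checking saved configurations for it. The following is an added example, not part of the original documentation: it assumes the command appears in a saved configuration one command per line as typed and that "!" starts a comment. The function names and sample configurations are constructed for illustration.

```python
import re

# Matches the command named on the page, with an optional leading "no".
# Assumption: a saved configuration lists it one command per line, as typed.
_CMD = re.compile(r"^\s*(no\s+)?service\s+unattended-password-recovery\s*$", re.I)


def unattended_recovery_enabled(config_text):
    """Return True if the last matching line enables unattended recovery.

    With no matching line the factory default applies: erase secrets
    needs the software reset button, so the result is False.
    """
    enabled = False
    for line in config_text.splitlines():
        line = line.split("!", 1)[0]  # assumption: "!" starts a comment
        m = _CMD.match(line)
        if m:
            # The "no" form reverts to the default; a later line wins.
            enabled = m.group(1) is None
    return enabled


def audit(configs):
    """Take a map of router name -> config text; return names to review."""
    return sorted(name for name, text in configs.items()
                  if unattended_recovery_enabled(text))


# Constructed sample configurations (not taken from real routers).
SAMPLE_CONFIGS = {
    "host1": "hostname host1\nservice unattended-password-recovery\n",
    "host2": "hostname host2\n",
    "host3": "service unattended-password-recovery\n"
             "no service unattended-password-recovery\n",
}

if __name__ == "__main__":
    for name in audit(SAMPLE_CONFIGS):
        print(f"{name}: erase secrets works without the reset button")
```

Routers that the audit reports allow anyone with the required privilege level to erase all passwords and secrets from the console without touching the SRP module.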

To erase all enable passwords or secrets:

  1. Log in to the router.
  2. Erase the existing enable password or secret. Specify the number of seconds to allow for the erase operation.
    host1>erase secrets 60
  3. Within the time limit that you specified for the erase secrets command, press the recessed software reset button on the primary SRP module (see Figure 25).

    Figure 25: Location of the Software Reset Button

    Note: If you do not press the software reset button within the time limit, the system will not erase the password, and you will need to repeat the process.
