Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Setting and Erasing Passwords

    You can set the following passwords:

    • Enable passwords that control access to different groups of commands.
    • A console password that controls access to the console.
    • Passwords for individual vty lines or groups of vty lines.

    The following topics provide information on setting and erasing passwords:

    Privilege Levels Overview

    Different groups of commands are associated with privilege levels (Table 1). You can set enable passwords to allow users to access commands at different privilege levels.

    Table 1: Commands Available at Different Privilege Levels

    Privilege Level

    Commands Available


    help, exit, enable, and disable commands


    User Exec commands plus commands at level 0


    Privileged Exec show commands plus commands at levels 0 and 1


    All commands except support commands


    Support commands that Juniper Networks Technical Support may provide and all other commands

    To maximize security and usability, set different passwords for levels 1, 5, 10, and 15. By default, no enable passwords exist.

    Accessing Privilege Levels

    If users have access to the console, they automatically have access to privilege level 0. To access higher levels of privilege, they must enter the enable privilege-level command. When users specify a privilege level, the system determines whether there is a password at that level. If there is not, the system prompts the user for the password for the lower level closest to the requested level.

    Erasing Enable Passwords

    If you forget an enable password or secret, you can erase all enable passwords and secrets.

    Two commands allow you to erase passwords and secrets: erase secrets and service unattended-password-recovery. It is important to fully understand the purpose of these commands and how they work with each other.

    The erase secrets command can be used to delete all existing passwords. To use this command, you must be physically present at the router to complete the operation. After the command has been executed, you have a finite number of seconds to press the software reset button on the SRP module. You can execute this command from the console or any vty.

    The service unattended-password-recovery command provides you with a way to delete existing passwords and secrets without physically being present at the router. You must have the proper privilege level to execute the command, and you can execute it from either the console or any vty.

    When you execute service unattended-password-recovery, you change the behavior of erase secrets. You can now delete passwords and secrets from the console by executing erase secrets without a time restraint or having to be physically present at the router. When you use the no version of service unattended-password-recovery, you revert the functionality of erase secrets to the factory default setting.

    To erase all enable passwords or secrets:

    1. Log in to the router.
    2. Erase the existing enable password or secret. Specify the number of seconds to allow for the erase operation.
      host1>erase secrets 60
    3. Within the time limit that you specified for the erase secrets command, press the recessed software reset button on the primary SRP module (see Figure 1).

      Figure 1: Location of the Software Reset Button

      Location of the Software Reset Button

      Note: If you do not press the software reset button within the time limit, the system will not erase the password, and you will need to repeat the process.

    Setting a Console Password

    By default, there is no console password.

    To set a console password:

    1. Make sure that you know the enable password for the system.

      If you need to reset the enable password, see Privilege Levels Overview.

    2. Access Privileged Exec mode, and enter the enable password if prompted.
    3. Access Global Configuration mode.
    4. Access Line Configuration mode.
      host1(config)#line console 0
    5. Enable password checking at login.
    6. Specify a password.
      host1(config-line)#password 7 dq]XG`,%N"SS7d}o)_?Y

    Note: To use an encrypted password or a secret, you must follow the procedure in Setting Basic and Enable Password Parameters to obtain the encrypted password or secret. You cannot create your own encrypted password or secret; you must use a system-generated password or secret.

    Erasing the Console Password

    If you forget the console password, you can erase the existing value and configure a new one. This action deletes all authentication for the console line. To erase existing passwords:

    1. Reboot the router by pressing the recessed software reset button on the primary SRP module (Figure 1) and then pressing the mb key sequence during the countdown.
    2. Disable authentication at the console level.
      :boot##disable console authentication

      If you remember the password at this point, you can override this action by entering:

      :boot##no disable console authentication
    3. Reload the operating system.

    When the operating system reloads, you can access the console without a password.

    Note: You can log in to the console without a password until you set a new password.

    Monitoring Passwords


    Used to display all passwords and secrets. The show secrets command displays only secrets configured by the user; it does not display inherited secrets.


    To display all passwords and secrets:

    host1#show secrets
                     Current Password Settings                 
             encryption         encrypted                   
    level       type         password/secret         mode   
    -----   ------------   --------------------   ----------
    5       7 (password)   zRFj_6>^]1OkZR@e!|S$   configured
    6       7 (password)   zRFj_6>^]1OkZR@e!|S$   inherited 
    7       7 (password)   zRFj_6>^]1OkZR@e!|S$   inherited 
    8       7 (password)   zRFj_6>^]1OkZR@e!|S$   inherited 
    9       7 (password)   zRFj_6>^]1OkZR@e!|S$   inherited 
    10      7 (password)   zRFj_6>^]1OkZR@e!|S$   inherited 
    11      7 (password)   zRFj_6>^]1OkZR@e!|S$   inherited 
    12      7 (password)   zRFj_6>^]1OkZR@e!|S$   inherited 
    13      7 (password)   zRFj_6>^]1OkZR@e!|S$   inherited 
    14      7 (password)   zRFj_6>^]1OkZR@e!|S$   inherited 


    Table 2 lists the show secrets command output fields.

    Table 2: show secrets Output Fields

    Field Name

    Field Description


    Privilege level

    encryption type

    Type of encryption

    encrypted password/secret

    Passwords and secrets in their encrypted form



    • configured—Configured password/secret
    • inherited— Indicates whether a secret was inherited from a lower password level

    Published: 2014-08-12