  • Brandon Hitzel

How to Disable Password Recovery on Cisco Devices

This article covers how to disable password recovery for certain devices. Updated 2018.






So I found there is something of a lack of documentation from Cisco on this, and not a lot of articles either. In addition, some of the articles repeat the same information, which actually doesn't apply to certain devices. Most of the search results did not include the info I needed because there are tons of articles about how to get into the device if you forgot the password (which this prevents). I ended up opening a TAC case to get a quick answer in order to finish my configuration template.


The problem I had with the methods listed in the 5+ configuration guides and blogs I sifted through is that they are usually only applicable to switches and not to newer routers (like the IOS-XE ISR series). Therefore I thought it would be good to post the configuration required to disable the password recovery mechanism on different Cisco devices.


The Why


The advantage of disabling password recovery is that if the device is stolen or is sold without wiping the configuration, the only way to get into it without knowing the password is to delete its configuration. Because the user is forced to select "delete the configuration" and cannot enter password recovery mode, they will not be able to see the configuration stored on the device after bypassing the password prompt.


The use case for this would be something like an 8 port switch in a weatherproof box on a pole in a park, or any device that is easily accessible or could be stolen. I know there will be some naysayers out there, but c'mon guys, you should be backing up all your configurations anyway.


Quick story - When I purchased my first 2 devices off eBay for my certification studies I found that they were prompting for a password, so I had to search and find out how to perform the password recovery. After doing all the steps I found that both devices actually belonged to 2 separate municipal entities, who I am sure would have been unhappy to find out the switches were sold without the configuration being deleted (I deleted them promptly).



Configurations:


Catalyst 2960X Switches (IOS) –

The default config register already allows the command to be added.

Just enter the command, save and reboot.

# config t

# no service password-recovery

# exit

# wr

# reload

Verify after the reboot that password recovery is disabled. A way to test this on this switch is to hold down the "mode" button on the front of the switch during boot to send a break and attempt to enter password recovery; the switch should only offer to delete the configuration.



ISR 1900/2900 series routers (IOS) –

Change the config register to 0x2102 (required before the command to disable password recovery is accepted),

then enter the command, save and reboot.

# config t

# config-register 0x2102

# no service password-recovery

# exit

# wr

# reload

Confirm password recovery is disabled by sending a break during boot-up and checking that the router refuses to enter ROMMON password recovery.



ISR 4000 series routers (IOS-XE) –

Change the config register to 0x2012 (required before the command to disable password recovery is accepted),

then enter the command, save and reboot.

# config t

# config-register 0x2012

# no service password-recovery

# exit

# wr

# reload

Confirm password recovery is disabled by sending a break during boot-up and checking that the router refuses to enter password recovery.


Issue a show version on the device to see your current config-register. After the reboot you can also issue a show run | include password-recovery to confirm the no service password-recovery line is present (some platforms might not support this).
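To make that check repeatable across a fleet, here is an added example (not from the article or from Cisco) that audits the two command outputs above for each device. It assumes you have already collected the text of show version and show run | include password-recovery per device, and the platform keys and sample outputs are constructed for illustration; the expected config registers are the ones given in this article.

```python
import re

# Config register each platform needs before "no service password-recovery"
# is accepted, per the article. None means the platform default is fine.
EXPECTED_REGISTER = {"c2960x": None, "isr2900": "0x2102", "isr4000": "0x2012"}

# IOS prints "Configuration register is 0x2102" and, when a change is saved
# but not yet applied, "(will be 0x2012 at next reload)".
REGISTER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def audit(platform, show_version, show_run):
    """Return a list of findings; an empty list means the device is compliant."""
    findings = []
    if not re.search(r"^no service password-recovery\s*$", show_run, re.M):
        findings.append("password recovery still enabled")
    m = REGISTER_RE.search(show_version)
    if m is None:
        findings.append("config register not found in show version")
        return findings
    current, pending = m.group(1).lower(), (m.group(2) or "").lower()
    effective = pending or current  # value that applies after the next reload
    expected = EXPECTED_REGISTER[platform]
    if expected is not None and effective != expected:
        findings.append(f"config register {effective} (expected {expected})")
    elif pending and pending != current:
        findings.append(f"config register change to {pending} pending reload")
    return findings


# Constructed sample outputs, not captured from real devices.
SAMPLE_DEVICES = {
    "rtr-branch-1": ("isr2900", "Configuration register is 0x2102\n",
                     "no service password-recovery\n"),
    "rtr-branch-2": ("isr4000",
                     "Configuration register is 0x2102 (will be 0x2012 at next reload)\n",
                     "no service password-recovery\n"),
    "sw-park-1": ("c2960x", "Configuration register is 0xF\n", ""),
}


def audit_all(devices):
    return {name: audit(p, sv, sr) for name, (p, sv, sr) in devices.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_DEVICES).items():
        print(name, "OK" if not findings else "; ".join(findings))
```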






#networking #netsec #cisco #IT


Copyright © 2020 by Brandon Hitzel
