The current Cisco IOS supports a fairly new command: service password-recovery, or perhaps more specifically, no service password-recovery. This is a Global Configuration mode command that modifies the behavior of your password recovery process.

Anyone with console access and the ability to reboot the Cisco device can set her own enable or secret password on the device. Password recovery is a misleading name: the process does not actually recover the password. Instead, it lets you regain access to a device whose password you have forgotten or lost by setting a new one.

This poses a bit of a security risk, especially because you may not notice the password has been changed. You may notice the reboots of the device, but that is all.

When you add no service password-recovery to your configuration, the password recovery process no longer lets you recover the password without erasing the entire configuration. If your device configuration is erased, someone has likely been messing around with your equipment.

The other advantage of no service password-recovery is that it keeps the configuration of devices you have removed from the network from falling into the wrong hands, and it prevents the password from being reset on devices that are still on the network. When the device is recovered, with the configuration lost, you know something is up with the device.

If you plan to enable this feature for security, make sure that you maintain configuration backups of your device.

Here is the code example to enable this feature on your Cisco device:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#no service password-recovery
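
To confirm that the setting is actually present in the configuration backups recommended above, the following added example (not part of the original article) audits saved IOS configurations in Python and ignores the command text when it only appears inside a banner. The file names, hostnames and sample contents are constructed, and it assumes the command shows up in a saved configuration only when it has been set, because the default (recovery enabled) is not listed.

```python
import re

# Constructed sample backups for illustration; names and contents are made up.
SAMPLE_BACKUPS = {
    "edge1.cfg": (
        "hostname Edge1\n"
        "no service password-recovery\n"
        "enable secret 5 <hash-placeholder>\n"
    ),
    "core1.cfg": (
        "hostname Core1\n"
        "banner motd ^C\n"
        "no service password-recovery\n"  # banner text, not a command
        "^C\n"
    ),
    "lab1.cfg": "hostname Lab1\nenable secret 5 <hash-placeholder>\n",
}

# "banner <type> <delimiter>": saved configs usually show the delimiter as ^C.
BANNER = re.compile(r"^banner\s+\S+\s+(\^C|\S)")

def audit_config(text):
    """Return (hostname, protected) for one saved IOS configuration."""
    hostname, protected, delim = None, False, None
    for line in text.splitlines():
        if delim is not None:  # inside banner text: skip until the delimiter
            if delim in line:
                delim = None
            continue
        m = BANNER.match(line)
        if m:
            if m.group(1) not in line[m.end():]:  # banner continues on later lines
                delim = m.group(1)
            continue
        line = line.rstrip()  # keep leading spaces: global commands start in column 0
        if line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
        elif line == "no service password-recovery":
            protected = True
    return hostname, protected

def audit_backups(backups):
    """Return (file, hostname) pairs whose config leaves password recovery enabled."""
    results = {name: audit_config(text) for name, text in backups.items()}
    return sorted((n, h) for n, (h, ok) in results.items() if not ok)

if __name__ == "__main__":
    for name, host in audit_backups(SAMPLE_BACKUPS):
        print(f"{name} ({host}): password recovery is still enabled")
```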