Device Operations Intermediate

Password Recovery & Configuration Register

How to recover access to a Cisco router or switch when you've lost the enable password. Covers the configuration register, ROMMON, the standard CCNA recovery procedure, and the security implications of physical access.

TL;DR
  • If you have physical/console access to a Cisco device, you can recover the password by changing the configuration register to ignore the startup-config on boot.
  • Standard register `0x2102` = boot normally. `0x2142` = boot but skip startup-config (give yourself a clean device, copy old config in, change password).
  • This is why **physical security matters** — anyone at the console can own the device. Console passwords and `no service password-recovery` are the mitigations.

Mental model

You inherit a router. No one knows the enable password. The previous engineer left. Telnet/SSH won’t help — you can’t get past login. You need physical console access plus a power cycle.

The trick: tell the device to skip loading its startup-config when it boots. The device boots with no config (no passwords either), you log in, look at the existing startup-config (still safe in NVRAM), copy it into running-config, set a new password, save.

The setting that controls boot-time behavior is the configuration register — a 16-bit value stored in NVRAM that the bootloader (ROMMON) reads at power-on.

The configuration register — what each value means

0x2102   ← default. Normal boot. Load IOS from flash, load startup-config.
0x2142   ← password recovery. Boot but IGNORE startup-config in NVRAM.
0x2120   ← boot into ROMMON instead of IOS.
0x0000   ← boot into ROMMON (same intent, different bits).

The hex bits aren’t random — each bit toggles a behavior (console speed, boot source, etc.) but for CCNA you memorize the two important values.

The password-recovery procedure — Cisco router

  1. Console in. Cable plugged into the console port, terminal at 9600/8/N/1.
  2. Power-cycle the router.
  3. During the first 60 seconds, hit Ctrl-Break (or Ctrl-] then break, terminal-specific). This drops you into ROMMON.

      rommon 1 >

  4. Set the config-register to ignore startup-config:

      rommon 1 > confreg 0x2142
      rommon 2 > reset

  5. Device reboots, comes up with empty running-config. No passwords. You’re at the user prompt.

      Router>
      Router> enable     ← no password asked
      Router#

  6. Copy the saved startup-config into running-config (NOT the other way around — don’t overwrite NVRAM yet):

      Router# copy startup-config running-config

     You now have the previous engineer’s config running — interfaces, OSPF, ACLs, everything — but with privileged access.

  7. Change the password and reset the config-register:

      Router# configure terminal
      Router(config)# enable secret NewStrongPassword!
      Router(config)# config-register 0x2102
      Router(config)# end
      Router# copy running-config startup-config
      Router# reload

Device reboots normally. You now have the working config plus the password you set.

Password recovery — Cisco switch (Catalyst)

Slightly different. Switches don’t use the config-register the same way:

  1. Console in. Power-cycle.
  2. Hold the Mode button on the front panel while plugging in power.
  3. Switch boots into a special menu / switch: prompt.
  4. Run:

      switch: flash_init
      switch: dir flash:
      switch: rename flash:config.text flash:config.text.old
      switch: boot

  5. Switch boots with no config. Press n on initial setup wizard.
  6. Restore the config:

      Switch> enable
      Switch# rename flash:config.text.old flash:config.text
      Switch# copy flash:config.text running-config

  7. Change password, write to startup-config:

      Switch# configure terminal
      Switch(config)# enable secret NewPassword!
      Switch(config)# end
      Switch# write memory

The security implication

If someone has physical console access, they can take over the device. Period. Password recovery is a designed feature of Cisco IOS.

Mitigations:

1. Disable password recovery

Router(config)# no service password-recovery

Now if someone enters ROMMON, they cannot bypass startup-config. The device boot prompt warns:

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED.

If you forget the password on a device with this set, your only option is to wipe the device and start fresh — losing the saved config. Use this only in high-security environments where you keep the config backed up externally.

2. Physical security

Locked racks. Camera coverage. Console cable not left plugged in. Standard datacenter discipline.

3. Strong console-line authentication

Console login should require AAA (RADIUS/TACACS+), so even if someone gets to the console, they need real credentials. Combined with no service password-recovery, you’ve raised the bar significantly.

Verifying current register value

Router# show version
...
Configuration register is 0x2102

Router# show version | include register

After changing the register in config mode, the change takes effect on the next reload; `show version` shows the live value plus “(will be 0x2142 at next reload)”.
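
An added example, not part of the original page: a Python check that reads the `Configuration register is ...` line from collected `show version` output and flags devices that booted, or will next boot, with startup-config ignored or into ROMMON. The bit masks come from general Cisco documentation rather than this page, and the hostnames and sample outputs are constructed.

```python
import re

# Register bits on classic IOS routers (assumption from general Cisco
# documentation, not from this page; console-speed and other bits are ignored).
BOOT_FIELD = 0x000F     # bits 0-3: a value of 0 means stop in ROMMON
IGNORE_NVRAM = 0x0040   # bit 6: skip startup-config at boot

REG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def decode_confreg(value):
    """Decode the two boot behaviours this page is concerned with."""
    return {
        "boots_to_rommon": (value & BOOT_FIELD) == 0,
        "ignores_startup_config": bool(value & IGNORE_NVRAM),
    }

def audit_show_version(host, output):
    """Return a list of findings for one device's `show version` text."""
    m = REG_LINE.search(output)
    if m is None:
        return [f"{host}: no configuration register line found"]
    live = int(m.group(1), 16)
    # Without a "(will be ...)" suffix, the next boot uses the live value.
    pending = int(m.group(2), 16) if m.group(2) else live
    findings = []
    if decode_confreg(live)["ignores_startup_config"]:
        findings.append(f"{host}: booted with startup-config ignored ({live:#06x})")
    nxt = decode_confreg(pending)
    if nxt["ignores_startup_config"]:
        findings.append(f"{host}: next reload will skip startup-config ({pending:#06x})")
    if nxt["boots_to_rommon"]:
        findings.append(f"{host}: next reload will stop in ROMMON ({pending:#06x})")
    return findings

# Constructed sample outputs with hypothetical hostnames, one per case.
SAMPLES = {
    "edge-1": "Configuration register is 0x2102",
    "closet-7": "Configuration register is 0x2142",
    "core-2": "Configuration register is 0x2102 (will be 0x2142 at next reload)",
    "lab-3": "Configuration register is 0x2142 (will be 0x2102 at next reload)",
}

def audit_all(samples=SAMPLES):
    return [f for host, text in samples.items() for f in audit_show_version(host, text)]

if __name__ == "__main__":
    print("\n".join(audit_all()))
```

A device reported as "booted with startup-config ignored" outside a scheduled recovery window is worth checking against console and physical-access records.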

Common mistakes

  1. Skipping the copy startup-config running-config step. You set 0x2142, rebooted, set a new password — but you skipped loading the old config. You now have a working blank device and you’ve lost OSPF, interfaces, ACLs, everything. (NVRAM still has the old startup-config — copy startup-config running-config rescues you.)

  2. Forgetting to reset 0x2142 back to 0x2102. Device works fine for now, but on the next reboot it skips startup-config again — the next person sees an unconfigured device.

  3. Not writing the new password to startup-config. enable secret only changes running-config. copy running-config startup-config makes it persist across reboots.

  4. Wrong break key. PuTTY: Ctrl-Break. macOS Terminal/iTerm: Ctrl-A then Ctrl-B, or send a BREAK signal via the menu. Linux screen: Ctrl-A then Ctrl-B. Look up your terminal’s BREAK key beforehand.

  5. Trying password recovery remotely. You can’t. Console + physical access is required.

  6. Using no service password-recovery without an offline config backup. If you ever forget the password, you have to factory-reset and rebuild. Back up the config first.

Real-world scenario

You’re a new hire at a hospital network team. The previous network engineer left abruptly. There’s an old 2911 router in a wiring closet that no one has the password for, but it’s running OSPF and the radiology VLAN is depending on it.

Wrong move: factory-reset it. Radiology goes down.

Right move: schedule a maintenance window, console in, password-recover. The OSPF config and interfaces stay intact because you copy startup-config → running-config before reloading. You change the enable secret to something documented in your password vault.

This is exactly the scenario this procedure is designed for.

Lab to try tonight

  1. In CML or Packet Tracer, build a router with an OSPF config and an enable secret SecretPassword!.
  2. write memory, then reload.
  3. As it boots, hit Ctrl-Break to enter ROMMON.
  4. confreg 0x2142, reset.
  5. Verify the router comes up with empty config. Type enable — no password asked.
  6. show startup-config — your old config is still there.
  7. copy startup-config running-config — old config comes back live.
  8. configure terminal → enable secret NewSecret! → config-register 0x2102 → end → write memory → reload.
  9. Login with the new password. Confirm OSPF + interfaces survived.
  10. Bonus: enable no service password-recovery. Reboot. Try the ROMMON trick — see the device refuse to bypass startup-config.

Cheat strip

| Concept | Plain English |
| --- | --- |
| Config register | 16-bit value in NVRAM controlling boot behavior |
| 0x2102 | Default — normal boot |
| 0x2142 | Boot but skip startup-config (password recovery) |
| ROMMON | The bootloader. rommon> prompt. Reached via Ctrl-Break during boot |
| confreg 0x2142 in ROMMON | Set register for password recovery |
| config-register 0x2102 in IOS | Set register from configure mode |
| Copy startup → running | Critical step — restores original config before you change password |
| Switch recovery | Mode button + power, then rename config.text instead of using confreg |
| no service password-recovery | Disables this — but locks you out if you ever lose the password |
| Why it matters | Physical console = root access by design. Lock your wiring closets. |