service password-encryption
Encrypts all plaintext passwords in the running configuration to prevent unauthorized viewing of password data.
service password-encryption
When to Use This Command
- Enable password encryption on a router to protect enable password and line passwords from being read in clear text in configuration files.
- Apply encryption to all user passwords configured on the device, such as those for console, VTY, and auxiliary lines.
- Use as a security best practice when deploying routers in production environments to comply with security policies.
- Enable before saving configuration to ensure passwords are stored encrypted in startup-config.
Command Examples
Enable password encryption globally
service password-encryption
Router(config)# service password-encryption
Router(config)#
The command is entered in global configuration mode. No output is displayed upon successful execution. After this, all existing and new passwords in the running config will be encrypted using a weak Cisco proprietary algorithm (Type 7).
Verify encryption in running configuration
show running-config | include password
enable password 7 0822455D0A16
line con 0
 password 7 0822455D0A16
line vty 0 4
 password 7 0822455D0A16
The 'show running-config' output filtered for 'password' shows that passwords are now displayed as encrypted strings (Type 7). The '7' indicates the encryption type. Previously, these would have been shown in plaintext.
Understanding the Output
The command itself produces no output. Its effect is seen when viewing the running configuration. Passwords that were previously in plaintext (e.g., 'enable password cisco') become encrypted strings like '7 0822455D0A16'. The '7' indicates Type 7 encryption, which is a weak, reversible encryption. This prevents casual viewing but is not secure against determined attackers. To verify, use 'show running-config' and look for 'password 7 ...' entries. If you see 'password 0 ...', encryption is not enabled. Note that 'enable secret' uses stronger MD5 hashing (Type 5) and is not affected by this command.
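An added example, not part of the original page: a Python audit of a saved running-config that reports whether service password-encryption is on and classifies each credential line as plaintext, Type 7 or hashed, without echoing the value. The sample configuration is constructed (the Type 5 hash is a placeholder), and the function names are this example's own.

```python
import re

# Constructed sample config: the Type 7 string is the one shown on this page,
# the Type 5 hash is a placeholder.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 $1$PLACEHOLDER$notarealhash
enable password 7 0822455D0A16
line con 0
 password 7 0822455D0A16
line aux 0
 password cisco
line vty 0 4
 password 7 0822455D0A16
"""

# "password" or "secret", an optional type digit, then the value at end of line.
CRED_RE = re.compile(r"\b(password|secret)\s+(?:(\d+)\s+)?(\S+)\s*$")

def classify(keyword, type_code):
    """Map a credential line to a storage class using the page's Type 0/7/5 notes."""
    if keyword == "secret":
        return "hashed"  # per the page, not affected by this command
    if type_code == "7":
        return "type7-reversible"
    if type_code in (None, "0"):
        return "plaintext"
    return "other"

def audit_config(text):
    """Return (encryption_enabled, findings); findings omit the credential value."""
    enabled, context, findings = False, "global", []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if stripped == "service password-encryption":
            enabled = True
        if not raw[:1].isspace():  # top-level line: entering or leaving a "line" block
            context = stripped if stripped.startswith("line ") else "global"
        match = CRED_RE.search(stripped)
        if match:
            keyword, type_code, _value = match.groups()
            findings.append((lineno, context, keyword, classify(keyword, type_code)))
    return enabled, findings

def weak_findings(text):
    """Findings a reviewer should act on: plaintext or reversible Type 7 passwords."""
    return [f for f in audit_config(text)[1] if f[3] in ("plaintext", "type7-reversible")]

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
```

Each finding is a tuple of line number, configuration context, keyword and storage class, so the report can be shared without exposing the stored strings.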
CCNA Exam Tips
Remember that 'service password-encryption' uses Type 7 encryption, which is weak and reversible; it does not protect against sophisticated attacks.
The command does not encrypt the 'enable secret' password; that uses a separate, stronger MD5 hash (Type 5).
On the CCNA exam, know that this command encrypts all passwords in the configuration file except 'enable secret'.
Be aware that encryption is applied only after the command is entered; existing passwords are encrypted immediately, and new passwords will be encrypted automatically.
Common Mistakes
Mistake 1: Assuming 'service password-encryption' provides strong security; it only prevents casual viewing, not cracking.
Mistake 2: Forgetting to issue the command before saving the configuration, resulting in plaintext passwords in startup-config.
Mistake 3: Confusing this command with 'enable secret', which uses a different, stronger encryption method.