CCNA 200-301 | Chapter 98 of 260 | Objective 5.1

Cisco IOS Password Types

Imagine storing the keys to your entire network in a glass box. That's essentially what happens when you configure passwords on Cisco IOS devices without understanding the different password types. The CCNA 200-301 exam objective 5.1 expects you to not only know how to set passwords but also to recognize the security implications of each type. This chapter will dissect Cisco IOS password types—from plaintext to secret hashes—so you can protect your network and ace the exam.

25 min read
Beginner
Updated May 31, 2026

The Castle Key Ring

Think of a medieval castle with multiple gates. The outer gate is guarded by a simple wooden lock—easy to pick, but it's only for visitors. The inner keep has a complex iron lock with a unique key. The treasury has a combination lock that only the lord knows. Now, imagine the castle steward writes down all keys and combinations on a piece of parchment and posts it on the wall. That's like storing passwords in plaintext. Worse, if the parchment is written in invisible ink that becomes visible when heated, that's like using a weak encryption that can be easily reversed. Cisco IOS password types are like different lock mechanisms. Type 0 is the wooden lock—plaintext, no security. Type 7 is like writing the key in a simple code that anyone with a decoder ring can read—it's obfuscation, not encryption. Type 5 is a stronger lock using MD5 hashing—like a combination that can't be reversed, but if the same combination is used everywhere, it's vulnerable to rainbow tables. Type 8 and Type 9 are modern, salted hashes—like a combination that changes each time based on a secret salt, making precomputed attacks useless. Finally, Type 4 was a failed experiment—like a lock that shatters if you try to pick it, but also falls apart on its own. Understanding these types helps you choose the right lock for each gate.

How It Actually Works

What Are Cisco IOS Password Types?

Cisco IOS password types refer to the format in which passwords are stored in the device configuration. When you configure a password (e.g., for console, VTY, enable, or user authentication), the IOS stores it in NVRAM as part of the startup configuration. The type determines how the password is represented: plaintext, weakly encrypted, or strongly hashed. The CCNA exam tests your ability to identify these types, their security implications, and the correct commands to configure them.

Why Password Types Matter

If an attacker gains access to a Cisco device's configuration file (e.g., via SNMP, TFTP, or a backup), they can immediately see plaintext passwords. Type 7 passwords can be decrypted with freely available tools. Type 5 hashes can be cracked with rainbow tables if the password is weak. Type 8 and Type 9 provide strong protection against offline attacks. The exam expects you to know which types are secure and which are not.

The Password Types at a Glance

Type 0: Plaintext. The password is stored exactly as entered. Anyone who can view the configuration can read it. Used for simple passwords like line passwords. Example: `password cisco`.

Type 7: Weakly encrypted using a Vigenère cipher with a fixed key. It is reversible—tools like ios7decrypt can recover the original password instantly. Example: `password 7 0822455D0A16`.

Type 4: SHA-256 hash without salt. Introduced in some IOS versions but deprecated due to vulnerabilities. Not recommended.

Type 5: MD5 hash with a salt (the salt is embedded in the hash string rather than stored as a separate field). More secure than Type 7 but vulnerable to brute-force if the password is weak. Example: `enable secret 5 $1$abc$....`

Type 8: PBKDF2 with SHA-256. Uses a salt and many iterations. Strong and recommended for new deployments.

Type 9: Scrypt. Similar to Type 8 but uses a memory-hard function, making it even more resistant to GPU-based attacks. The strongest option.

How Passwords Are Stored and Verified

When you configure a password, the IOS stores it in the running configuration. For Type 0 and Type 7, the original password can be recovered. For Type 5, 8, and 9, only the hash is stored. When a user authenticates, the IOS takes the entered password, hashes it (using the same algorithm and salt), and compares it to the stored hash. If they match, access is granted.
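To make the hash-and-compare step concrete, here is an added, simplified model (not Cisco's code or its on-device string format) of what the device does at login, contrasting an unsalted Type 4 style digest with a salted, iterated Type 8 style one. The `$4$`/`$8$` prefixes, hex encoding and 18-hex-character salt are constructed for the demo; the KDF itself, PBKDF2-HMAC-SHA256 with 20,000 rounds, is what Type 8 uses.

```python
import hashlib
import hmac
import os

# Constructed, simplified model of how IOS stores and checks a secret. It is not
# Cisco's on-device format (real Type 8/9 strings use a Cisco-specific base64
# alphabet and a 14-character salt); the KDF itself, PBKDF2-HMAC-SHA256 with
# 20,000 rounds, is what Type 8 uses.
PBKDF2_ROUNDS = 20_000


def type4_style(password):
    """Unsalted, single-round SHA-256: the flaw that got Type 4 deprecated.
    The same password yields the same string on every device."""
    return "$4$" + hashlib.sha256(password.encode()).hexdigest()


def type8_style(password, salt=""):
    """Salted, iterated hash. The salt lives inside the stored string, so the
    device has everything it needs to re-derive the digest at login."""
    salt = salt or os.urandom(9).hex()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                             PBKDF2_ROUNDS)
    return f"$8${salt}${dk.hex()}"


def verify(password, stored):
    """What the device does when you type 'enable': recompute with the stored
    salt and algorithm, then compare. Constant-time compare so timing does not
    reveal how many leading characters matched."""
    tag, *fields = stored.strip("$").split("$")
    if tag == "4":
        candidate = type4_style(password)
    elif tag == "8":
        candidate = type8_style(password, salt=fields[0])
    else:
        raise ValueError(f"unsupported hash type {tag!r}")
    return hmac.compare_digest(candidate, stored)


def same_hash_on_two_devices(password, kind):
    """Configure the same secret on two devices. True means a table precomputed
    for one device cracks both, which is the Type 4 / unsalted problem."""
    make = type4_style if kind == "4" else type8_style
    return make(password) == make(password)
```

Running `same_hash_on_two_devices("cisco", "4")` returns True while the "8" variant returns False, which is exactly why Type 4 was withdrawn and why the chapter's castle analogy says the salted combination "changes each time".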

Configuration Commands

To set an enable password (legacy, Type 0):

R1(config)# enable password cisco

To set an enable secret (Type 5 by default on older IOS, Type 8/9 on newer):

R1(config)# enable secret MySecretPassword

To set a line password (Type 0 or 7):

R1(config-line)# password cisco
R1(config-line)# password 7 0822455D0A16

To configure the type for enable secret explicitly:

R1(config)# enable algorithm-type scrypt secret MySecretPassword
R1(config)# enable algorithm-type sha256 secret MySecretPassword

Verification Commands

To view the password type in the configuration:

R1# show running-config | include password

Example output:

enable secret 9 $9$abc123def456...
line vty 0 4
 password 7 0822455D0A16

To see the enable password hash:

R1# show running-config | include enable

Security Best Practices

Never use Type 0 or Type 7 for any password that protects privileged access.

Use enable secret instead of enable password.

On modern IOS, use enable algorithm-type scrypt secret for the strongest protection.

For local user accounts, use username NAME algorithm-type scrypt secret PASSWORD.

Avoid using the same password on multiple devices.

Interaction with Other Features

Password types interact with AAA (Authentication, Authorization, and Accounting). When using local authentication, the password type determines how the password is stored in the local database. When using RADIUS or TACACS+, the password is sent to the server, and the local type is irrelevant. However, the enable secret is still used for fallback authentication.

Exam Focus

The CCNA exam will ask you to identify the most secure password type, recognize that Type 7 is reversible, and know that enable secret creates a Type 5 hash by default on older IOS. You may see a configuration snippet and be asked which password type is used. Also, know that Type 4 is deprecated and Type 9 is the strongest.

Walk-Through

Step 1: Identify password types in config

To determine which password types are in use, examine the running configuration. Use `show running-config | include password` or `show running-config | section line`. Look for the number after the keyword `password` or `secret`. For example, `password 7 0822455D0A16` indicates Type 7. `enable secret 5 $1$...` is Type 5. `enable secret 9 $9$...` is Type 9. If no number is present, it's Type 0 (plaintext). This step is crucial for security audits and exam scenarios where you must identify weak passwords.

Step 2: Configure enable secret with strong hash

To secure privileged EXEC access, always use `enable secret` instead of `enable password`. On modern IOS (15.x and later), you can specify the algorithm. For the strongest protection, use `enable algorithm-type scrypt secret <password>`. This creates a Type 9 hash. If you just type `enable secret <password>`, the IOS uses the default algorithm (usually Type 5 on older IOS, Type 8/9 on newer). Verify with `show running-config | include enable secret`.

Step 3: Configure local user with strong hash

For local user authentication (e.g., for SSH), use the `username` command with an algorithm. Example: `username admin algorithm-type scrypt secret AdminPass123`. This stores the password as a Type 9 hash. Without the algorithm, it defaults to Type 0 or Type 7 depending on the IOS version. Avoid that. Verify with `show running-config | include username`.

Step 4: Convert existing weak passwords

If you have a device with `enable password` or `enable secret` using a weak type, you can change it by re-entering the command with the desired algorithm. For example, to change from Type 5 to Type 9: `enable algorithm-type scrypt secret NewPassword`. The old hash is overwritten. There is no direct conversion; you must set a new password. For line passwords (e.g., VTY), you can use `password` with Type 7, but it is better to use local authentication with strong hashes.

Step 5: Verify password strength via show commands

Use `show running-config` to see the actual hash. For example, `enable secret 9 $9$abcdef...`. You can also check the security posture using `show security passwords` if available (not on all IOS). The key is to ensure no Type 0 or Type 7 passwords protect privileged access. Also, check for `enable password` (Type 0) and remove it: `no enable password`.

Step 6: Test authentication with new passwords

After changing passwords, test by logging out and re-authenticating. For enable secret, enter privileged EXEC with `enable` and supply the password. For local users, test via SSH or console. If you misconfigure the algorithm, you might lock yourself out. Always have an alternative access method (e.g., console with no password) during changes. On the exam, remember that Type 9 is not supported on very old IOS.
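Steps 1 and 5 of the walk-through are an audit you can script. The following is an added example (not from the chapter or from Cisco) that reads a running-config, classifies every credential line by its type digit using the chapter's rules, and rates each one; the sample config, hash bodies and severity labels are constructed for the demo.

```python
import re

# Constructed running-config excerpt (not from a real device; hash bodies are
# placeholders, not valid digests).
SAMPLE_CONFIG = """\
hostname R1
enable password cisco
enable secret 5 $1$EXAMPLE$EXAMPLEHASH
username admin password 7 0822455D0A16
username ops privilege 15 secret 9 $9$EXAMPLESALT$EXAMPLEHASH
line vty 0 4
 password 7 0822455D0A16
"""

# Credential-carrying commands as they appear in show running-config; the type
# digit is optional because Type 0 lines carry none.
CRED_RE = re.compile(
    r"^\s*(?P<cmd>enable password|enable secret|"
    r"username \S+(?: privilege \d+)? (?:password|secret)|password)"
    r"\s+(?:(?P<type>[045789])\s+)?(?P<value>\S+)\s*$")

SEVERITY = {"0": "high", "7": "high", "4": "high", "5": "low", "8": "ok", "9": "ok"}
ADVICE = {"0": "plaintext", "7": "reversible obfuscation", "4": "deprecated, unsalted",
          "5": "MD5; re-set with algorithm-type scrypt", "8": "PBKDF2-SHA256", "9": "scrypt"}


def classify(line):
    """Command, type digit and severity for one config line; {} if no credential."""
    m = CRED_RE.match(line)
    if not m:
        return {}
    ptype = m.group("type") or "0"
    severity = SEVERITY[ptype]
    # A line password guards one access line, not privileged EXEC, so plaintext
    # or Type 7 there rates "medium"; enable and username credentials keep "high".
    if m.group("cmd") == "password" and severity == "high":
        severity = "medium"
    return {"cmd": m.group("cmd"), "type": ptype, "severity": severity,
            "advice": ADVICE[ptype]}


def audit(config_text):
    """Every credential with its type and severity, plus one extra finding when
    enable password coexists with enable secret (the former should be removed)."""
    findings, cmds = [], set()
    for n, line in enumerate(config_text.splitlines(), 1):
        f = classify(line)
        if f:
            findings.append({"line": n, **f})
            cmds.add(f["cmd"])
    if {"enable password", "enable secret"} <= cmds:
        findings.append({"line": 0, "cmd": "enable password", "type": "-", "severity":
                         "high", "advice": "redundant; remove with 'no enable password'"})
    return findings
```

Feed it the output of `show running-config` saved from each device and any "high" finding is a Type 0/7 credential on privileged access or a leftover `enable password`, the two things Step 5 tells you to hunt for.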

What This Looks Like on the Job

In a real enterprise network, password types are a critical part of device hardening. Consider a scenario where a network engineer is deploying 100 new switches. They create a standard configuration template that includes enable secret cisco—a Type 5 hash. However, the security policy requires Type 9. If they forget to specify the algorithm, the devices will use the default, which might be Type 5 on older IOS. An auditor later discovers this and flags it as a finding. The engineer must then change the password on every device, which is time-consuming. Best practice is to use a configuration management tool that enforces the algorithm.

Another scenario: An attacker gains access to a backup of the startup configuration via an unsecured TFTP server. The config contains enable password 7 0822455D0A16. Using a free online tool, the attacker decrypts it in seconds to 'cisco'. They now have full control. This is why Type 7 should never be used for enable passwords.

A third scenario: A company uses RADIUS for AAA, but the enable secret is still used for local fallback if the RADIUS server is unreachable. The engineer sets enable algorithm-type scrypt secret VeryStrongPassword. This ensures that even if the config is stolen, the password cannot be easily cracked. The engineer also uses service password-encryption to encrypt Type 0 passwords (converting them to Type 7), but they know this is not a real security measure—it only protects against casual observers. In production, they rely on Type 8 or 9 for all secrets.

Scale and performance: Hashing algorithms like scrypt are computationally intensive. On low-end routers, repeated authentication (e.g., many SSH sessions) might cause CPU spikes. However, for normal operations, the impact is negligible.

Misconfiguration: If you set enable secret without specifying the algorithm on a device that defaults to Type 5, and later the device is upgraded to a newer IOS that defaults to Type 8, the existing Type 5 hash remains unchanged. You must explicitly change it.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam objective 5.1 (Configure and verify device access control) includes password types as a subtopic. Expect questions that test your ability to identify the most secure password type, recognize the weakness of Type 7, and know the correct commands.

Common wrong answers:

1. 'Type 7 is encrypted and secure.' Wrong—Type 7 is reversible. Candidates often confuse 'encrypted' with 'hashed'. Type 7 is obfuscated, not encrypted in a secure sense.
2. 'enable password is more secure than enable secret.' Wrong—enable password is Type 0 (plaintext) by default. enable secret uses a hash.
3. 'Type 4 is the strongest.' Wrong—Type 4 is deprecated and considered weak. Type 9 is strongest.
4. 'service password-encryption encrypts enable secret.' Wrong—it only affects Type 0 passwords, converting them to Type 7. It does not change the hash type of enable secret.

Specific values:

- Type 0: plaintext
- Type 7: weak encryption (Vigenère)
- Type 5: MD5 hash (salted)
- Type 8: PBKDF2 with SHA-256
- Type 9: scrypt

Commands to know:

- `enable secret <password>` (default Type 5 on older IOS)
- `enable algorithm-type scrypt secret <password>` (Type 9)
- `enable algorithm-type sha256 secret <password>` (Type 8)
- `service password-encryption` (converts Type 0 to Type 7)

Elimination strategy: If a question asks which password type is most secure, eliminate Type 0 and Type 7 first. Then, between Type 5, 8, and 9, know that Type 9 is strongest. If the question mentions 'reversible', it's Type 7. If it mentions 'plaintext', it's Type 0. If it mentions 'MD5', it's Type 5.

Scenario: A network admin sees enable secret 7 12345678 in the config. What is wrong? Answer: Type 7 is not used for enable secret; enable secret uses Type 5/8/9. The admin likely used service password-encryption after enable password, which converted it to Type 7, but they should have used enable secret.

Key Takeaways

Type 0 stores passwords in plaintext; never use it for privileged access.

Type 7 uses a reversible Vigenère cipher; it is not secure.

Type 5 is an MD5 hash with salt; better but vulnerable to brute-force.

Type 8 uses PBKDF2 with SHA-256; Type 9 uses scrypt (strongest).

Use `enable algorithm-type scrypt secret <password>` for Type 9.

`service password-encryption` only affects Type 0 passwords, converting them to Type 7.

Always use `enable secret` instead of `enable password`.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Type 5 (MD5)

Uses MD5 hash with salt

Faster to compute

Vulnerable to GPU brute-force

Default on older IOS

Less secure

Type 9 (scrypt)

Uses scrypt memory-hard function

Slower, more CPU/memory intensive

Resistant to GPU attacks

Requires newer IOS (15.x+)

Most secure

Watch Out for These

Mistake

Type 7 passwords are encrypted and secure.

Correct

Type 7 uses a weak, reversible cipher. Free tools can decrypt them instantly.

Candidates see the garbled text and assume it's encrypted like modern algorithms.

Mistake

`enable password` is the same as `enable secret`.

Correct

`enable password` stores the password in plaintext (Type 0); `enable secret` stores a hash (Type 5/8/9).

Both commands set the enable password, but they use different storage methods.

Mistake

`service password-encryption` secures all passwords.

Correct

It only converts Type 0 to Type 7; it does not affect Type 5/8/9 hashes.

The name 'encryption' suggests strong security, but it's just obfuscation.

Mistake

Type 4 is the strongest password type.

Correct

Type 4 (SHA-256 without salt) is deprecated and considered weak; Type 9 is strongest.

Type 4 was introduced as an improvement but was found to have vulnerabilities.


Frequently Asked Questions

What is the difference between enable password and enable secret?

`enable password` stores the password in plaintext (Type 0) unless `service password-encryption` is applied, which converts it to Type 7 (weak). `enable secret` stores a hashed version (Type 5, 8, or 9). Always use `enable secret` for security. On the exam, remember that `enable secret` overrides `enable password` if both are configured.

Can Type 7 passwords be decrypted?

Yes, easily. Type 7 uses a simple Vigenère cipher with a fixed key. Many online tools and scripts can decrypt Type 7 passwords instantly. Therefore, Type 7 should never be used for any password that protects access to the device.

What is the strongest password type on Cisco IOS?

Type 9 (scrypt) is the strongest as of modern IOS versions. It uses a memory-hard function that makes brute-force attacks impractical. Type 8 (PBKDF2 with SHA-256) is also strong. On the exam, if asked for the most secure, choose Type 9.

Does 'service password-encryption' encrypt enable secret hashes?

No. It only affects passwords stored as Type 0 (plaintext), converting them to Type 7. Enable secret hashes (Type 5, 8, 9) are already hashed and are not modified by this command.

How do I configure a local user with a secure password hash?

Use the `username` command with an algorithm. Example: `username admin algorithm-type scrypt secret StrongPassword`. This stores the password as a Type 9 hash. Without the algorithm, it may default to Type 0 or Type 7, which are insecure.

What is Type 4 and why is it deprecated?

Type 4 uses SHA-256 without a salt. It was introduced as an improvement over Type 5 but was found to be vulnerable to precomputation attacks because the same password always produces the same hash. Cisco deprecated it in favor of Type 8 and Type 9.

Can I convert an existing Type 5 enable secret to Type 9 without changing the password?

No. You must set a new password. The hash is one-way; you cannot rehash the same password to a different algorithm without knowing the original plaintext. You can configure the same password again with the new algorithm, but you have to re-enter it in plaintext for the device to hash it.
