CCNA 200-301 | Chapter 220 of 260 | Objective 4.7

Service Password Encryption

When you configure passwords on a Cisco router or switch, those passwords are stored in plaintext by default in the running configuration. Anyone who can read the configuration (via show running-config, a backup file, or a copy pulled by a management tool) can read the passwords. The service password-encryption command applies a weak, reversible obfuscation (Type 7) that hides passwords from casual viewing and nothing more. For the CCNA 200-301 exam (Objective 4.7), you must know what the command does, its limitations, and how it differs from one-way password hashes such as Type 5 (MD5) and Type 9 (scrypt). The topic matters in practice because leaked configuration backups containing plaintext or Type 7 passwords are a common route to device compromise.

25 min read
Beginner
Updated May 31, 2026

The Restaurant Kitchen Whiteboard Analogy

Imagine you are the head chef in a busy restaurant. You keep a whiteboard in the kitchen with the secret recipes for each dish, and the recipes include the passwords to the supplier ordering system. By default you write the passwords in plain English (plaintext), so any line cook, dishwasher or delivery driver who walks past can read them. To protect them, you decide to 'encrypt' the passwords with a simple substitution cipher: replace each letter with the next letter in the alphabet ('A' becomes 'B', 'B' becomes 'C'). Easy to do, easy to reverse. That is what Cisco's 'service password-encryption' does: it applies a Vigenère-style XOR cipher (Type 7) with a fixed key that everyone knows, so anyone with the algorithm, which is public, reverses it in seconds with a free tool. It only prevents casual shoulder-surfing, not a determined reader. For real protection you would use a one-way hash (MD5 or, better, scrypt), which is like burning the recipe after memorizing it: nobody, including you, can get the original text back from the ashes; they can only check whether a guess matches. The 'enable secret' command works that way. The lesson of the analogy is that 'service password-encryption' is low-effort obfuscation, not security, and that stronger methods exist for serious protection.

How It Actually Works

What is Service Password Encryption?

Cisco IOS stores passwords in the running configuration in plaintext by default. This includes line passwords (console, vty, aux), the enable password, and username passwords configured with the password keyword. The service password-encryption global configuration command makes IOS store all current and future password-keyword values in a weak, reversible form known as Type 7. The conversion happens in the running configuration as soon as the command is entered; saving the configuration simply copies the Type 7 strings into startup-config.

Why Does It Exist?

Historically, the purpose was to stop casual viewing: someone looking over your shoulder or glancing at a printed configuration. It was never meant to resist an attacker who has a copy of the file. Cisco's current guidance is to avoid password-keyword commands wherever a secret form exists, and to use one-way hashes for those: Type 9 (scrypt) or Type 8 (PBKDF2-SHA-256) where the IOS version supports them, with Type 5 (MD5) only as a fallback on older code. Many legacy devices still rely on Type 7 for line passwords and routing-protocol keys, which is why the CCNA exam expects you to know that Type 7 is trivially reversible and should not be relied on in security-sensitive environments.

How Type 7 Encryption Works

Type 7 is a Vigenère-style XOR cipher, not real encryption. IOS carries a fixed key string, dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87, hard-coded in the operating system and public for decades. To store a password, IOS picks a small starting offset into that key (0 to 15), XORs each plaintext byte with the key byte at offset + position, and writes each result as two hexadecimal digits. The stored string begins with the offset as two decimal digits, so "cisco" with offset 7 becomes 070C285F4D06: the 07 is the offset, and 0C is 'c' XOR 'o', the key's eighth character. Because the key is public and XOR is its own inverse, decoding is the same operation run again, and anyone holding the string recovers the password instantly. Free tools do this, and so does an old trick on the router itself: on many IOS versions, entering the string into a key chain as key-string 7 <value> and then running show key chain displays it in plaintext.
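The transform described above, as an added example in Python (this is not Cisco's code and not part of the course material): both directions of Type 7, using the fixed key string. The three sample strings are the ones shown in this chapter's output; the function names and the offset check are this example's own.

```python
"""Cisco IOS Type 7 password obfuscation, implemented to show why it is reversible.

Added example: not Cisco's code. The key string is the public one that IOS uses;
the function names, offset validation and sample values are this example's own.
"""

# Fixed key that IOS XORs against every Type 7 password. It is hard-coded in the
# operating system and has been public for decades, which is why Type 7 is not
# a security control.
XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plaintext: str, offset: int = 7) -> str:
    """Return the Type 7 string for plaintext, starting at key index offset.

    IOS picks the offset at random from 0 to 15; the two decimal digits in
    front of the hex body are that offset, not a salt in any useful sense.
    """
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses a two-digit starting offset between 00 and 15")
    data = plaintext.encode("ascii")
    out = [f"{offset:02d}"]
    for i, byte in enumerate(data):
        key_byte = XLAT_KEY[(offset + i) % len(XLAT_KEY)]
        out.append(f"{byte ^ key_byte:02X}")  # one plaintext byte -> two hex digits
    return "".join(out)


def type7_decode(encoded: str) -> str:
    """Reverse a Type 7 string: XOR with the same key bytes gives the plaintext."""
    if len(encoded) < 4 or len(encoded) % 2 != 0 or not encoded[:2].isdigit():
        raise ValueError("not a Type 7 string: need 2 offset digits plus hex byte pairs")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])  # raises ValueError on non-hex input
    plain = bytes(
        byte ^ XLAT_KEY[(offset + i) % len(XLAT_KEY)] for i, byte in enumerate(body)
    )
    return plain.decode("ascii")


if __name__ == "__main__":
    # The strings this chapter shows in its show running-config output.
    for sample in ("070C285F4D06", "0822455D0A16", "121A0C041104"):
        print(sample, "->", type7_decode(sample))
    print("cisco at offset 7 ->", type7_encode("cisco", 7))
```

Run it and all three strings from this chapter come back as cisco, which is the whole argument against Type 7 in one screen: there is no key to recover, only a lookup that everyone already has.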

IOS CLI Configuration

To enable service password encryption, enter global configuration mode and issue the command:

Router(config)# service password-encryption

The command acts immediately: every plaintext password already in the running configuration is rewritten in Type 7 form, which you see the next time you run show running-config, and any password-keyword value you configure afterwards is stored the same way. Note that no service password-encryption does not reverse the process; passwords already in Type 7 form stay that way until you reconfigure them. Saving the configuration changes only whether startup-config holds the Type 7 strings or the old plaintext.

Router(config)# service password-encryption
Router(config)# exit
Router# show running-config | include password
enable password 7 0822455D0A16
line vty 0 4
password 7 121A0C041104

Notice the 7 in the output; it marks Type 7. A 5 marks an MD5 hash (the older enable secret default), a 9 marks scrypt (enable secret on recent IOS releases), and a 0 means the value is stored as plaintext.

Verification Commands

show running-config | include password – displays all password lines with their encrypted form.

show running-config | section line – shows the line configuration block, including encrypted passwords.

more nvram:startup-config – shows the startup configuration; passwords will be encrypted if service password-encryption was enabled before saving.

Interaction with Other Features

Enable Password vs. Enable Secret: The enable password command stores its value in Type 7 form when service password-encryption is enabled and in plaintext otherwise. The enable secret command stores a one-way hash (Type 5 MD5 on older IOS, Type 9 scrypt by default on recent IOS XE, or whatever enable algorithm-type specifies), so service password-encryption has no effect on it. Cisco recommends enable secret; if both are configured, IOS uses the secret and ignores the enable password, so the latter should simply be removed.

Username Passwords: username <name> password <password> is stored in Type 7 form when the service is enabled. For a one-way hash use username <name> secret <password>, which yields Type 5 or Type 9 depending on the IOS version, or username <name> algorithm-type scrypt secret <password> to force scrypt. IOS does not keep both forms for one user: if a password form already exists, remove the username and re-create it with secret.

SNMP Community Strings and other keys: SNMP community strings are not covered; snmp-server community values stay in plaintext in the configuration regardless of this command. What the command does cover, besides line, enable and username passwords, is other password-keyword values such as routing-protocol authentication keys (neighbor ... password, key-string, ip ospf authentication-key), PPP CHAP/PAP passwords and tacacs-server/radius-server keys, all of which appear as Type 7 once it is enabled.

Limitations and Security Implications

Type 7 is reversible. Anyone with a copy of the configuration file recovers the passwords with a free tool in seconds.

It does not protect against anyone who already has privileged EXEC access; show running-config and more nvram:startup-config show the Type 7 strings, and the same operator can decode them.

It does not encrypt anything in transit. A password typed over Telnet crosses the network in cleartext whether or not this command is enabled; use SSH for management sessions.

It only covers values stored with the password keyword. snmp-server community strings stay in plaintext, and enable secret / username secret are unaffected because they are already hashed.

Default Behavior

By default, service password-encryption is disabled. All passwords are stored in plaintext. When you enable it, the router applies encryption. You can verify the status with:

Router# show running-config | include service password-encryption
service password-encryption

If the line is missing, it is disabled.

Exam Tip

The CCNA exam will test your understanding that Type 7 is weak and reversible, and that enable secret (Type 5) is preferred. You may be asked to identify the encryption type from a configuration snippet (look for the number after 'password' or 'secret': 0 = plaintext, 7 = Type 7, 5 = MD5, 9 = SCRYPT).

Walk-Through

1. Enable service password-encryption

Enter global configuration mode with `configure terminal` and issue `service password-encryption`. IOS immediately rewrites every plaintext password-keyword value in the running configuration in Type 7 form and stores future ones the same way. Check with `show running-config`: passwords that used to be readable now appear as `password 7 <hex>`. Turning the command off later does not undo this.

2. Configure a line password

Configure a password on the console line: `line console 0`, then `password cisco`, then `login`. With the service enabled, the running configuration shows something like `password 7 0822455D0A16`; the 7 marks Type 7. (Had you configured the line before enabling the service, the same conversion would have happened the moment you entered `service password-encryption`.) Verify with `show running-config | section line con`. Startup-config keeps whatever was there at the last save, so save again if you want the Type 7 form in NVRAM as well.

3. Configure enable password

`enable password cisco` in global configuration mode is stored as Type 7 once the service is enabled. Cisco strongly recommends `enable secret` instead, which stores a one-way hash: Type 5 MD5 on older IOS, Type 9 scrypt on recent releases or with `enable algorithm-type scrypt secret cisco`. `enable secret` is not affected by `service password-encryption` because it is already hashed. If both are configured, IOS uses the enable secret and ignores the enable password, so remove the latter with `no enable password`.

4. Configure username with password

For local authentication, `username admin password cisco` becomes Type 7 when the service is enabled. For a hash use `username admin secret cisco` (Type 5 or Type 9 depending on the IOS version, or `username admin algorithm-type scrypt secret cisco` to force Type 9). Verify with `show running-config | include username`; the output shows either `password 7 ...` or `secret 5 ...` / `secret 9 ...` depending on which form you used.

5. Verify encryption type

`show running-config | include password|secret` lists every stored credential. Read the number right after the keyword: 0 = plaintext, 7 = Type 7, 5 = MD5, 8 = PBKDF2-SHA-256, 9 = scrypt. For example, `enable secret 5 $1$...` is MD5 (the `$1$` prefix is the MD5-crypt format). Confirm the service is on with `show running-config | include service password`; if the line is missing, it is off.

6. Test the encryption strength

Copy a Type 7 string from the running configuration into any Type 7 decoder (the key is public, so a decoder is a dozen lines of code) and you get the original password back. That is the point to carry into the exam: Type 7 must never be relied on for security-critical passwords. Use `enable secret` and `username secret` instead.
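The six steps above leave a configuration that is still recoverable from any backup. The following is an added example, not from this course or from Cisco documentation: the weak result of the walk-through next to a hardened version. It assumes an IOS release that supports algorithm-type scrypt (15.3(3)M or later); the usernames and passwords are placeholders.

```cisco
! --- Weak: what the walk-through produces ---------------------------------
! Every value below is recoverable offline: the Type 7 strings decode with a
! public key, and a Type 5 enable secret (older IOS default) is fast MD5.
service password-encryption
enable password cisco
username admin password cisco
line console 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input telnet
!
! --- Hardened: same access, one-way hashes, SSH only ----------------------
! Assumes algorithm-type scrypt is available (IOS 15.3(3)M+ / IOS XE).
! Placeholder credentials; set real ones from a password manager.
service password-encryption
no enable password
enable algorithm-type scrypt secret Pl4ceh0lder-Enable!
username admin privilege 15 algorithm-type scrypt secret Pl4ceh0lder-Admin!
line console 0
 login local
line vty 0 4
 login local
 transport input ssh
!
! Verification: nothing should show a 0 or a 7 except values that have no
! secret form at all (for example routing-protocol keys).
! Router# show running-config | include secret|password
```

Keep service password-encryption on even in the hardened version: it still covers values that exist only in password form, such as routing-protocol keys and AAA server keys, and it costs nothing. If a user was created with the password form first, remove it (no username admin) before re-adding it with secret, because IOS will not keep both forms for one user. The enable password and enable secret can coexist, but the secret wins, so the plaintext/Type 7 one is pure liability and should go.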

What This Looks Like on the Job

In enterprise networks, engineers often enable service password-encryption as a basic compliance measure so that configuration backups and screenshots contain no readable passwords. A typical policy says that no device configuration may contain a plaintext password, and a single global command on every router and switch satisfies the letter of it. A later security audit then points out that every password 7 line decodes in seconds, and the engineer migrates to enable secret and username secret, ideally with scrypt (Type 9).

The problem is sharpest in network automation. Scripts that pull configurations into a central repository, ticketing system or chat channel copy every Type 7 string along with them, and Type 7 gives a false sense of security to whoever reviews that repository. The better design is AAA (RADIUS or TACACS+) for user authentication, so that device-local credentials are few, reserved for console and emergency access, and stored in secret form. Line passwords and routing-protocol keys still end up as Type 7 on many devices, so treat a configuration repository as a credential store and restrict access to it accordingly.

Two configuration mistakes keep appearing: leaving the service disabled, so that leaked backups carry plaintext; and configuring enable password instead of enable secret, which stays recoverable even with the service on. Across thousands of devices the global command is a quick win with no measurable performance cost, but it must be paired with one-way hashes for the credentials that matter. The key takeaway: use service password-encryption as the minimum, and always pair it with enable secret and username secret in production networks.
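The automation scenario above, backups copied into a repository, is where a scanner earns its keep. The following is an added example in Python, not a Cisco tool and not part of the course material: it reads a saved configuration, classifies every credential line by the type digit IOS writes after the password/secret keyword, and separately flags snmp-server community strings, which the service never touches. The sample configuration, function names and severity labels are this example's own; the Type 7 values are the ones shown elsewhere in this chapter, and the Type 5/Type 9 values are placeholders, not real hashes.

```python
"""Scan an IOS configuration backup for weak password storage.

Added example, not a Cisco tool. It classifies credential lines by the type
digit that IOS writes after the password/secret keyword. The config below is
constructed for the example; the Type 5 and Type 9 values are placeholders.
"""
import re

# Constructed running-config. The Type 7 strings decode to "cisco"; the
# Type 5 and Type 9 values are placeholder strings, not real device output.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$placeholder$md5hashplaceholder
enable password 7 0822455D0A16
username admin privilege 15 secret 9 $9$placeholder$scrypthashplaceholder
username backup password 7 121A0C041104
username legacy password 0 cisco123
snmp-server community public RO
line con 0
 password letmein
 login
line vty 0 4
 password 7 0822455D0A16
 login local
"""

# What each storage type means to an attacker who obtains the backup.
RATING = {
    None: ("plaintext (no type digit)", "CRITICAL"),
    "0": ("plaintext", "CRITICAL"),
    "7": ("Type 7, reversible XOR with a public key", "HIGH"),
    "5": ("Type 5, MD5-crypt, one-way but fast to brute-force", "MEDIUM"),
    "8": ("Type 8, PBKDF2-SHA-256", "OK"),
    "9": ("Type 9, scrypt", "OK"),
}

# enable/username/line credentials: keyword, optional type digit, then value.
# Username lines with extra options (e.g. algorithm-type) are out of scope here.
CRED_RE = re.compile(
    r"^\s*(?P<keyword>enable password|enable secret|"
    r"username \S+(?: privilege \d+)? (?:password|secret)|password)"
    r"\s+(?:(?P<type>[0-9])\s+)?(?P<value>\S+)\s*$"
)
SNMP_RE = re.compile(r"^\s*snmp-server community\s+(?P<value>\S+)")


def audit_config(config_text: str) -> list[dict]:
    """Return one finding per credential line, tagged with its enclosing section."""
    findings = []
    section = "global"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        if raw and not raw[0].isspace():
            # An unindented line opens a new section (line vty 0 4, interface ...)
            # or is a global command.
            section = raw.strip() if raw.startswith(("line ", "interface ")) else "global"
        m = CRED_RE.match(raw)
        if m:
            storage, severity = RATING.get(m.group("type"), ("unknown type", "REVIEW"))
            findings.append({"line": line_no, "section": section,
                             "keyword": m.group("keyword"), "type": m.group("type"),
                             "storage": storage, "severity": severity})
            continue
        if SNMP_RE.match(raw):
            # service password-encryption never touches community strings.
            findings.append({"line": line_no, "section": section,
                             "keyword": "snmp-server community", "type": None,
                             "storage": "plaintext (not covered by service password-encryption)",
                             "severity": "CRITICAL"})
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per severity so a backup job can fail on CRITICAL or HIGH."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        print(f"line {f['line']:>3} [{f['severity']:<8}] {f['section']:<12} "
              f"{f['keyword']}: {f['storage']}")
    print(summarize(results))
```

Wire this into the job that stores backups and fail it on any CRITICAL finding; HIGH findings (Type 7) are acceptable only for values that have no secret form. The classifier deliberately does not decode Type 7: the scanner should never need to hold the plaintext to decide that the storage form is wrong.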

How CCNA 200-301 Actually Tests This

On the CCNA 200-301 exam (Objective 4.7), you will be tested on the following aspects of service password encryption:

1. What the command does: it stores passwords in the configuration in Type 7 form, a reversible XOR (Vigenère-style) cipher. It does not encrypt passwords in transit and does not provide strong security.

2. Type 7 versus Type 5/9: Type 7 is reversible; Type 5 (MD5) and Type 9 (scrypt) are one-way hashes. Expect configuration snippets containing 7, 5, 9 or 0 and a question about the encryption type or security level.

3. enable password versus enable secret: enable secret stores a hash (Type 5 or Type 9) and is preferred. enable password is Type 7 if service password-encryption is enabled and plaintext otherwise.

4. Common wrong answers:
- "service password-encryption provides strong security": false; Type 7 is weak.
- "It encrypts all passwords including enable secret": false; enable secret is already hashed.
- "It encrypts passwords in transit": false; it only affects the configuration file.
- "It is enabled by default": false; it is disabled by default.

5. Exam traps:
- password 7 0822455D0A16 decodes to cisco; it is the standard example in practice questions.
- If asked for the most secure way to protect privileged EXEC, the answer is enable secret, not enable password with service password-encryption.
- A scenario may describe an engineer who still sees plaintext passwords after enabling the service. Look at where they are looking: the running configuration converts immediately, but startup-config (or an older backup) keeps plaintext until the configuration is saved again.

6. Decision rule: for any question about password security on Cisco devices, choose the secret form (enable secret or username secret) over the password form. If the question is specifically about obscuring passwords in the configuration file, service password-encryption is the relevant command.

Key Takeaways

`service password-encryption` uses Type 7, a Vigenère-style XOR cipher with a fixed public key, which is reversible and weak.

Type 7 passwords are identified by a '7' after the password keyword in the running config.

`enable secret` uses Type 5 (MD5) or Type 9 (SCRYPT) and is not affected by `service password-encryption`.

By default, `service password-encryption` is disabled; passwords are stored in plaintext.

Enabling `service password-encryption` converts existing plaintext passwords immediately; disabling it later does not convert Type 7 passwords back.

The command only encrypts passwords in the configuration file, not in transit or in memory.

For CCNA, remember that Type 7 is easily decrypted and should not be relied upon for security.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Type 7 (service password-encryption)

Reversible XOR (Vigenère-style) cipher with a public key

Weak security; decrypted in seconds

Used with `password` keyword

Affected by `service password-encryption` command

Identified by '7' in config

Type 5/9 (enable secret / username secret)

One-way hash (MD5-crypt for Type 5, scrypt for Type 9)

Cannot be reversed; scrypt (Type 9) also resists offline guessing, while MD5 (Type 5) is fast enough to brute-force and should be migrated

Used with `secret` keyword

Not affected by `service password-encryption`

Identified by '5' (MD5) or '9' (SCRYPT) in config

Watch Out for These

Mistake

Service password-encryption provides strong encryption that cannot be reversed.

Correct

Type 7 encryption is a weak, reversible cipher. Free tools can decrypt it instantly.

Many candidates assume 'encryption' means strong, but Cisco's Type 7 is designed only for casual obfuscation.

Mistake

Enabling service password-encryption encrypts all passwords, including enable secret.

Correct

`enable secret` uses a one-way hash (Type 5/9) and is not affected by `service password-encryption`. The command only affects passwords stored with the `password` keyword.

Candidates often think encryption applies universally, but `secret` commands use separate, stronger algorithms.

Mistake

Service password-encryption encrypts passwords during Telnet or SSH sessions.

Correct

The command only encrypts passwords in the configuration file. For transit encryption, use SSH or IPsec.

The word 'encryption' leads to confusion between data-at-rest and data-in-transit.

Mistake

Service password-encryption is enabled by default on Cisco devices.

Correct

It is disabled by default. The running config shows no `service password-encryption` line unless someone configured it.

Many assume security features are on by default; this one must be turned on explicitly, and even then it is only obfuscation.


Frequently Asked Questions

Does `service password-encryption` encrypt passwords in transit?

No. The command only encrypts passwords stored in the configuration file (running or startup). It does not affect the transmission of passwords during Telnet, SSH, or other protocols. For transit encryption, use SSH or IPsec.

What is the difference between Type 7 and Type 5 encryption?

Type 7 is a reversible cipher (XOR with a fixed public key, Vigenère-style) used by `service password-encryption`; it can be decoded instantly. Type 5 is an MD5-crypt hash used by `enable secret` and `username secret` on older IOS. It is one-way, but MD5 is fast, so a leaked Type 5 hash can be brute-forced offline; Type 9 (scrypt) is the hash to prefer where the IOS version supports it.

How do I decrypt a Type 7 password?

Any Type 7 decoder works: copy the string (e.g., `0822455D0A16`) into the tool and it returns the plaintext (`cisco` in this case). On many IOS versions the router itself will do it: configure a key chain with `key-string 7 0822455D0A16`, and `show key chain` displays the key in plaintext. This is exactly why Type 7 is not a security control.

Will `service password-encryption` encrypt an existing password that was configured before I enabled it?

Yes, immediately. As soon as you enter the command, every plaintext password-keyword value in the running configuration is converted to Type 7; you can see it with `show running-config`. What does not change until you save is startup-config, which still holds the plaintext version from the last copy running-config startup-config. Disabling the service later does not convert anything back.

Should I use `enable password` or `enable secret`?

Always use `enable secret` for security. It uses a one-way hash (MD5 or SCRYPT). `enable password` uses Type 7 (if service password-encryption is enabled) or plaintext, both of which are insecure. On the exam, choose `enable secret` whenever possible.

What does the number '7' mean in the configuration output `password 7 0822455D0A16`?

The '7' indicates that the password is stored in Type 7 form. Other numbers: '0' means plaintext, '5' means an MD5 hash, '8' means PBKDF2-SHA-256, and '9' means scrypt. This is a common exam question.

Is `service password-encryption` enabled by default?

No, it is disabled by default and must be configured explicitly. Candidates assume it is on because it is a common hardening step, but on a fresh device every password-keyword value is stored exactly as typed.

