Passwords Visible in show running-config in Clear Text
Presenting Symptom
When viewing the running configuration, passwords for line console, line vty, and enable secret appear in clear text instead of being encrypted.
Network Context
A small branch office network with a single Cisco ISR 4321 router running IOS XE 16.9. The router is configured for remote SSH access and local authentication. The network engineer notices that 'show running-config' displays passwords like 'cisco123' in plain text, which is a security violation.
Diagnostic Steps
Check running configuration for password visibility
show running-config | include password
line con 0
 password cisco123
line vty 0 4
 password cisco123
enable password cisco123
enable secret 5 $1$abcdef$xxxxx
If passwords appear in clear text (e.g., 'password cisco123'), encryption is not applied. The 'enable secret' line shows a hash (type 5) but other passwords are clear. Normal output should show type 7 encryption (e.g., 'password 7 0822455D0A16') or type 5 for enable secret.
Verify if service password-encryption is enabled
show running-config | include service password-encryption
no service password-encryption
If the output shows 'no service password-encryption', the global encryption service is disabled. This is the root cause. If it shows 'service password-encryption', then passwords should be encrypted (type 7) but may still be weak.
Check enable secret configuration
show running-config | include enable
enable password cisco123
enable secret 5 $1$abcdef$xxxxx
The 'enable password' command sets a clear-text password, while 'enable secret' uses MD5 hash (type 5). If both are present, the 'enable secret' takes precedence. However, the clear-text 'enable password' is still visible and should be removed.
Verify line configuration for encryption
show running-config | section line
line con 0
 password cisco123
line vty 0 4
 password cisco123
 transport input ssh
Line passwords are in clear text. After enabling encryption, they should appear as 'password 7 <encrypted>'. Also check if 'login local' is used instead of 'password' for better security.
Root Cause
The global configuration command 'service password-encryption' is not enabled, so all passwords (except 'enable secret', which is already stored as an MD5 hash) are stored and displayed in clear text. Additionally, the 'enable password' command is used alongside 'enable secret', leaving a clear-text enable password visible in the configuration.
Resolution
Verification
Run 'show running-config | include password' and 'show running-config | include enable'. Expected output: 'service password-encryption' present, line passwords show as 'password 7 <encrypted>', enable secret shows as 'enable secret 5 <hash>', and no 'enable password' line.
Prevention
1. Always enable 'service password-encryption' as a standard global configuration on all devices.
2. Use 'enable secret' instead of 'enable password' for privileged access.
3. Implement AAA with local database or RADIUS/TACACS+ to avoid storing passwords in device configuration.
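The diagnostic steps, the verification check and the prevention items above can be turned into one repeatable audit. The Python script below is an added example for this scenario, not part of the original page or of any Cisco tooling: it parses running-config text, flags clear-text passwords, a leftover 'enable password', reversible type 7 strings and a missing 'service password-encryption', and reports lines that still use 'login' instead of 'login local'. Both configurations it runs against are constructed samples: the hash values and type 7 strings are placeholders, the username 'admin' in the hardened sample is assumed, and the high/medium/low severity scheme is the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample of the BEFORE state described in the scenario (not a real
# device's configuration). The enable secret hash is the page's placeholder.
WEAK_CONFIG = """\
no service password-encryption
!
hostname BRANCH-R1
!
enable password cisco123
enable secret 5 $1$abcdef$xxxxx
!
line con 0
 password cisco123
 login
line vty 0 4
 password cisco123
 login
 transport input ssh
!
"""

# Constructed sample of the AFTER state: encryption service on, 'enable password'
# removed, line passwords rewritten as type 7, and 'login local' against a local
# user (assumed username 'admin'; hash and type 7 strings are placeholders).
FIXED_CONFIG = """\
service password-encryption
!
hostname BRANCH-R1
!
username admin secret 5 $1$placeholder$hash
enable secret 5 $1$abcdef$xxxxx
!
line con 0
 password 7 0822455D0A16
 login local
line vty 0 4
 password 7 0822455D0A16
 login local
 transport input ssh
!
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = clear text / missing control, "medium" = reversible type 7, "low" = advisory
    where: str     # "global" or the line section, e.g. "line vty 0 4"
    detail: str


# Password forms this parser understands (the type number is optional; IOS omits
# it for clear text unless it writes "0"):
#   password cisco123 | password 0 cisco123          -> clear text
#   password 7 0822455D0A16                          -> type 7, reversible
#   enable secret 5 $1$... | username X secret 9 ... -> one-way hash
PASSWORD_LINE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)\s+)?"
    r"(?P<cmd>enable password|enable secret|password|secret)"
    r"(?:\s+(?P<type>\d+))?\s+(?P<value>\S+)\s*$"
)
HASHED_TYPES = {"5", "8", "9"}  # MD5, PBKDF2-SHA256, scrypt: not recoverable from the config


def audit_running_config(config: str) -> list[Finding]:
    """Walk a running-config and report every password weakness the scenario describes."""
    findings: list[Finding] = []
    section = "global"
    encryption_on = False

    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw.startswith(" "):                # top-level command: leave any line block
            section = stripped if stripped.startswith("line ") else "global"
            if stripped == "service password-encryption":
                encryption_on = True
                continue
        if section != "global" and stripped == "login":
            findings.append(Finding("low", section,
                "'login' authenticates with the line password; 'login local' with a username is preferred"))
            continue

        m = PASSWORD_LINE.match(raw)
        if not m:
            continue
        cmd, ptype = m.group("cmd"), m.group("type")
        if cmd == "enable password":
            findings.append(Finding("high", section,
                "'enable password' is present; remove it and rely on 'enable secret'"))
        elif ptype in HASHED_TYPES:
            continue                               # type 5/8/9: acceptable
        elif ptype == "7":
            findings.append(Finding("medium", section, f"'{cmd}' uses reversible type 7 encryption"))
        else:                                      # no type number, or type 0
            findings.append(Finding("high", section, f"'{cmd}' is stored in clear text"))

    if not encryption_on:
        findings.append(Finding("high", "global", "service password-encryption is not enabled"))
    return findings


def is_compliant(config: str) -> bool:
    """True when the config meets the Verification section: no clear-text or leftover enable password."""
    return not any(f.severity == "high" for f in audit_running_config(config))


if __name__ == "__main__":
    for name, cfg in (("before", WEAK_CONFIG), ("after", FIXED_CONFIG)):
        print(f"--- {name}: compliant={is_compliant(cfg)}")
        for f in audit_running_config(cfg):
            print(f"  [{f.severity}] {f.where}: {f.detail}")
```

Run against the "before" sample the audit returns four high findings (the clear-text console and vty passwords, the leftover 'enable password', and the disabled encryption service) plus two advisories about 'login'; the "after" sample passes 'is_compliant' but still reports the two type 7 line passwords as medium, which matches the exam point that type 7 is expected output yet remains reversible.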
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario may appear as a multiple-choice question asking which command encrypts passwords in the running configuration, or a troubleshooting drag-and-drop where you must identify that 'service password-encryption' is missing. The exam tests understanding that type 7 encryption is weak and reversible, while type 5 (MD5) is stronger. Candidates must know that 'service password-encryption' encrypts all passwords except 'enable secret'.
Exam Tips
Remember that 'service password-encryption' uses Cisco's proprietary type 7 encryption, which is easily reversible and not considered secure for production.
The 'enable secret' command uses MD5 hashing (type 5) and is always preferred over 'enable password'.
Know that 'show running-config' displays type 7 encrypted passwords as 'password 7 <string>' and type 5 as 'secret 5 <hash>'.
Commands Used in This Scenario
enable secret [password]
Sets an encrypted password for privileged EXEC access, replacing the less secure 'enable password' command.
service password-encryption
Encrypts all plaintext passwords in the running configuration to prevent unauthorized viewing of password data.
show running-config
Displays the current active configuration in DRAM, showing all non-default settings.