LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How do you encrypt all plaintext passwords in the configuration file?

The service password-encryption global command encrypts all current and future plaintext passwords in the config (though only as weak Type 7).

Switch(config)# service password-encryption

By default the startup-config and running-config files store most passwords in plaintext, so anyone who can view the configuration (over the shoulder, in a backup, in a screenshot) reads them directly. The single global command service password-encryption fixes this in one step: it scrambles all passwords currently in the config and any added afterwards, so they appear as encrypted strings instead of clear text.

What each part does / gotchas:

  • service password-encryption — turns on automatic encryption of plaintext passwords device-wide
  • show running-config — run it afterwards to confirm the passwords now show as encrypted strings rather than the words you typed
  • Big caveat: this is only Type 7 encryption, which is trivially reversible — it stops shoulder-surfing, not a real attacker. For the privileged-EXEC password use enable secret, which stores a proper one-way hash (Type 5/MD5 on classic IOS).

Go deeper:

From Quiz: NETW1 / Basic Switch and End Device Configuration | Updated: Jul 05, 2026