Quiz Entry - updated: 2026.07.05
How do you encrypt all plaintext passwords in the configuration file?
The service password-encryption global command encrypts all current and future plaintext passwords in the config (though only as weak Type 7).
Switch(config)# service password-encryption
By default the startup-config and running-config files store most passwords in plaintext, so anyone who can view the configuration (over the shoulder, in a backup, in a screenshot) reads them directly. The single global command service password-encryption fixes this in one step: it scrambles all passwords currently in the config and any added afterwards, so they appear as encrypted strings instead of clear text.
What each part does / gotchas:
service password-encryption— turns on automatic encryption of plaintext passwords device-wideshow running-config— run it afterwards to confirm the passwords now show as encrypted strings rather than the words you typed- Big caveat: this is only Type 7 encryption, which is trivially reversible — it stops shoulder-surfing, not a real attacker. For the privileged-EXEC password use
enable secret, which stores a proper one-way hash (Type 5/MD5 on classic IOS).
Go deeper:
Cisco IOS (Wikipedia) — the password-type landscape (Type 7 vs. the hashed Type 5/8/9 secrets).