Details
When password encryption is enabled, the encrypted form of the passwords is displayed when a more system:running-config command is entered.
Rationale:
This requires passwords to be encrypted in the configuration file to prevent unauthorized users from learning the passwords just by reading the configuration. When not enabled, many of the device’s passwords will be rendered in plain text in the configuration file. This service ensures passwords are rendered as encrypted strings, preventing an attacker from easily determining the configured value.
Impact:
Organizations implementing ‘service password-encryption’ reduce the risk of unauthorized users learning clear-text passwords by reading Cisco IOS configuration files. However, the algorithm used is not designed to withstand serious analysis, and passwords encrypted with it should be treated like clear text.
Solution
Enable password encryption service to protect sensitive access passwords in the device configuration.
hostname(config)#service password-encryption
Default Value:
Service password encryption is not set by default.
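An added example, not part of the benchmark text: a Python check that reads a saved copy of the running configuration, reports whether `service password-encryption` is set, and lists password lines still stored in clear text or as type 7 (the format this service produces). The sample configuration, its values and the function name are constructed for illustration; password types other than 0 and 7 are not flagged.

```python
import re

# Constructed sample running-config; hostnames, users and values are made up.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
no service password-encryption
enable secret 5 $1$EXAMPLE$placeholderhashvalue000
enable password LabPass123
username admin privilege 15 password 0 AdminPass!
username ops password 7 0000000000
line vty 0 4
 password Vty Pass
 login
"""

# "password"/"secret", an optional one-digit type, then the stored value.
CRED_RE = re.compile(r"\b(password|secret)\s+(?:(\d)\s+)?(\S.*?)\s*$")


def audit_password_encryption(config_text):
    """Return (service_enabled, findings) for one IOS configuration."""
    service_enabled = False
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line == "service password-encryption":
            service_enabled = True
            continue
        match = None if line.startswith(("!", "description ")) else CRED_RE.search(line)
        if not match:
            continue
        enc_type = match.group(2)
        if enc_type in (None, "0"):
            status = "cleartext"   # no type, or type 0: stored unencrypted
        elif enc_type == "7":
            status = "type7"       # weak encoding; treat like clear text
        else:
            continue               # other types are outside this check
        # Never echo the stored value into an audit report.
        findings.append((lineno, status, line[: match.start(3)] + "<redacted>"))
    return service_enabled, findings


if __name__ == "__main__":
    enabled, results = audit_password_encryption(SAMPLE_CONFIG)
    print("service password-encryption:", "enabled" if enabled else "NOT enabled")
    for lineno, status, text in results:
        print(f"line {lineno}: {status}: {text}")
```

Type 7 lines are reported even when the service is enabled because, as stated under Impact, that encoding should be treated like clear text.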
Supportive Information
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Cisco.