1.4.2 Enable 'service password-encryption'

Information

When password encryption is enabled, the encrypted form of the passwords is displayed when a more system:running-config command is entered.

Rationale:

This requires passwords to be encrypted in the configuration file to prevent unauthorized users from learning the passwords just by reading the configuration. When not enabled, many of the device's passwords will be rendered in plain text in the configuration file. This service ensures passwords are rendered as encrypted strings, preventing an attacker from easily determining the configured value.

Impact:

Organizations implementing 'service password-encryption' reduce the risk of unauthorized users learning clear-text passwords from Cisco IOS configuration files. However, the algorithm used is not designed to withstand serious analysis, and passwords encrypted with it should be treated like clear text.

Solution

Enable the password encryption service to protect sensitive access passwords in the device configuration.

hostname(config)#service password-encryption

Default Value:

Service password encryption is not set by default.
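An offline check for this control, as an added example (not part of the benchmark or of the Cisco plugin): it reads a saved running-config, reports whether 'service password-encryption' is in effect, and lists password lines that are still clear text or use the service's type 7 encoding, which the Impact note says to treat like clear text. The sample configuration, the function name audit and the finding labels are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname R1
service timestamps log datetime msec
no service password-encryption
enable secret 9 CONSTRUCTED-HASH-PLACEHOLDER
username admin password 0 ConstructedPlain1
username ops password 7 CONSTRUCTED-TYPE7-PLACEHOLDER
line vty 0 4
 password ConstructedPlain2
 login
"""

# A line ending in "password|secret [type-digit] <value>"; group 2 is the type.
CRED_RE = re.compile(r"^\s*(?:.*\s)?(password|secret)\s+(?:(\d)\s+)?(\S+)\s*$")


def audit(config: str) -> dict:
    """Return the control state and weakly protected password lines.

    Findings carry only (line number, label); the password value itself
    is never copied into the result.
    """
    enabled = False
    findings = []
    for num, line in enumerate(config.splitlines(), 1):
        stripped = line.strip()
        if stripped == "service password-encryption":
            enabled = True
        elif stripped == "no service password-encryption":
            enabled = False
        m = CRED_RE.match(line)
        if not m or m.group(1) == "secret":
            continue  # 'secret' entries are stored as hashes, not type 0/7
        ptype = m.group(2) or "0"  # no type digit means the value is clear text
        if ptype == "0":
            findings.append((num, "cleartext"))
        elif ptype == "7":
            findings.append((num, "type7"))  # treat like clear text (see Impact)
    return {"compliant": enabled, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print("service password-encryption enabled:", result["compliant"])
    for num, label in result["findings"]:
        print(f"line {num}: {label}")
```

A configuration can pass the control and still return type7 findings; those lines satisfy this item but remain exposed to anyone who can read the file.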

See Also

https://workbench.cisecurity.org/files/3801

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|16.4

Plugin: Cisco

Control ID: af9e05229faac14e3f4a6335ef59b72434e22894543385fec64f71c864cd9511