Cisco IOS security behavior

You configured a console password, but when you display the running configuration the password is not shown in clear text; it appears obfuscated, for example:

  Line console 0
  Exec-timeout 1 44
  Password 7098C0BQR
  Login

What feature caused the password to be stored and displayed in this encoded form?

Difficulty: Easy

Correct Answer: service password-encryption

Explanation:


Introduction / Context:
On Cisco IOS devices, plaintext passwords configured under lines (console, vty, aux) or for simple user accounts can be protected from casual viewing in the running-config and startup-config. Understanding which IOS command performs this obfuscation is a core skill for network administrators who audit configurations or harden device security.


Given Data / Assumptions:

  • A line password was configured for the console line.
  • The configuration display shows an encoded string instead of the original password (for example, 7098C0BQR).
  • No special AAA server or external encryption is in use; we focus on native IOS behavior.


Concept / Approach:

The global configuration command service password-encryption turns on a weak, reversible encoding (historically called type 7) that scrambles simple passwords so they do not appear in clear text in configuration files. This is not strong cryptography; it is mainly meant to deter shoulder-surfing and casual disclosure. In contrast, the enable secret command uses a much stronger, hashed representation (for example, type 5 or type 8/9 on newer IOS) but only for the enable password, not for line passwords.
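The distinction above between reversible type 7 encoding and hashed secrets can be checked mechanically when auditing a saved configuration. The following Python is an added example, not from the original page or from Cisco; the sample config, its credential strings and the names audit and weak are constructed for illustration.

```python
import re

# Constructed sample config (placeholder credential strings, not from a real device).
# The command was removed after the console password was set, so the old
# password is still type 7 while the newer vty password is stored in clear text.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 9 $9$EXAMPLE$PLACEHOLDER
username admin password 7 0011223344AABB
username backup secret 5 $1$EXAM$PLACEHOLDER
line con 0
 exec-timeout 1 44
 password 7 0011223344AABB
 login
line vty 0 4
 password ExamplePass
 login
"""

# Storage strength by IOS password type number (no number means clear text).
STRENGTH = {"0": "cleartext", "7": "reversible (type 7)",
            "5": "hashed", "8": "hashed", "9": "hashed"}
CRED = re.compile(r"^(?:enable |username \S+ (?:privilege \d+ )?)?"
                  r"(password|secret)(?: (\d))? (\S+)$")

def audit(config):
    """Return (service_password_encryption_enabled, findings).
    Each finding is (context, keyword, strength); the credential itself is not kept."""
    enabled, context, findings = False, "global", []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # unindented line starts a new section
            context = line if line.startswith("line ") else "global"
        if line == "service password-encryption":
            enabled = True
        elif line == "no service password-encryption":
            enabled = False
        m = CRED.match(line)
        if m:
            keyword, ptype, _value = m.groups()
            findings.append((context, keyword, STRENGTH.get(ptype or "0", "unknown")))
    return enabled, findings

def weak(findings):
    """Findings whose stored form is recoverable by anyone who can read the file."""
    return [f for f in findings if f[2] != "hashed"]
```

Every entry returned by weak is a credential that should be rotated or moved to a hashed secret, and the file holding it should be handled as sensitive data.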



Step-by-Step Solution:

  1. Recognize that a line password appears encoded in the config (nonsensical characters).
  2. Recall that service password-encryption scrambles simple passwords for display.
  3. Confirm that exec-timeout affects idle timeouts and does not change password display.
  4. Conclude the obfuscation is due to enabling service password-encryption.


Verification / Alternative check:

If you remove the command and re-enter the same password, the configuration would show it in clear text. Re-enabling the command re-scrambles it. This demonstrates the feature's effect on stored display output.



Why Other Options Are Wrong:

  • encrypt password: not a valid IOS global command.
  • service-password-encryption: incorrect syntax (hyphenated form is not used).
  • exec-timeout 1 35: controls idle timeout, not password storage.
  • enable secret: hashes the enable password only; it does not control line password display.


Common Pitfalls:

  • Assuming the encoding is strong encryption; it is easily reversible and should not be relied upon for true secrecy.
  • Forgetting to secure configuration files because the passwords look scrambled; treat configs as sensitive data.


Final Answer:

service password-encryption
