All Cisco device passwords are stored in cleartext in the configuration, by default. These passwords are visible to anyone that has permission to issue

  • write terminal
  • show running-config

Stored backup configuration files also have these passwords; therefore, anyone with access to these files will also have access to the router passwords.

There are two commands for hiding passwords:

  • service password-encryption
  • enable secret

service password-encryption is useful when storing configuration files on a server because it encrypts passwords before storing them. These passwords are unintelligible when write terminal or show running-config commands are issued.