The Cisco ISR 4000 Series router must store only encrypted representations of passwords.

From Cisco IOS XE Release 3 NDM Security Technical Implementation Guide

Associated with: CCI-000196

SV-88697r1_rule The Cisco ISR 4000 Series router must store only encrypted representations of passwords.

Vulnerability discussion

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.Network devices must enforce password encryption when storing passwords.

Check content

Verify that Cisco ISR 4000 Series router has password encryption enabled. The configuration should look similar to the example below: password encryption aes service password-encryption If password encryption is not enabled, this is a finding.

Fix text

Add the following command to encrypt local passwords: service password-encryption

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.