Password7Decrypt

Cisco IOS Password Security Checklist

A working checklist for network and security engineers auditing password hygiene across Cisco IOS and IOS-XE devices.

Device-Level Basics

enable secret is set (Type 8 or 9), and enable password is fully removed, not just superseded
service password-encryption is enabled as a baseline, even though it only applies weak Type 7 to any remaining plaintext lines — it's a safety net, not a solution
No device still has a factory-default or vendor-documented default credential active
Console, AUX, and VTY lines all require a password — an open AUX port is a classic overlooked backdoor

Local Accounts & AAA

Every username line uses secret (hashed), never bare password
Centralized AAA (TACACS+/RADIUS) is used for production access instead of relying solely on local accounts, so individual logins can be audited and revoked without touching every device
Local accounts are kept as a documented break-glass fallback only, with credentials stored in a password manager, not memorized or shared over chat
Stale accounts for former employees or contractors are removed, not just disabled

Config Hygiene

Config backups (TFTP/SCP exports) are stored somewhere access-controlled, not on an open file share
SNMP community strings are not left at defaults (public/private) and, ideally, SNMPv3 is used instead of v1/v2c
No plaintext passwords appear anywhere in configs pasted into ticketing systems, chat, or documentation wikis
A periodic grep across config backups for password 7 and password 5 is run — see our legacy config audit guide for a repeatable process

Quarterly Review Cadence

Most of the items above aren't "set once and forget" — they drift as staff change and devices get replaced. A workable cadence for most teams:

Tip: Track this checklist in whatever ticketing/compliance system your team already uses, with a due date per item — a checklist that isn't scheduled tends not to get revisited until an audit forces it.