5.1.b Implement and troubleshoot device access control

5.1.b [iv] Password encryption

The enable password command is not recommended since password is stored in cleartext. Use the enable secret command instead for better security. Enable secrets are hashed using the MD5 algorithm . As far as anyone at Cisco knows, it is impossible to recover an enable secret based on the contents of a configuration file (other than by obvious dictionary attacks). Almost all passwords and other authentication strings in Cisco IOS configuration files are encrypted using the weak, reversible scheme used for user passwords. To determine which scheme has been used to encrypt a specific password, check the digit preceding the encrypted string in the configuration file. If that digit is a 7, the password has been encrypted using the weak algorithm. If the digit is a 5, the password has been hashed using the stronger MD5 algorithm.

Because protocol analyzers can examine packets (and read passwords), you can increase access security by configuring the Cisco IOS software to encrypt passwords. Encryption prevents the password from being readable in the configuration file.

To configure the Cisco IOS software to encrypt passwords, use the following command in global configuration mode:

Router( config)# service password-encryption

The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and BGP neighbor passwords. The service password-encryption command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5064-5067).  . Kindle Edition.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00809d38a7.shtml