Unlock hundreds more features
Save your Quiz to the Dashboard
View and Export Results
Use AI to Create Quizzes and Analyse Results

OR
Sign inSign in with Facebook
Sign inSign in with Google
Quizzes > Computers & IT

Service Password-Encryption Quiz: Which Statement Is True?

Quick, free password-encryption command quiz to test your knowledge. Instant results.

Editorial: Review CompletedCreated By: Carmela DiazUpdated Aug 23, 2025
Difficulty: Moderate
2-5mins
Learning OutcomesCheat Sheet
Paper art style CCNA Security quiz with padlock key network icons on coral background

This quiz helps you confirm what is true about the service password-encryption command and check related router security basics. After you finish, try our which statement is true challenge, explore PKI in the digital certificate quiz, and build skills with the public key cryptography quiz.

What type of Cisco encryption does the command "service password-encryption" enable by default?
Type 5
Type 7
Type 9
Type 3
The "service password-encryption" command applies Cisco Type 7 reversible encryption to plain-text passwords in the IOS configuration. It does not use Type 5 (MD5) or other hashing algorithms. Type 7 is considered weak because it is easily reversible.
Which passwords are affected by the "service password-encryption" command?
Enable secret password
SNMP community strings
Console, VTY, and auxiliary line passwords
Local user database passwords
The "service password-encryption" command only encrypts line passwords such as console, VTY, and auxiliary. It does not affect the enable secret (already MD5 hashed) or SNMP community strings.
Which command is used to create an encrypted privileged EXEC mode password using MD5 hashing?
enable secret
enable password
service password-secret
enable distant
The "enable secret" command configures an MD5-hashed password for privileged EXEC mode. In contrast, "enable password" stores a reversible Type 7 encrypted password unless you apply service password-encryption.
To enforce SSH instead of Telnet on VTY lines, which command would you use in line configuration mode?
transport input telnet
transport input ssh
login local
transport output ssh
The "transport input ssh" command restricts inbound VTY sessions to SSH only, disabling Telnet. "transport output ssh" would control outbound sessions initiated by the router.
What is the default RSA key modulus size when you run "crypto key generate rsa" without specifying a size?
256 bits
1024 bits
512 bits
2048 bits
In many IOS releases, if you omit the modulus value, the router defaults to generating a 512-bit RSA key. Modern security standards recommend at least 1024 or 2048 bits.
Which command is required before generating RSA keys for SSH on a Cisco router?
ip domain-name
ip ssh version 2
service password-encryption
line vty 0 4
An IP domain name must be set (using "ip domain-name ") before you can generate RSA keys with "crypto key generate rsa". The domain name is part of the RSA key pair creation process.
Which Cisco IOS command specifies that only SSH version 2 is used for remote management?
ip ssh version 2
transport input ssh
ip ssh version 1
ssh version 2
The "ip ssh version 2" command forces the router to use SSH version 2 for all SSH sessions. Version 2 is more secure than version 1.
What hashing algorithm does the "enable secret" command use to store passwords?
SHA-256
MD5
Type 7
SHA-1
The "enable secret" command uses the MD5 hashing algorithm to irreversibly encrypt the password. This provides stronger protection than the reversible Type 7 encryption.
Which command configures an AAA method list to use the local database for login authentication?
aaa authentication login default local
aaa method login default local
aaa accounting login default local
aaa authorization login default local
The "aaa authentication login default local" command directs IOS to authenticate local logins (such as console or VTY) against the local user database when no external servers respond.
After entering "service password-encryption", which command can you use to view the encrypted passwords in the configuration?
show passwords
show encrypted passwords
show startup-config only
show running-config
The "show running-config" command displays the current configuration, including all passwords in their encrypted Type 7 form once "service password-encryption" is enabled. There is no separate "show passwords" command.
What is the minimum recommended modulus size for RSA key generation for SSH on modern Cisco devices?
768 bits
1024 bits
2048 bits
512 bits
While IOS defaults to 512 bits, security best practices recommend a minimum of 1024-bit RSA keys for SSH. Higher values like 2048-bit provide stronger security but can impact performance.
Which encryption type is used when you configure a local user with the "secret" option (e.g., "username user secret pass")?
Type 5
Type 7
Type 3
None
The "username secret " command uses Cisco Type 5 encryption (MD5 hashing) for the password. If you use "password" instead of "secret," it uses reversible Type 7 encryption.
Which command would remove reversible encryption on stored line passwords?
service password-unencrypt
no service password-encryption
undo service password-encryption
clear password-encryption
Applying "no service password-encryption" disables the feature and displays stored passwords in plain text on subsequent "show" commands. It does not retroactively decrypt them in the config text.
Which new Cisco IOS password-encryption type uses scrypt hashing introduced in IOS 15.1?
Type 8
Type 9
Type 7
Type 5
Cisco Type 9 encryption, introduced in IOS 15.1, uses the scrypt key derivation function for hashing, providing stronger protection against brute-force attacks. It replaces earlier, less secure methods like Type 5.
Which command configures a user's password with PBKDF2-SHA256 (Type 8) encryption?
username user secret pbkdf2
username user password 8
username user secret 5
username user secret 8
The "username secret 8 " command enables PBKDF2-SHA256 (Type 8) encryption for the user password. This is stronger than the MD5-based Type 5.
What command controls the number of SSH authentication retries before the connection is dropped?
ip ssh retries
ip ssh authentication-retries
ssh authentication-retries
ip ssh retry-auth
The "ip ssh authentication-retries " command sets how many times SSH will prompt for credentials before terminating the session. This protects against brute-force attacks.
What is the default SSH authentication retry count on Cisco IOS devices?
3
2
5
1
By default, Cisco IOS allows three authentication retries for SSH connections before dropping the session. You can modify this with "ip ssh authentication-retries".
For securing SSH sessions, which AES encryption mode does Cisco IOS use by default?
AES-256 GCM
AES-256 CBC
AES-128 CTR
AES-128 CBC
Modern Cisco IOS defaults to AES-128 in Counter (CTR) mode for SSH sessions, offering a good balance of security and performance. Other modes can be configured manually if needed.
What is the maximum RSA modulus size supported on Cisco IOS for SSH key generation?
1024 bits
2048 bits
4096 bits
3072 bits
Cisco IOS supports up to a 4096-bit RSA key modulus for SSH, allowing very strong keys. Note that larger keys can incur greater CPU overhead.
Which AAA command would force a Cisco device to use the local database if the TACACS+ server is unreachable?
aaa authentication login default group tacacs+ local
aaa accounting fallback local
aaa authentication fallback local tacacs+
aaa authorization login default group tacacs+ local
The command "aaa authentication login default group tacacs+ local" specifies that TACACS+ is tried first; if it fails, the local database is used. This provides redundancy for remote logins.
If "ip ssh authentication-retries 3" is configured, how many total authentication attempts does SSH allow before dropping the connection?
5
4
2
3
Cisco IOS interprets the "ip ssh authentication-retries" value as the number of additional retries after the initial attempt. Thus, setting it to 3 allows one initial try plus three retries, totaling four attempts.
Which native IOS CLI command can decrypt Type 7 encrypted passwords directly on the router?
service password-unhide
no such command
show encryption decrypt
show service password-decryption
Cisco IOS does not include a built-in command to decrypt Type 7 passwords. Administrators must use external tools or scripts to reverse Type 7 encryption. This design discourages easy recovery of the plain-text.
0
{"name":"What type of Cisco encryption does the command \"service password-encryption\" enable by default?", "url":"https://www.quiz-maker.com/QPREVIEW","txt":"What type of Cisco encryption does the command \"service password-encryption\" enable by default?, Which passwords are affected by the \"service password-encryption\" command?, Which command is used to create an encrypted privileged EXEC mode password using MD5 hashing?","img":"https://www.quiz-maker.com/3012/images/ogquiz.png"}

Study Outcomes

  1. Identify True Service Password-Encryption Statements -

    Determine which statement regarding the service password-encryption command is true and understand its implications for Cisco device security.

  2. Analyze SSH Key Length Best Practices -

    Evaluate recommended SSH key lengths to ensure secure remote access and compliance with CCNA Security Chapter 2 standards.

  3. Apply EXEC Command Configuration -

    Configure and manage user EXEC commands to create user accounts with appropriate privilege levels on Cisco devices.

  4. Interpret Login Command Output -

    Assess login command outputs to diagnose authentication issues and verify successful user access on network devices.

  5. Validate User Account Security -

    Confirm that user accounts adhere to security best practices by integrating password encryption and access control measures.

Cheat Sheet

  1. Understanding service password-encryption -

    When asked which statement regarding the service password-encryption command is true, remember it applies Cisco Type 7 reversible encryption to all plaintext passwords in the running-config and startup-config to thwart casual snooping (Cisco documentation). Mnemonic: "Type 7 for D7tEct!" reminds you it's a detect-and-hide, not a secure hash.

  2. Enable secret vs. service password-encryption -

    Enable secret uses MD5 hashing and remains unaffected by service password-encryption, giving stronger protection by default (Cisco Systems). Think: "Secret is sealed, Encryption only hides."

  3. SSH key length best practices -

    Per NIST SP 800-131A and as emphasized in CCNA Security Chapter 2 quiz materials, generate RSA keys of at least 2048 bits with "crypto key generate rsa modulus 2048" to ensure robust encryption for SSH logins (National Institute of Standards and Technology).

  4. Creating user EXEC commands -

    Use "username <name> privilege <level> secret <password>" to create local accounts with appropriate EXEC privileges; levels 1 and 15 map to user EXEC and privileged EXEC modes respectively (Cisco Learning Network). A handy tip: level 15 = full admin access.

  5. Login command output analysis -

    Differentiate "login" (uses default line password) from "login local" (prompts for username and password from local database); watch for prompts like "Username:" and "Password:" or "% Login invalid" to troubleshoot (Cisco Press).

Make a Quiz (FREE) Copy & Edit This Quiz Create a Quiz with AI

Computers & IT Quizzes

Powered by: Quiz Maker