
350-401 Question #638: Real Exam Question with Answer & Explanation

The correct answer is A: service password-encryption. The question asks how to protect VTY line passwords from over-the-shoulder attacks, which means preventing them from being seen in plain text in the configuration.

Submitted by devops_kid · Mar 6, 2026 · Security

Question

An engineer must protect the password for the VTY lines against over-the-shoulder attacks. Which configuration should be applied?

Options

  • A. service password-encryption
  • B. username netadmin secret 9 $9$vFpMf8elb4RVV8$seZ/bDA
  • C. username netadmin secret 7$1$42J36k33008Pyh4QzwXyZ4
  • D. line vty 0 15 p3ssword XD822j

Explanation

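The question asks how to protect VTY line passwords from over-the-shoulder attacks, which means preventing them from being seen in plain text in the configuration. The service password-encryption command does this by storing line passwords in encrypted (type 7) form, so they no longer appear in clear text when the configuration is displayed. Type 7 is reversible, so it guards against casual viewing only.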

Common mistakes.

  • B. This command configures a username with a type 9 secret password (strong hash) for local user accounts, not directly protecting the VTY line password itself.
  • C. This command configures a username with a type 7 secret password (weak encryption) for local user accounts, not directly protecting the VTY line password.
  • D. This command sets a plain-text password for the VTY lines, which would be visible in the configuration and vulnerable to over-the-shoulder attacks without service password-encryption.

Concept tested. Cisco password encryption for configuration display

Reference. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_name_pwd/configuration/15-mt/sec-usr-name-pwd-15-mt-book/sec-usr-name-pwd-cfg.html#GUID-E182103E-B19F-4581-A6B1-D4222045A958

Topics

#service password-encryption #VTY line security #Cisco password protection
