Cisco Best Practice suggests having "service password-encryption" on the configuration to ensure that passwords aren't visible in plain text. This metric checks the running config for it.

contains(RunningConfig,'no service password-encryption')