Encrypt local usernames and passwords

We’ve learned it is possible to configure local usernames and passwords on a Cisco device and then use them to log in to the device. To do this, we’ve used the username USER password PASSWORD command, like in the example below:

R1(config)#username tuna password peyo

However, there is one problem with this command – the password is stored in clear text in the configuration:

R1#show running-config 
Building configuration...

Current configuration : 635 bytes
!
version 15.1
....
!
username tuna password 0 peyo
!
...

We can use the service password-encryption global configuration command to encrypt the password, but this method does not provide a high level of network security and the passwords can be cracked.

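To rectify this, Cisco introduced a new command – username USER secret PASSWORD. This command uses a stronger method: instead of the password itself, the device stores a salted MD5 hash of it, shown as type 5 in the configuration: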

R1(config)#username tuna secret peyo
R1(config)#
R1(config)#do show run | include username
username tuna secret 5 $1$mERr$Ux7QsUATkj4kWVORI4.m21

Note that (unlike with the enable password and enable secret commands) you can’t have both the username password and username secret commands configured for the same user at the same time:

R1(config)#username tuna password peyo
ERROR: Can not have both a user password and a user secret.
Please choose one or the other.
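To check a saved configuration for the weak storage described above, the following added example (not part of the original page) classifies each username line by the type digit that follows password or secret. The names audit_usernames, RATING and USER_RE are hypothetical, the sample configuration is constructed, and type 7 is assumed to be what service password-encryption writes.

```python
import re

# Type digit printed after "password"/"secret" in the running-config.
# 0 and 5 appear on this page; 7 is assumed here as the type written by
# service password-encryption.
RATING = {
    "0": ("FAIL", "stored in clear text"),
    "7": ("FAIL", "service password-encryption only, can be cracked"),
    "5": ("OK", "stored as a type 5 secret"),
}

# Matches e.g. "username tuna password 0 peyo" and also lines with options
# such as "privilege 15" between the name and the keyword.
USER_RE = re.compile(
    r"^username\s+(?P<user>\S+)\s+(?:.*?\s)?"
    r"(?P<kw>password|secret)\s+(?P<type>\d+)\s+\S+\s*$"
)


def audit_usernames(config_text):
    """Return (user, keyword, type, verdict, reason) per username line.

    The stored password or hash is deliberately left out of the result so
    the report can be shared without leaking credentials.
    """
    findings = []
    for line in config_text.splitlines():
        m = USER_RE.match(line.strip())
        if not m:
            continue
        verdict, reason = RATING.get(
            m["type"], ("REVIEW", "type not covered by this example")
        )
        findings.append((m["user"], m["kw"], m["type"], verdict, reason))
    return findings


# Constructed sample config; only the "tuna" line is taken from the page.
SAMPLE = """\
version 15.1
username tuna secret 5 $1$mERr$Ux7QsUATkj4kWVORI4.m21
username backup password 0 peyo
username noc privilege 15 password 7 CONSTRUCTED-PLACEHOLDER
"""

if __name__ == "__main__":
    for user, kw, typ, verdict, reason in audit_usernames(SAMPLE):
        print(f"{verdict:6} {user:8} {kw} {typ}: {reason}")
```

Any line reported as FAIL should be re-entered with the username USER secret PASSWORD command.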