Encrypt local usernames and passwords

We’ve learned that it is possible to configure local usernames and passwords on a Cisco device and then use them to log in to the device. To do this, we used the username USER password PASSWORD command, as in the example below:

R1(config)#username tuna password peyo

However, there is one problem with this command – the password is stored in clear text in the configuration:

R1#show running-config 
Building configuration...

Current configuration : 635 bytes
!
version 15.1
....
!
username tuna password 0 peyo
!
...

We can use the service password-encryption global configuration command to encrypt the password, but this method does not provide a high level of network security and the passwords can be cracked.

To rectify this, Cisco introduced a new command – username USER secret PASSWORD. This command uses a stronger type of encryption. The password is stored as a one-way hash, which appears as type 5 in the configuration:

R1(config)#username tuna secret peyo
R1(config)#
R1(config)#do show run | include username
username tuna secret 5 $1$mERr$Ux7QsUATkj4kWVORI4.m21

Note that (unlike with the enable password and enable secret commands) you can’t have both the username password and username secret commands configured at the same time:

R1(config)#username tuna password peyo
ERROR: Can not have both a user password and a user secret.
Please choose one or the other.
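
To check a saved configuration for the weaker forms described above, the following added example (not part of the original lesson and not a Cisco tool) scans show running-config output and classifies each username line by keyword and type number. The function names, the sample users "backup" and "ops", and the severity labels are assumptions made for illustration; the script only reads the type field and never decodes a stored value.

```python
import re

# Stored form: username NAME [privilege N] password|secret TYPE VALUE
USER_RE = re.compile(
    r"^username\s+(?P<user>\S+)\s+(?:privilege\s+\d+\s+)?"
    r"(?P<kind>password|secret)\s+(?P<type>\d+)\s+\S+"
)

# (keyword, type) -> (severity, finding). Type 7 is how IOS marks a
# password processed by "service password-encryption".
FINDINGS = {
    ("password", "0"): ("HIGH", "clear text in the configuration"),
    ("password", "7"): ("MEDIUM", "service password-encryption only"),
    ("secret", "5"): ("OK", "stored with the secret keyword"),
}


def audit_config(config_text):
    """Return (line_no, user, severity, finding) for every username line."""
    results = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        m = USER_RE.match(raw.strip())
        if not m:
            continue
        default = ("REVIEW", f"{m['kind']} type {m['type']} not covered here")
        severity, finding = FINDINGS.get((m["kind"], m["type"]), default)
        results.append((line_no, m["user"], severity, finding))
    return results


def weak_users(config_text):
    """Users that should be re-entered with 'username NAME secret ...'."""
    hits = audit_config(config_text)
    return sorted({user for _, user, sev, _ in hits if sev in ("HIGH", "MEDIUM")})


# Constructed sample: "backup" and "ops" are made-up users and the type 7
# value is a placeholder; the "tuna" line and the hash are from the page.
SAMPLE = """\
!
username tuna password 0 peyo
username backup privilege 15 password 7 <type-7-value>
username ops secret 5 $1$mERr$Ux7QsUATkj4kWVORI4.m21
!
"""

if __name__ == "__main__":
    for line_no, user, severity, finding in audit_config(SAMPLE):
        print(f"line {line_no}: {user}: {severity} ({finding})")
```

Any user reported as HIGH or MEDIUM can be fixed by removing the username password entry and re-entering it with username USER secret PASSWORD, since the two forms cannot coexist for the same user.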
