We’ve learned it is possible to configure local usernames and passwords on a Cisco device and then use them to log in to the device. To do this, we’ve used the username USER password PASSWORD command, like in the example below:
R1(config)#username tuna password peyo
However, there is one problem with this command – the password is stored in clear text in the configuration:
R1#show running-config
Building configuration...
Current configuration : 635 bytes
!
version 15.1
....
!
username tuna password 0 peyo
!
...
We can use the service password-encryption global configuration command to encrypt the password, but this method does not provide a high level of network security and the passwords can be cracked.
To rectify this, Cisco introduced a new command – username USER secret PASSWORD. Instead of keeping the password in a recoverable form, this command stores it as a one-way hash, shown as type 5 in the configuration, which is much harder to crack:
R1(config)#username tuna secret peyo
R1(config)#
R1(config)#do show run | include username
username tuna secret 5 $1$mERr$Ux7QsUATkj4kWVORI4.m21
Note that (unlike with the enable password and enable secret commands) you can’t have both the username password and username secret commands configured at the same time:
R1(config)#username tuna password peyo
ERROR: Can not have both a user password and a user secret.
Please choose one or the other.
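
To find accounts that still use the weaker password form, a saved running-config can be audited offline. The script below is an added example, not part of the original lesson or any Cisco tool: it reads the type digit after password/secret on each username line and lists the users that should be re-entered with username USER secret PASSWORD. Types 0 and 5 are the ones shown above; type 7 (the digit IOS writes when service password-encryption is enabled), the optional privilege keyword, the function names, and the users backup and admin are assumptions of this example.

```python
import re

# Matches "username NAME [privilege N] password|secret TYPE VALUE"
# as it appears in show running-config output.
USER_RE = re.compile(
    r"^username\s+(?P<user>\S+)\s+(?:privilege\s+\d+\s+)?"
    r"(?P<kind>password|secret)\s+(?P<type>\d+)\s+(?P<value>\S+)\s*$"
)

# Types 0 and 5 appear in the lesson's output; type 7 is assumed here as the
# encoding produced by service password-encryption.
RATING = {
    ("password", "0"): ("FAIL", "stored in clear text"),
    ("password", "7"): ("WEAK", "reversible service password-encryption encoding"),
    ("secret", "5"): ("OK", "salted MD5-based hash"),
}

def audit_usernames(config_text):
    """Return (user, verdict, reason) for every username line in the config."""
    findings = []
    for line in config_text.splitlines():
        m = USER_RE.match(line.strip())
        if not m:
            continue
        verdict, reason = RATING.get(
            (m["kind"], m["type"]),
            ("REVIEW", f"unrecognised {m['kind']} type {m['type']}"),
        )
        findings.append((m["user"], verdict, reason))
    return findings

def needs_migration(config_text):
    """Users to re-enter with 'username USER secret PASSWORD', sorted by name."""
    return sorted(u for u, verdict, _ in audit_usernames(config_text) if verdict != "OK")

# Constructed sample config. The type 7 value is a placeholder, not a real encoding;
# the type 5 value is the hash shown in the lesson, reused for a hypothetical user.
SAMPLE_CONFIG = """\
version 15.1
!
username tuna password 0 peyo
username backup privilege 15 password 7 0123456789ABCDEF
username admin secret 5 $1$mERr$Ux7QsUATkj4kWVORI4.m21
!
"""

if __name__ == "__main__":
    for user, verdict, reason in audit_usernames(SAMPLE_CONFIG):
        print(f"{verdict:6} {user:8} {reason}")
```

Any type digit the table does not list is reported as REVIEW rather than silently passed, so newer secret types surface for a manual check.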