Security·Global Config

username [name] secret [password]

Creates a local user account whose password is stored as an MD5 hash, for authentication on Cisco IOS devices. It is typically used for SSH, console, or AUX access.

Syntax·Global Config
username [name] secret [password]

When to Use This Command

  • Configuring local user accounts for SSH remote management access to a router or switch.
  • Setting up authentication for the console line to require a username and password.
  • Creating multiple user accounts with different privilege levels for network administrators.
  • Enabling local authentication as a fallback when a RADIUS/TACACS+ server is unreachable.

Command Examples

Create a user with encrypted secret for SSH access

username admin secret Cisco123

No output is displayed upon successful execution. The command creates a user 'admin' with the secret 'Cisco123', which is stored in the running configuration as an MD5 hash rather than in plaintext.

Verify the user account in running configuration

show running-config | include username
username admin secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0

The output shows the username and the hashed secret (type 5, MD5). The hash is not reversible, and only the hash is stored.

Understanding the Output

The 'username [name] secret [password]' command produces no direct output on the CLI. To verify it, use 'show running-config | include username', which displays the username and the hashed secret (type 5). The hash is a one-way MD5 digest, so the plaintext password is not stored. In a production network, the secret should be prefixed with '5', indicating MD5 hashing. If you see '7' (weak type 7 encryption) or plaintext, the configuration is insecure. Always use 'secret' instead of 'password' for stronger protection.

CCNA Exam Tips

1. CCNA exam expects you to know that 'secret' uses MD5 hashing, while 'password' uses weak type 7 encryption.

2. Remember that the 'username' command is configured in global config mode, not line mode.

3. You must also configure 'login local' on the line (e.g., line vty 0 4) to use local authentication.

4. The 'secret' keyword is preferred over 'password' for security; exam questions often test this distinction.

Common Mistakes

Using 'password' instead of 'secret' — results in weak encryption (type 7) that is easily decrypted.

Forgetting to apply 'login local' on the VTY lines after creating the user account.

Leaving the password in plaintext in the running config by using 'username admin password Cisco123' instead of the 'secret' keyword.

Not using a strong password or reusing default credentials, leading to security vulnerabilities.
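
The checks from Understanding the Output and Common Mistakes (type 5 versus type 7 or plaintext, and 'login local' on the VTY lines) can be run against a saved configuration. The Python script below is an added example, not part of the original page or any Cisco tooling; the sample configuration, the type 7 string, and the function names are constructed for illustration, and it assumes local authentication without AAA method lists.

```python
import re

# Constructed sample of 'show running-config' output (not from a real device).
SAMPLE_CONFIG = """\
username admin secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username backup privilege 15 password 7 0822455D0A16
username guest password 0 Guest123
line vty 0 4
 transport input ssh
line vty 5 15
 login local
"""

# username <name> [options] secret|password [<type digit>] <value>
USER_RE = re.compile(r"^username\s+(\S+)\s+(?:.*?\s)?(secret|password)\s+(?:(\d)\s+)?(\S+)$")

def audit_users(config):
    """Return (username, verdict) for each username line."""
    findings = []
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if not m:
            continue
        name, keyword, ctype, _value = m.groups()
        if keyword == "secret":
            verdict = "type5-hash" if ctype == "5" else f"secret-type-{ctype or 'unknown'}"
        elif ctype == "7":
            verdict = "weak-type7"   # reversible encoding
        else:
            verdict = "plaintext"    # 'password 0 <value>' or no type digit
        findings.append((name, verdict))
    return findings

def vty_lines_without_login_local(config):
    """Return the vty line ranges whose block lacks 'login local'."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return [name for name, cmds in blocks.items()
            if name.startswith("vty") and "login local" not in cmds]

if __name__ == "__main__":
    print(audit_users(SAMPLE_CONFIG))
    print(vty_lines_without_login_local(SAMPLE_CONFIG))
```

Any user reported as weak-type7 or plaintext should be re-created with the 'secret' keyword, and any VTY range returned by the second function still needs 'login local'.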
