As I have been working with IOS or IOS-XE devices over the years there have been always new methods added on howto add a username and secret to the running configuration. The last new secrets that have proved insecure has been the cisco type 4 secret. It took around 1 year to prove that this type of hash has been cracked.
At these days one should at least use SHA256 hashes, or even better SHA512. Bruce Schneier suggests to use Twofish.
On the IOS CLI I have discovered new way to generate SHA256 hashes or SCRYPT. I would not suggest to use SCYPT but it is sure better than a TYPE7 crypted password. So everyone should choose its poison.
Here an example on how to generate a descent encrypted password hash:
R1(config)#username test algorithm-type ?
md5 Encode the password using the MD5 algorithm
scrypt Encode the password using the SCRYPT hashing algorithm
sha256 Encode the password using the PBKDF2 hashing algorithm
R1(config)#username test algorithm-type sha256 ?
secret Specify the secret for the user
R1(config)#username test algorithm-type sha256 secret ?
LINE The UNENCRYPTED (cleartext) secret for the user
R1(config)#username test algorithm-type sha256 secret test ?
LINE <cr>
R1(config)#username test algorithm-type sha256 secret test
R1(config)#do sh run | i username
username test secret 8 $8$TE8n7dWN/KlQyE$eceJA2BUi4U/PuqdKzZkA34XfIwNPQzsIll5LoDS0pw
And a scrypt password hash looks like this
R1(config)#username test algorithm-type scrypt secret test
R1(config)#do sh run | i username
username test secret 9 $9$BcqD2r2quPOAZk$9ou68K/72Z3dHeaolP.YNyvn4b5jOJWsczV9dw6ZzmU
So in IOS/IOS-XE a SHA256 password hash has a $8$ prefix and a SCRYPT hash has a $9$ prefix.
Let's wait until the double digit prefix appears $10$ identifying a Twofish encrypted password. Or at least Blowfish should be implemented. I would wish that