As Daydeep said - enable password encryption and you're good. I'm not aware of any method to mask or hide the username from show running-config output.
Restricting it via privilege level isn't terribly complex if you are running Cisco ACS as your AAA server.
When consulting I can find normal systems in a very compromised state especially if they are unprotected. Often we low level format them to hyper clean the malware and root kits. But sometimes we need to get some of the changed data off before the wipe.
In ethical hacking security wizardry they post mortem how attackers hide their access, usernames and file and directory creation and modifications. Often on a zombie compromised system you will find hidden directories, filenames, and usernames with that are invisible until you mouse over them and highlight them or if you show a list and notice an extra line return when there should not be one. There is an exploit that can use ASCII Alt-255 blank space symbol (not null character, i.e not spacebar). So if you want to take it extreme you can create such a username and hide it from the screen or printouts on first glance. Don't use in production network unless you are the sole proprietor.
If someone does penetration testing or a SAS70 audit they will find it and see who created it with logs and they will be calling the creator into the big office. Everyone should be aware of it and there are many web sites that warn about it and countermeasures.
We can write script in EEM and excute following command when user execute "show run"
sh run | exclude username
But I don't want to configure EEM but looking for same thing keeping user in privilege level 15.
Although we can encrypt service password but that can be decipher easily.
By using the "secret" command instead of "password" on the user creation line, the password will be encrypted way beyond the service password encryption of a plain text password.
Using a AAA server for the user database, would prevent someone from seeing the usernames or passwords at level 15.
Using parser VIEWs, we could restrict what a user could see, but not down to just the username in the config.
I would say the "username bob secret cisco123" with a better password than that, using at least 8 characters, upper and lower case, alpha and numeric, and some special characters, and maybe even a couple non-related words in a phrase, would be the best way to protect the secret assigned to the user if it is kept locally on the router.
I have a quick question: when i do service password-encryption, the password will be encrypted when i do show run. However, when i turn it off with "no service password-encrytion, the password is still encrypted. I wonder is it anyway to decrypt ?