diff --git a/puppet/zulip/manifests/memcached.pp b/puppet/zulip/manifests/memcached.pp
index 0fe8a614fb..173a9e5ff3 100644
--- a/puppet/zulip/manifests/memcached.pp
+++ b/puppet/zulip/manifests/memcached.pp
@@ -31,17 +31,29 @@ class zulip::memcached {
     content => zulipsecret('secrets', 'memcached_password', ''),
     notify  => Exec[generate_memcached_sasldb2],
   }
+  file { '/var/lib/zulip/memcached-sasldb2.stamp':
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => '1',
+    notify  => Exec[generate_memcached_sasldb2],
+  }
   exec { 'generate_memcached_sasldb2':
     require     => [
       Package[$memcached_packages],
       Package[$zulip::sasl_modules::sasl_module_packages],
-      File['/etc/sasl2/memcached-zulip-password'],
     ],
     refreshonly => true,
-    # Pass the hostname explicitly because otherwise saslpasswd2
-    # lowercases it and memcached does not.
-    command     => "bash -c 'saslpasswd2 -p -f /etc/sasl2/memcached-sasldb2 \
--a memcached -u \"\$HOSTNAME\" zulip < /etc/sasl2/memcached-zulip-password'",
+    # Use localhost for the currently recommended MEMCACHED_USERNAME =
+    # "zulip@localhost" and the hostname for compatibility with
+    # MEMCACHED_USERNAME = "zulip".
+    command     => "bash -euc '
+rm -f /etc/sasl2/memcached-sasldb2
+saslpasswd2 -p -f /etc/sasl2/memcached-sasldb2 \
+    -a memcached -u localhost zulip < /etc/sasl2/memcached-zulip-password
+saslpasswd2 -p -f /etc/sasl2/memcached-sasldb2 \
+    -a memcached -u \"\$HOSTNAME\" zulip < /etc/sasl2/memcached-zulip-password
+'",
   }
   file { '/etc/sasl2/memcached-sasldb2':
     require => Exec[generate_memcached_sasldb2],
diff --git a/zproject/default_settings.py b/zproject/default_settings.py
index e9cccd61d6..104b1426f2 100644
--- a/zproject/default_settings.py
+++ b/zproject/default_settings.py
@@ -123,7 +123,7 @@ BOT_CONFIG_SIZE_LIMIT = 10000
 # External service configuration
 CAMO_URI = ''
 MEMCACHED_LOCATION = '127.0.0.1:11211'
-MEMCACHED_USERNAME = None if get_secret("memcached_password") is None else "zulip"
+MEMCACHED_USERNAME = None if get_secret("memcached_password") is None else "zulip@localhost"
 RABBITMQ_HOST = '127.0.0.1'
 RABBITMQ_USERNAME = 'zulip'
 REDIS_HOST = '127.0.0.1'
diff --git a/zproject/prod_settings_template.py b/zproject/prod_settings_template.py
index 89a6026286..ec97e08cda 100644
--- a/zproject/prod_settings_template.py
+++ b/zproject/prod_settings_template.py
@@ -615,8 +615,8 @@ CAMO_URI = '/external_content/'
 # Format HOST:PORT
 # MEMCACHED_LOCATION = 127.0.0.1:11211
 # To authenticate to memcached, set memcached_password in zulip-secrets.conf,
-# and optionally change the default username 'zulip' here.
-# MEMCACHED_USERNAME = 'zulip'
+# and optionally change the default username 'zulip@localhost' here.
+# MEMCACHED_USERNAME = 'zulip@localhost'
 
 # Redis configuration
 #