CRYPT(5)                 File Formats and Conversions                 CRYPT(5)

NAME

       crypt - storage format for hashed passphrases and available hashing
       methods

DESCRIPTION

       The hashing methods implemented by crypt(3) are designed only to
       process user passphrases for storage and authentication; they are not
       suitable for use as general-purpose cryptographic hashes.

       Passphrase hashing is not a replacement for strong passphrases. It is
       always possible for an attacker with access to the hashed passphrases
       to guess and check possible cleartext passphrases. However, with a
       strong hashing method, guessing will be too slow for the attacker to
       discover a strong passphrase.

       All of the hashing methods use a “salt” to perturb the hash function,
       so that the same passphrase may produce many possible hashes. Newer
       methods accept longer salt strings. The salt should be chosen at
       random for each user. Salt defeats a number of attacks:

       1.     It is not possible to hash a passphrase once and then test it
              against each account's stored hash; the hash calculation must be
              repeated for each account.

       2.     Tables of precalculated hashes of commonly used passphrases must
              have an entry for each possible salt, which makes them
              impractically large.

       3.     It is not possible to tell whether two accounts use the same
              passphrase without successfully guessing one of the phrases.

       All of the hashing methods are also deliberately engineered to be slow;
       they use many iterations of an underlying cryptographic primitive to
       increase the cost of each guess. The newer hashing methods allow the
       number of iterations to be adjusted, using the “CPU time cost”
       parameter to crypt_gensalt(3). This makes it possible to keep the hash
       slow as hardware improves.

FORMAT OF HASHED PASSPHRASES

       All of the hashing methods supported by libcrypt produce a hashed
       passphrase which consists of four components: prefix, options, salt,
       and hash. The prefix controls which hashing method is to be used, and
       is the appropriate string to pass to crypt_gensalt to select that
       method. The contents of options, salt, and hash are up to the method.
       Depending on the method, the prefix and options components may be
       empty.

       The setting argument to crypt must begin with the first three
       components of a valid hashed passphrase, but anything after that is
       ignored. This makes authentication simple: hash the input passphrase
       using the stored passphrase as the setting, and then compare the result
       to the stored passphrase.

       Hashed passphrases are always entirely printable ASCII, and do not
       contain any whitespace or the characters ‘:’, ‘;’, ‘*’, ‘!’, or ‘\’.
       (These characters are used as delimiters and special markers in the
       passwd(5) and shadow(5) files.)

       The syntax of each component of a hashed passphrase is up to the
       hashing method. ‘$’ characters usually delimit components, and the salt
       and hash are usually encoded as numerals in base 64. However, the
       details of the base-64 encoding vary among hashing methods and are
       usually not compatible with the common “base64” encoding.

AVAILABLE HASHING METHODS

       This is a list of all the hashing methods supported by libcrypt, in
       decreasing order of strength. Many of the older methods are now
       considered too weak to use for new passphrases. The encoded passphrase
       format is expressed with extended regular expressions (see regex(7))
       and does not show the division into prefix, options, salt, and hash.

   bcrypt
       A hash based on the Blowfish block cipher, modified to have an
       extra-expensive key schedule. Originally developed by Niels Provos and
       David Mazieres for OpenBSD and also supported on recent versions of
       FreeBSD and NetBSD, on Solaris 10 and newer, and on several GNU/*/Linux
       distributions. Recommended for new password hashes.

       prefix "$2b$"

       Encoded passphrase format
              \$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}

       Maximum password length
              72 characters

       Hash size
              184 bits

       Salt size
              128 bits

       CPU time cost parameter
              4 to 31 (logarithmic)

       The alternative prefix "$2y$" is equivalent to "$2b$". It exists for
       historical reasons only. The alternative prefixes "$2a$" and "$2x$"
       provide bug-compatibility with crypt_blowfish 1.0.4 and earlier, which
       incorrectly processed characters with the 8th bit set.

   SHA-2-512
       A hash based on SHA-2 with 512-bit output, originally developed by
       Ulrich Drepper for GNU libc. Supported on Linux but not common
       elsewhere. Acceptable for new password hashes. The default CPU time
       cost parameter is 5000, which is too low for modern hardware.

       prefix "$6$"

       Encoded passphrase format
              \$6\$(rounds=[1-9][0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}

       Maximum password length
              unlimited

       Hash size
              512 bits

       Salt size
              6 to 96 bits

       CPU time cost parameter
              1000 to 999,999,999

   SHA-2-256
       A hash based on SHA-2 with 256-bit output, originally developed by
       Ulrich Drepper for GNU libc. Supported on Linux but not common
       elsewhere. Acceptable for new password hashes. The default CPU time
       cost parameter is 5000, which is too low for modern hardware.

       prefix "$5$"

       Encoded passphrase format
              \$5\$(rounds=[1-9][0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}

       Maximum password length
              unlimited

       Hash size
              256 bits

       Salt size
              6 to 96 bits

       CPU time cost parameter
              1000 to 999,999,999

   SHA-1
       A hash based on HMAC-SHA1. Originally developed by Simon Gerraty for
       NetBSD. Not as weak as the DES-based hashes below, but SHA1 is so cheap
       on modern hardware that it should not be used for new hashes.

       prefix "$sha1"

       Encoded passphrase format
              \$sha1\$[1-9][0-9]+\$[./0-9A-Za-z]{1,64}\$[./0-9A-Za-z]{8,64}[./0-9A-Za-z]{32}

       Maximum password length
              unlimited

       Hash size
              160 bits

       Salt size
              6 to 384 bits

       CPU time cost parameter
              1 to 4,294,967,295

   MD5 (Sun)
       A hash based on the MD5 algorithm, with additional cleverness to make
       precomputation difficult, originally developed by Alec David Muffet for
       Solaris. Not adopted elsewhere, to our knowledge. Not as weak as the
       DES-based hashes below, but MD5 is so cheap on modern hardware that it
       should not be used for new hashes.

       prefix "$md5"

       Encoded passphrase format
              \$md5(,rounds=[1-9][0-9]+)?\$[./0-9A-Za-z]{8}\${1,2}[./0-9A-Za-z]{22}

       Maximum password length
              unlimited

       Hash size
              128 bits

       Salt size
              48 bits

       CPU time cost parameter
              4096 to 4,294,963,199

   MD5 (FreeBSD)
       A hash based on the MD5 algorithm, originally developed by Poul-Henning
       Kamp for FreeBSD. Supported on most free Unixes and newer versions of
       Solaris. Not as weak as the DES-based hashes below, but MD5 is so cheap
       on modern hardware that it should not be used for new hashes. CPU time
       cost is not adjustable.

       prefix "$1$"

       Encoded passphrase format
              \$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}

       Maximum password length
              unlimited

       Hash size
              128 bits

       Salt size
              6 to 48 bits

       CPU time cost parameter
              1000

   BSDI extended DES
       A weak extension of traditional DES, which eliminates the length limit,
       increases the salt size, and makes the time cost tunable. It originates
       with BSDI and is also available on at least NetBSD, OpenBSD, and
       FreeBSD due to the use of David Burren's FreeSec library. It is better
       than bigcrypt and traditional DES, but still should not be used for new
       hashes.

       prefix "_"

       Encoded passphrase format
              _[./0-9A-Za-z]{19}

       Maximum password length
              unlimited (ignores 8th bit)

       Hash size
              64 bits (effectively 56)

       Salt size
              24 bits

       CPU time cost parameter
              1 to 16,777,215 (must be odd)

   bigcrypt
       A weak extension of traditional DES, available on some System V-derived
       Unixes. All it does is raise the length limit from 8 to 128 characters,
       and it does this in a crude way that allows attackers to guess chunks
       of a long passphrase in parallel. It should not be used for new hashes.

       prefix "" (empty string)

       Encoded passphrase format
              [./0-9A-Za-z]{13,178}

       Maximum password length
              128 characters (ignores 8th bit)

       Hash size
              up to 1024 bits (effectively up to 896)

       Salt size
              12 bits

       CPU time cost parameter
              25

   Traditional DES-based
       The original hashing method from Unix V7, based on the DES block
       cipher. Because DES is cheap on modern hardware, because there are only
       4096 possible salts and 2**56 possible hashes, and because it truncates
       passphrases to 8 characters, it is feasible to discover any passphrase
       hashed with this method. It should only be used if you absolutely have
       to generate hashes that will work on an old operating system that
       supports nothing else.

       prefix "" (empty string)

       Encoded passphrase format
              [./0-9A-Za-z]{13}

       Maximum password length
              8 characters (ignores 8th bit)

       Hash size
              64 bits (effectively 56)

       Salt size
              12 bits

       CPU time cost parameter
              25

   NTHASH
       The hashing method used for network authentication in some versions of
       the SMB/CIFS protocol. Available, for cross-compatibility's sake, on
       FreeBSD. Based on MD4. Has no salt or tunable cost parameter. Like
       traditional DES, it is so weak that any passphrase hashed with this
       method is guessable. It should only be used if you absolutely have to
       generate hashes that will work on an old operating system that supports
       nothing else.

       prefix "$3$"

       Encoded passphrase format
              \$3\$\$[0-9a-f]{32}

       Maximum password length
              unlimited

       Hash size
              256 bits

       Salt size
              0 bits

       CPU time cost parameter
              1
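
       An added example (not part of the original manual page or of
       libcrypt): a C classifier that applies the encoded passphrase formats
       listed in this section as POSIX extended regular expressions, to report
       which method produced a stored hash and whether this page accepts that
       method for new hashes. The names classify, sample and ok_new are
       hypothetical, and the sample hashes are constructed filler rather than
       real crypt output.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
/* Added example, not libcrypt code. Patterns are this page's "Encoded passphrase
 * format" entries; ok_new is 1 where the page accepts the method for new hashes. */
struct method { const char *name, *ere; int ok_new; };
static const struct method methods[] = {
    {"bcrypt", "\\$2[abxy]\\$[0-9]{2}\\$[./A-Za-z0-9]{53}", 1},
    {"SHA-2-512", "\\$6\\$(rounds=[1-9][0-9]+\\$)?[./0-9A-Za-z]{1,16}\\$[./0-9A-Za-z]{86}", 1},
    {"SHA-2-256", "\\$5\\$(rounds=[1-9][0-9]+\\$)?[./0-9A-Za-z]{1,16}\\$[./0-9A-Za-z]{43}", 1},
    {"SHA-1", "\\$sha1\\$[1-9][0-9]+\\$[./0-9A-Za-z]{1,64}\\$[./0-9A-Za-z]{8,64}[./0-9A-Za-z]{32}", 0},
    {"MD5 (Sun)", "\\$md5(,rounds=[1-9][0-9]+)?\\$[./0-9A-Za-z]{8}\\${1,2}[./0-9A-Za-z]{22}", 0},
    {"MD5 (FreeBSD)", "\\$1\\$[^$]{1,8}\\$[./0-9A-Za-z]{22}", 0},
    {"BSDI extended DES", "_[./0-9A-Za-z]{19}", 0},
    {"Traditional DES", "[./0-9A-Za-z]{13}", 0}, /* before bigcrypt: 13 chars match both */
    {"bigcrypt", "[./0-9A-Za-z]{13,178}", 0},
    {"NTHASH", "\\$3\\$\\$[0-9a-f]{32}", 0},
};

/* Return the first method whose whole pattern matches, or NULL. */
const struct method *classify(const char *hashed) {
    for (size_t i = 0; i < sizeof methods / sizeof *methods; i++) {
        char anchored[256];
        regex_t re;
        snprintf(anchored, sizeof anchored, "^(%s)$", methods[i].ere);
        if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0) continue;
        int hit = regexec(&re, hashed, 0, NULL, 0) == 0;
        regfree(&re);
        if (hit) return &methods[i];
    }
    return NULL;
}

/* Constructed sample input: head followed by n 'a' characters. */
static const char *sample(char *buf, const char *head, size_t n) {
    int len = sprintf(buf, "%s", head);
    memset(buf + len, 'a', n);
    buf[len + n] = '\0';
    return buf;
}

int main(void) {
    static const struct { const char *head; size_t n; } in[] = {
        {"$2b$12$", 53}, {"$6$rounds=65536$salt$", 86}, {"$1$salt$", 22}, {"", 13}, {"!", 0} };
    char buf[256];
    for (size_t i = 0; i < sizeof in / sizeof *in; i++) {
        const struct method *m = classify(sample(buf, in[i].head, in[i].n));
        printf("%-24.24s %s%s\n", buf, m ? m->name : "not a hash", m && !m->ok_new ? " (weak)" : "");
    }
}
```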

SEE ALSO

       crypt(3), crypt_r(3), crypt_ra(3), crypt_rn(3), crypt_gensalt(3),
       getpwent(3), passwd(5), shadow(5), pam(8)

       Niels Provos and David Mazieres. A Future-Adaptable Password Scheme.
       Proceedings of the 1999 USENIX Annual Technical Conference, June 1999.
       https://www.usenix.org/events/usenix99/provos.html

       Robert Morris and Ken Thompson. Password Security: A Case History.
       Communications of the ACM, Volume 22, Issue 11, 1979.
       http://wolfram.schneider.org/bsd/7thEdManVol2/password/password.pdf

Openwall Project               October 11, 2017                       CRYPT(5)