CRYPT(5)                 File Formats and Conversions                 CRYPT(5)

NAME

       crypt - storage format for hashed passphrases and available hashing
       methods

DESCRIPTION

       The hashing methods implemented by crypt(3) are designed only to
       process user passphrases for storage and authentication; they are not
       suitable for use as general-purpose cryptographic hashes.

       Passphrase hashing is not a replacement for strong passphrases.  It is
       always possible for an attacker with access to the hashed passphrases
       to guess and check possible cleartext passphrases.  However, with a
       strong hashing method, guessing will be too slow for the attacker to
       discover a strong passphrase.

       All of the hashing methods use a “salt” to perturb the hash function,
       so that the same passphrase may produce many possible hashes.  Newer
       methods accept longer salt strings.  The salt should be chosen at
       random for each user.  Salt defeats a number of attacks:

       1.     It is not possible to hash a passphrase once and then test it
              against each account's stored hash; the hash calculation must be
              repeated for each account.

       2.     It is not possible to tell whether two accounts use the same
              passphrase without successfully guessing one of the phrases.

       3.     Tables of precalculated hashes of commonly used passphrases must
              have an entry for each possible salt, which makes them
              impractically large.

       All of the hashing methods are also deliberately engineered to be slow;
       they use many iterations of an underlying cryptographic primitive to
       increase the cost of each guess.  The newer hashing methods allow the
       number of iterations to be adjusted, using the “CPU time cost”
       parameter to crypt_gensalt(3).  This makes it possible to keep the hash
       slow as hardware improves.

FORMAT OF HASHED PASSPHRASES

       All of the hashing methods supported by libcrypt produce a hashed
       passphrase which consists of four components: prefix, options, salt,
       and hash.  The prefix controls which hashing method is to be used, and
       is the appropriate string to pass to crypt_gensalt to select that
       method.  The contents of options, salt, and hash are up to the method.
       Depending on the method, the prefix and options components may be
       empty.

       The setting argument to crypt must begin with the first three
       components of a valid hashed passphrase, but anything after that is
       ignored.  This makes authentication simple: hash the input passphrase
       using the stored passphrase as the setting, and then compare the result
       to the stored passphrase.

       Hashed passphrases are always entirely printable ASCII, and do not
       contain any whitespace or the characters ‘:’, ‘;’, ‘*’, ‘!’, or ‘\’.
       (These characters are used as delimiters and special markers in the
       passwd(5) and shadow(5) files.)

       The syntax of each component of a hashed passphrase is up to the
       hashing method.  ‘$’ characters usually delimit components, and the
       salt and hash are usually encoded as numerals in base 64.  The details
       of this base-64 encoding vary among hashing methods.  The common
       “base64” encoding specified by RFC 4648 is usually not used.

AVAILABLE HASHING METHODS

       This is a list of all the hashing methods supported by libcrypt, in
       decreasing order of strength.  Many of the older methods are now
       considered too weak to use for new passphrases.  The hashed passphrase
       format is expressed with extended regular expressions (see regex(7))
       and does not show the division into prefix, options, salt, and hash.

   yescrypt
       yescrypt is a scalable passphrase hashing scheme designed by Solar
       Designer, which is based on Colin Percival's scrypt.  Recommended for
       new hashes.

       prefix "$y$"

       Hashed passphrase format
              \$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43}

       Maximum passphrase length
              unlimited

       Hash size
              256 bits

       Salt size
              up to 512 bits

       CPU time cost parameter
              1 to 11 (logarithmic)

   scrypt
       scrypt is a password-based key derivation function created by Colin
       Percival, originally for the Tarsnap online backup service.  The
       algorithm was specifically designed to make it costly to perform
       large-scale custom hardware attacks by requiring large amounts of
       memory.  In 2016, the scrypt algorithm was published by IETF as
       RFC 7914.

       prefix "$7$"

       Hashed passphrase format
              \$7\$[./A-Za-z0-9]{11,97}\$[./A-Za-z0-9]{43}

       Maximum passphrase length
              unlimited

       Hash size
              256 bits

       Salt size
              up to 512 bits

       CPU time cost parameter
              6 to 11 (logarithmic)

   bcrypt
       A hash based on the Blowfish block cipher, modified to have an
       extra-expensive key schedule.  Originally developed by Niels Provos and
       David Mazieres for OpenBSD and also supported on recent versions of
       FreeBSD and NetBSD, on Solaris 10 and newer, and on several GNU/*/Linux
       distributions.

       prefix "$2b$"

       Hashed passphrase format
              \$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}

       Maximum passphrase length
              72 characters

       Hash size
              184 bits

       Salt size
              128 bits

       CPU time cost parameter
              4 to 31 (logarithmic)

       The alternative prefix "$2y$" is equivalent to "$2b$".  It exists for
       historical reasons only.  The alternative prefixes "$2a$" and "$2x$"
       provide bug-compatibility with crypt_blowfish 1.0.4 and earlier, which
       incorrectly processed characters with the 8th bit set.

   SHA-2-512
       A hash based on SHA-2 with 512-bit output, originally developed by
       Ulrich Drepper for GNU libc.  Supported on Linux but not common
       elsewhere.  Acceptable for new hashes.  The default CPU time cost
       parameter is 5000, which is too low for modern hardware.

       prefix "$6$"

       Hashed passphrase format
              \$6\$(rounds=[1-9][0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}

       Maximum passphrase length
              unlimited

       Hash size
              512 bits

       Salt size
              6 to 96 bits

       CPU time cost parameter
              1000 to 999,999,999

   SHA-2-256
       A hash based on SHA-2 with 256-bit output, originally developed by
       Ulrich Drepper for GNU libc.  Supported on Linux but not common
       elsewhere.  Acceptable for new hashes.  The default CPU time cost
       parameter is 5000, which is too low for modern hardware.

       prefix "$5$"

       Hashed passphrase format
              \$5\$(rounds=[1-9][0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}

       Maximum passphrase length
              unlimited

       Hash size
              256 bits

       Salt size
              6 to 96 bits

       CPU time cost parameter
              1000 to 999,999,999

   SHA-1
       A hash based on HMAC-SHA1.  Originally developed by Simon Gerraty for
       NetBSD.  Not as weak as the DES-based hashes below, but SHA1 is so
       cheap on modern hardware that it should not be used for new hashes.

       prefix "$sha1"

       Hashed passphrase format
              \$sha1\$[1-9][0-9]+\$[./0-9A-Za-z]{1,64}\$[./0-9A-Za-z]{8,64}[./0-9A-Za-z]{32}

       Maximum passphrase length
              unlimited

       Hash size
              160 bits

       Salt size
              6 to 384 bits

       CPU time cost parameter
              4 to 4,294,967,295

   MD5 (Sun)
       A hash based on the MD5 algorithm, with additional cleverness to make
       precomputation difficult, originally developed by Alec David Muffet for
       Solaris.  Not adopted elsewhere, to our knowledge.  Not as weak as the
       DES-based hashes below, but MD5 is so cheap on modern hardware that it
       should not be used for new hashes.

       prefix "$md5"

       Hashed passphrase format
              \$md5(,rounds=[1-9][0-9]+)?\$[./0-9A-Za-z]{8}\${1,2}[./0-9A-Za-z]{22}

       Maximum passphrase length
              unlimited

       Hash size
              128 bits

       Salt size
              48 bits

       CPU time cost parameter
              4096 to 4,294,963,199

   MD5 (FreeBSD)
       A hash based on the MD5 algorithm, originally developed by Poul-Henning
       Kamp for FreeBSD.  Supported on most free Unixes and newer versions of
       Solaris.  Not as weak as the DES-based hashes below, but MD5 is so
       cheap on modern hardware that it should not be used for new hashes.
       CPU time cost is not adjustable.

       prefix "$1$"

       Hashed passphrase format
              \$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}

       Maximum passphrase length
              unlimited

       Hash size
              128 bits

       Salt size
              6 to 48 bits

       CPU time cost parameter
              1000

   BSDI extended DES
       A weak extension of traditional DES, which eliminates the length limit,
       increases the salt size, and makes the time cost tunable.  It
       originates with BSDI and is also available on at least NetBSD, OpenBSD,
       and FreeBSD due to the use of David Burren's FreeSec library.  It is
       better than bigcrypt and traditional DES, but still should not be used
       for new hashes.

       prefix "_"

       Hashed passphrase format
              _[./0-9A-Za-z]{19}

       Maximum passphrase length
              unlimited (ignores 8th bit)

       Hash size
              64 bits

       Effective key size
              56 bits

       Salt size
              24 bits

       CPU time cost parameter
              1 to 16,777,215 (must be odd)

   bigcrypt
       A weak extension of traditional DES, available on some System V-derived
       Unixes.  All it does is raise the length limit from 8 to 128
       characters, and it does this in a crude way that allows attackers to
       guess chunks of a long passphrase in parallel.  It should not be used
       for new hashes.

       prefix "" (empty string)

       Hashed passphrase format
              [./0-9A-Za-z]{13,178}

       Maximum passphrase length
              128 characters (ignores 8th bit)

       Hash size
              up to 1024 bits

       Effective key size
              up to 896 bits

       Salt size
              12 bits

       CPU time cost parameter
              25

   Traditional DES-based
       The original hashing method from Unix V7, based on the DES block
       cipher.  Because DES is cheap on modern hardware, because there are
       only 4096 possible salts and 2**56 possible hashes, and because it
       truncates passphrases to 8 characters, it is feasible to discover any
       passphrase hashed with this method.  It should only be used if you
       absolutely have to generate hashes that will work on an old operating
       system that supports nothing else.

       prefix "" (empty string)

       Hashed passphrase format
              [./0-9A-Za-z]{13}

       Maximum passphrase length
              8 characters (ignores 8th bit)

       Hash size
              64 bits

       Effective key size
              56 bits

       Salt size
              12 bits

       CPU time cost parameter
              25

   NTHASH
       The hashing method used for network authentication in some versions of
       the SMB/CIFS protocol.  Available, for cross-compatibility's sake, on
       FreeBSD.  Based on MD4.  Has no salt or tunable cost parameter.  Like
       traditional DES, it is so weak that any passphrase hashed with this
       method is guessable.  It should only be used if you absolutely have to
       generate hashes that will work on an old operating system that supports
       nothing else.

       prefix "$3$"

       Hashed passphrase format
              \$3\$\$[0-9a-f]{32}

       Maximum passphrase length
              unlimited

       Hash size
              256 bits

       Salt size
              0 bits

       CPU time cost parameter
              1
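
       An added example, not part of this manual page or of libcrypt: a
       Python audit of shadow(5)-style lines that matches each hashed
       passphrase against the regular expressions listed above and flags
       the methods this page says should not be used for new hashes, as well
       as SHA-2 hashes whose rounds are at or below the default 5000.  The
       function names, finding strings and sample lines are constructed for
       illustration.

```python
import re
# (method, regex copied from this page, page advises against it for new hashes)
METHODS = [
    ("yescrypt", r"\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43}", False),
    ("scrypt", r"\$7\$[./A-Za-z0-9]{11,97}\$[./A-Za-z0-9]{43}", False),
    ("bcrypt", r"\$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}", False),
    ("SHA-2-512", r"\$6\$(rounds=[1-9][0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}", False),
    ("SHA-2-256", r"\$5\$(rounds=[1-9][0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}", False),
    ("SHA-1", r"\$sha1\$[1-9][0-9]+\$[./0-9A-Za-z]{1,64}\$[./0-9A-Za-z]{8,64}[./0-9A-Za-z]{32}", True),
    ("MD5 (Sun)", r"\$md5(,rounds=[1-9][0-9]+)?\$[./0-9A-Za-z]{8}\${1,2}[./0-9A-Za-z]{22}", True),
    ("MD5 (FreeBSD)", r"\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}", True),
    ("BSDI extended DES", r"_[./0-9A-Za-z]{19}", True),
    ("Traditional DES-based", r"[./0-9A-Za-z]{13}", True),  # before bigcrypt: 13 chars match both
    ("bigcrypt", r"[./0-9A-Za-z]{13,178}", True),
    ("NTHASH", r"\$3\$\$[0-9a-f]{32}", True),
]

def classify(field):
    """Return (method, discouraged) for a hashed passphrase, else (None, False)."""
    hits = ((name, bad) for name, rx, bad in METHODS if re.fullmatch(rx, field))
    return next(hits, (None, False))

def audit(shadow_text):
    """Yield (user, method, finding) for each shadow(5)-style line."""
    for line in shadow_text.splitlines():
        user, field = line.split(":")[:2]
        field = field.lstrip("!")  # a leading '!' marks a locked entry
        method, bad = classify(field)
        rounds = re.match(r"\$[56]\$rounds=([0-9]+)\$", field)
        if field in ("", "*"):
            finding = "no hash stored"
        elif method is None:
            finding = "unrecognised format"
        elif bad:
            finding = "not for new hashes"
        elif method.startswith("SHA-2") and int(rounds[1] if rounds else 5000) <= 5000:
            finding = "rounds at or below default 5000"
        else:
            finding = "no finding"
        yield user, method, finding

# Constructed sample lines: filler strings of the right length, not real hashes.
SAMPLE = "\n".join(f"{u}:{h}:19000::::::" for u, h in [
    ("alice", "$y$j9T$" + "a" * 16 + "$" + "b" * 43),
    ("bob", "$6$" + "s" * 16 + "$" + "h" * 86),
    ("carol", "$6$rounds=500000$" + "s" * 16 + "$" + "h" * 86),
    ("dave", "$1$" + "s" * 8 + "$" + "h" * 22),
    ("erin", "!"),
])
```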

SEE ALSO

       crypt(3), crypt_gensalt(3), getpwent(3), passwd(5), shadow(5), pam(8)

       Niels Provos and David Mazieres.  A Future-Adaptable Password Scheme.
       Proceedings of the 1999 USENIX Annual Technical Conference, June 1999.
       https://www.usenix.org/events/usenix99/provos.html

       Robert Morris and Ken Thompson.  Password Security: A Case History.
       Communications of the ACM, Volume 22, Issue 11, 1979.
       http://wolfram.schneider.org/bsd/7thEdManVol2/password/password.pdf

Openwall Project               October 11, 2017                       CRYPT(5)