1CRYPT(5) BSD File Formats Manual CRYPT(5)
2
4 crypt — storage format for hashed passphrases and available hashing meth‐
5 ods
6
8 The hashing methods implemented by crypt(3) are designed only to process
9 user passphrases for storage and authentication; they are not suitable
10 for use as general-purpose cryptographic hashes.
11 Passphrase hashing is not a replacement for strong passphrases. It is
13 always possible for an attacker with access to the hashed passphrases to
14 guess and check possible cleartext passphrases. However, with a strong
15 hashing method, guessing will be too slow for the attacker to discover a
16 strong passphrase.
17 All of the hashing methods use a “salt” to perturb the hash function, so
19 that the same passphrase may produce many possible hashes. Newer methods
20 accept longer salt strings. The salt should be chosen at random for each
21 user. Salt defeats a number of attacks:
22 1. It is not possible to hash a passphrase once and then test it
24 against each account's stored hash; the hash calculation must be
25 repeated for each account.
26 2. It is not possible to tell whether two accounts use the same
28 passphrase without successfully guessing one of the phrases.
29 3. Tables of precalculated hashes of commonly used passphrases must
31 have an entry for each possible salt, which makes them impractically
32 large.
33 All of the hashing methods are also deliberately engineered to be slow;
35 they use many iterations of an underlying cryptographic primitive to
36 increase the cost of each guess. The newer hashing methods allow the
37 number of iterations to be adjusted, using the “CPU time cost” parameter
38 to crypt_gensalt(3). This makes it possible to keep the hash slow as
39 hardware improves.
40
42 All of the hashing methods supported by crypt(3) produce a hashed
43 passphrase which consists of four components: prefix, options, salt, and
44 hash. The prefix controls which hashing method is to be used, and is the
45 appropriate string to pass to crypt_gensalt(3) to select that method.
46 The contents of options, salt, and hash are up to the method. Depending
47 on the method, the prefix and options components may be empty.
48 The setting argument to crypt(3) must begin with the first three compo‐
50 nents of a valid hashed passphrase, but anything after that is ignored.
51 This makes authentication simple: hash the input passphrase using the
52 stored passphrase as the setting, and then compare the result to the
53 stored passphrase.
54 Hashed passphrases are always entirely printable ASCII, and do not con‐
56 tain any whitespace or the characters ‘:’, ‘;’, ‘*’, ‘!’, or ‘\’. (These
57 characters are used as delimiters and special markers in the passwd(5)
58 and shadow(5) files.)
59 The syntax of each component of a hashed passphrase is up to the hashing
61 method. ‘$’ characters usually delimit components, and the salt and hash
62 are usually encoded as numerals in base 64. The details of this base-64
63 encoding vary among hashing methods. The common “base64” encoding speci‐
64 fied by RFC 4648 is usually not used.
65
67 This is a list of all the hashing methods supported by crypt(3), in
68 decreasing order of strength. Many of the older methods are now consid‐
69 ered too weak to use for new passphrases. The hashed passphrase format
70 is expressed with extended regular expressions (see regex(7)) and does
71 not show the division into prefix, options, salt, and hash.
72 yescrypt
74 yescrypt is a scalable passphrase hashing scheme designed by Solar
75 Designer, which is based on Colin Percival's scrypt. Recommended for new
76 hashes.
77 Prefix
79 "$y$"
80 Hashed passphrase format
82 \$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43}
83 Maximum passphrase length
85 unlimited
86 Hash size
88 256 bits
89 Salt size
91 up to 512 bits
92 CPU time cost parameter
94 1 to 11 (logarithmic)
95 gost-yescrypt
97 gost-yescrypt uses the output from the yescrypt hashing method in place
98 of a hmac message. Thus, the yescrypt crypto properties are superseded
99 by the GOST R 34.11-2012 (Streebog) hash function with a 256 bit digest.
100 This hashing method is useful in applications that need modern passphrase
101 hashing methods, but require to rely on the cryptographic properties of
102 GOST algorithms. The GOST R 34.11-2012 (Streebog) hash function has been
103 published by the IETF as RFC 6986. Recommended for new hashes.
104 Prefix
106 "$gy$"
107 Hashed passphrase format
109 \$gy\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43}
110 Maximum passphrase length
112 unlimited
113 Hash size
115 256 bits
116 Salt size
118 up to 512 bits
119 CPU time cost parameter
121 1 to 11 (logarithmic)
122 scrypt
124 scrypt is a password-based key derivation function created by Colin Per‐
125 cival, originally for the Tarsnap online backup service. The algorithm
126 was specifically designed to make it costly to perform large-scale custom
127 hardware attacks by requiring large amounts of memory. In 2016, the
128 scrypt algorithm was published by IETF as RFC 7914.
129 Prefix
131 "$7$"
132 Hashed passphrase format
134 \$7\$[./A-Za-z0-9]{11,97}\$[./A-Za-z0-9]{43}
135 Maximum passphrase length
137 unlimited
138 Hash size
140 256 bits
141 Salt size
143 up to 512 bits
144 CPU time cost parameter
146 6 to 11 (logarithmic)
147 bcrypt
149 A hash based on the Blowfish block cipher, modified to have an extra-
150 expensive key schedule. Originally developed by Niels Provos and David
151 Mazieres for OpenBSD and also supported on recent versions of FreeBSD and
152 NetBSD, on Solaris 10 and newer, and on several GNU/*/Linux distribu‐
153 tions.
154 Prefix
156 "$2b$"
157 Hashed passphrase format
159 \$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}
160 Maximum passphrase length
162 72 characters
163 Hash size
165 184 bits
166 Salt size
168 128 bits
169 CPU time cost parameter
171 4 to 31 (logarithmic)
172 The alternative prefix "$2y$" is equivalent to "$2b$". It exists for
174 historical reasons only. The alternative prefixes "$2a$" and "$2x$" pro‐
175 vide bug-compatibility with crypt_blowfish 1.0.4 and earlier, which
176 incorrectly processed characters with the 8th bit set.
177 sha512crypt
179 A hash based on SHA-2 with 512-bit output, originally developed by Ulrich
180 Drepper for GNU libc. Supported on Linux but not common elsewhere.
181 Acceptable for new hashes. The default CPU time cost parameter is 5000,
182 which is too low for modern hardware.
183 Prefix
185 "$6$"
186 Hashed passphrase format
188 \$6\$(rounds=[1-9][0-9]+\$)?[^$:\n]{1,16}\$[./0-9A-Za-z]{86}
189 Maximum passphrase length
191 unlimited
192 Hash size
194 512 bits
195 Salt size
197 6 to 96 bits
198 CPU time cost parameter
200 1000 to 999,999,999
201 sha256crypt
203 A hash based on SHA-2 with 256-bit output, originally developed by Ulrich
204 Drepper for GNU libc. Supported on Linux but not common elsewhere.
205 Acceptable for new hashes. The default CPU time cost parameter is 5000,
206 which is too low for modern hardware.
207 Prefix
209 "$5$"
210 Hashed passphrase format
212 \$5\$(rounds=[1-9][0-9]+\$)?[^$:\n]{1,16}\$[./0-9A-Za-z]{43}
213 Maximum passphrase length
215 unlimited
216 Hash size
218 256 bits
219 Salt size
221 6 to 96 bits
222 CPU time cost parameter
224 1000 to 999,999,999
225 sha1crypt
227 A hash based on HMAC-SHA1. Originally developed by Simon Gerraty for
228 NetBSD. Not as weak as the DES-based hashes below, but SHA1 is so cheap
229 on modern hardware that it should not be used for new hashes.
230 Prefix
232 "$sha1"
233 Hashed passphrase format
235 \$sha1\$[1-9][0-9]+\$[./0-9A-Za-z]{1,64}\$[./0-9A-Za-z]{8,64}[./0-9A-
236 Za-z]{32}
237 Maximum passphrase length
239 unlimited
240 Hash size
242 160 bits
243 Salt size
245 6 to 384 bits
246 CPU time cost parameter
248 4 to 4,294,967,295
249 SunMD5
251 A hash based on the MD5 algorithm, with additional cleverness to make
252 precomputation difficult, originally developed by Alec David Muffet for
253 Solaris. Not adopted elsewhere, to our knowledge. Not as weak as the
254 DES-based hashes below, but MD5 is so cheap on modern hardware that it
255 should not be used for new hashes.
256 Prefix
258 "$md5"
259 Hashed passphrase format
261 \$md5(,rounds=[1-9][0-9]+)?\$[./0-9A-Za-z]{8}\${1,2}[./0-9A-Za-z]{22}
262 Maximum passphrase length
265 unlimited
266 Hash size
268 128 bits
269 Salt size
271 48 bits
272 CPU time cost parameter
274 4096 to 4,294,963,199
275 md5crypt
277 A hash based on the MD5 algorithm, originally developed by Poul-Henning
278 Kamp for FreeBSD. Supported on most free Unixes and newer versions of
279 Solaris. Not as weak as the DES-based hashes below, but MD5 is so cheap
280 on modern hardware that it should not be used for new hashes. CPU time
281 cost is not adjustable.
282 Prefix
284 "$1$"
285 Hashed passphrase format
287 \$1\$[^$:\n]{1,8}\$[./0-9A-Za-z]{22}
288 Maximum passphrase length
290 unlimited
291 Hash size
293 128 bits
294 Salt size
296 6 to 48 bits
297 CPU time cost parameter
299 1000
300 bsdicrypt (BSDI extended DES)
302 A weak extension of traditional DES, which eliminates the length limit,
303 increases the salt size, and makes the time cost tunable. It originates
304 with BSDI and is also available on at least NetBSD, OpenBSD, and FreeBSD
305 due to the use of David Burren's FreeSec library. It is better than
306 bigcrypt and traditional DES, but still should not be used for new
307 hashes.
308 Prefix
310 "_"
311 Hashed passphrase format
313 _[./0-9A-Za-z]{19}
314 Maximum passphrase length
316 unlimited (ignores 8th bit)
317 Hash size
319 64 bits
320 Effective key size
322 56 bits
323 Salt size
325 24 bits
326 CPU time cost parameter
328 1 to 16,777,215 (must be odd)
329 bigcrypt
331 A weak extension of traditional DES, available on some System V-derived
332 Unixes. All it does is raise the length limit from 8 to 128 characters,
333 and it does this in a crude way that allows attackers to guess chunks of
334 a long passphrase in parallel. It should not be used for new hashes.
335 Prefix
337 "" (empty string)
338 Hashed passphrase format
340 [./0-9A-Za-z]{13,178}
341 Maximum passphrase length
343 128 characters (ignores 8th bit)
344 Hash size
346 up to 1024 bits
347 Effective key size
349 up to 896 bits
350 Salt size
352 12 bits
353 CPU time cost parameter
355 25
356 descrypt (Traditional DES)
358 The original hashing method from Unix V7, based on the DES block cipher.
359 Because DES is cheap on modern hardware, because there are only 4096 pos‐
360 sible salts and 2**56 possible hashes, and because it truncates
361 passphrases to 8 characters, it is feasible to discover any passphrase
362 hashed with this method. It should only be used if you absolutely have
363 to generate hashes that will work on an old operating system that sup‐
364 ports nothing else.
365 Prefix
367 "" (empty string)
368 Hashed passphrase format
370 [./0-9A-Za-z]{13}
371 Maximum passphrase length
373 8 characters (ignores 8th bit)
374 Hash size
376 64 bits
377 Effective key size
379 56 bits
380 Salt size
382 12 bits
383 CPU time cost parameter
385 25
386 NT
388 The hashing method used for network authentication in some versions of
389 the SMB/CIFS protocol. Available, for cross-compatibility's sake, on
390 FreeBSD. Based on MD4. Has no salt or tunable cost parameter. Like
391 traditional DES, it is so weak that any passphrase hashed with this
392 method is guessable. It should only be used if you absolutely have to
393 generate hashes that will work on an old operating system that supports
394 nothing else.
395 Prefix
397 "$3$"
398 Hashed passphrase format
400 \$3\$\$[0-9a-f]{32}
401 Maximum passphrase length
403 unlimited
404 Hash size
406 256 bits
407 Salt size
409 0 bits
410 CPU time cost parameter
412 1
413
415 crypt(3), crypt_gensalt(3), getpwent(3), passwd(5), shadow(5), pam(8)
416 Niels Provos and David Mazieres, "A Future-Adaptable Password Scheme",
418 Proceedings of the 1999 USENIX Annual Technical Conference,
419 https://www.usenix.org/events/usenix99/provos.html, June 1999.
420 Robert Morris and Ken Thompson, "Password Security: A Case History",
422 Communications of the ACM, 11, 22,
423 http://wolfram.schneider.org/bsd/7thEdManVol2/password/password.pdf,
424 1979.
425Openwall Project October 11, 2017 Openwall Project