CRYPT(5)                    BSD File Formats Manual                   CRYPT(5)

NAME

     crypt — storage format for hashed passphrases and available hashing
     methods

DESCRIPTION

     The hashing methods implemented by crypt(3) are designed only to process
     user passphrases for storage and authentication; they are not suitable
     for use as general-purpose cryptographic hashes.

     Passphrase hashing is not a replacement for strong passphrases.  It is
     always possible for an attacker with access to the hashed passphrases to
     guess and check possible cleartext passphrases.  However, with a strong
     hashing method, guessing will be too slow for the attacker to discover a
     strong passphrase.

     All of the hashing methods use a “salt” to perturb the hash function, so
     that the same passphrase may produce many possible hashes.  Newer methods
     accept longer salt strings.  The salt should be chosen at random for each
     user.  Salt defeats a number of attacks:

     1.   It is not possible to hash a passphrase once and then test it
          against each account's stored hash; the hash calculation must be
          repeated for each account.

     2.   It is not possible to tell whether two accounts use the same
          passphrase without successfully guessing one of the phrases.

     3.   Tables of precalculated hashes of commonly used passphrases must
          have an entry for each possible salt, which makes them impractically
          large.

     All of the hashing methods are also deliberately engineered to be slow;
     they use many iterations of an underlying cryptographic primitive to
     increase the cost of each guess.  The newer hashing methods allow the
     number of iterations to be adjusted, using the “CPU time cost” parameter
     to crypt_gensalt(3).  This makes it possible to keep the hash slow as
     hardware improves.

FORMAT OF HASHED PASSPHRASES

     All of the hashing methods supported by crypt(3) produce a hashed
     passphrase which consists of four components: prefix, options, salt, and
     hash.  The prefix controls which hashing method is to be used, and is the
     appropriate string to pass to crypt_gensalt(3) to select that method.
     The contents of options, salt, and hash are up to the method.  Depending
     on the method, the prefix and options components may be empty.

     The setting argument to crypt(3) must begin with the first three
     components of a valid hashed passphrase, but anything after that is
     ignored.  This makes authentication simple: hash the input passphrase
     using the stored passphrase as the setting, and then compare the result
     to the stored passphrase.

     Hashed passphrases are always entirely printable ASCII, and do not
     contain any whitespace or the characters ‘:’, ‘;’, ‘*’, ‘!’, or ‘\’.
     (These characters are used as delimiters and special markers in the
     passwd(5) and shadow(5) files.)

     The syntax of each component of a hashed passphrase is up to the hashing
     method.  ‘$’ characters usually delimit components, and the salt and hash
     are usually encoded as numerals in base 64.  The details of this base-64
     encoding vary among hashing methods.  The common “base64” encoding
     specified by RFC 4648 is usually not used.
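
     The authentication procedure described above, as an added example that
     is not part of the original manual page or of libxcrypt.  toy_crypt and
     its "$demo$" prefix are a constructed stand-in for crypt(3), not a real
     hashing method; verify follows the page's procedure, and also rejects
     output beginning with ‘*’ (libxcrypt's failure tokens) and compares in
     constant time.

```python
import base64, hashlib, hmac, re, secrets

# "$demo$" is a constructed stand-in, not a real crypt(3) method.  It lays out
# PBKDF2-HMAC-SHA256 as prefix, options ("rounds=N$"), salt, "$", hash.
SETTING = re.compile(r"\$demo\$rounds=([1-9][0-9]+)\$([./A-Za-z0-9]{1,22})")

def b64(raw):
    """Encode bytes using only the characters ./0-9A-Za-z."""
    return base64.b64encode(raw, altchars=b"./").decode().rstrip("=")

def new_setting(rounds=20000):
    """Prefix + options + a fresh random 128-bit salt for one user."""
    return f"$demo$rounds={rounds}${b64(secrets.token_bytes(16))}"

def toy_crypt(phrase, setting):
    """Like crypt(3): read prefix, options and salt from the start of
    `setting`, ignore whatever follows, return the full hashed passphrase."""
    m = SETTING.match(setting)
    if m is None:
        return "*0"          # failure token: can never equal a stored hash
    rounds, salt = int(m.group(1)), m.group(2)
    raw = hashlib.pbkdf2_hmac("sha256", phrase.encode(), salt.encode(), rounds)
    return f"$demo$rounds={rounds}${salt}${b64(raw)}"

def verify(candidate, stored, crypt_fn=toy_crypt):
    """Hash the candidate with the stored hash as the setting, then compare."""
    result = crypt_fn(candidate, stored)
    if not result or result.startswith("*"):
        return False         # hashing failed (bad setting, locked entry, ...)
    return hmac.compare_digest(result.encode(), stored.encode())

if __name__ == "__main__":
    stored = toy_crypt("correct horse battery", new_setting())
    print(stored, verify("correct horse battery", stored), verify("guess", stored))
```

     Two calls to new_setting() give the same passphrase two different
     hashes, which is the per-user salt property listed under DESCRIPTION.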

AVAILABLE HASHING METHODS

     This is a list of all the hashing methods supported by crypt(3), in
     decreasing order of strength.  Many of the older methods are now
     considered too weak to use for new passphrases.  The hashed passphrase
     format is expressed with extended regular expressions (see regex(7)) and
     does not show the division into prefix, options, salt, and hash.

   yescrypt
     yescrypt is a scalable passphrase hashing scheme designed by Solar
     Designer, which is based on Colin Percival's scrypt.  Recommended for new
     hashes.

     Prefix
         "$y$"

     Hashed passphrase format
         \$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43}

     Maximum passphrase length
         unlimited

     Hash size
         256 bits

     Salt size
         up to 512 (128+ recommended) bits

     CPU time cost parameter
         1 to 11 (logarithmic)

   gost-yescrypt
     gost-yescrypt uses the output from the yescrypt hashing method in place
     of an HMAC message.  Thus, the yescrypt crypto properties are superseded
     by the GOST R 34.11-2012 (Streebog) hash function with a 256-bit digest.
     This hashing method is useful in applications that need modern passphrase
     hashing methods, but must rely on the cryptographic properties of GOST
     algorithms.  The GOST R 34.11-2012 (Streebog) hash function has been
     published by the IETF as RFC 6986.  Recommended for new hashes.

     Prefix
         "$gy$"

     Hashed passphrase format
         \$gy\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43}

     Maximum passphrase length
         unlimited

     Hash size
         256 bits

     Salt size
         up to 512 (128+ recommended) bits

     CPU time cost parameter
         1 to 11 (logarithmic)

   scrypt
     scrypt is a password-based key derivation function created by Colin
     Percival, originally for the Tarsnap online backup service.  The
     algorithm was specifically designed to make it costly to perform
     large-scale custom hardware attacks by requiring large amounts of memory.
     In 2016, the scrypt algorithm was published by IETF as RFC 7914.

     Prefix
         "$7$"

     Hashed passphrase format
         \$7\$[./A-Za-z0-9]{11,97}\$[./A-Za-z0-9]{43}

     Maximum passphrase length
         unlimited

     Hash size
         256 bits

     Salt size
         up to 512 (128+ recommended) bits

     CPU time cost parameter
         6 to 11 (logarithmic)

   bcrypt
     A hash based on the Blowfish block cipher, modified to have an
     extra-expensive key schedule.  Originally developed by Niels Provos and
     David Mazieres for OpenBSD and also supported on recent versions of
     FreeBSD and NetBSD, on Solaris 10 and newer, and on several GNU/*/Linux
     distributions.

     Prefix
         "$2b$"

     Hashed passphrase format
         \$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}

     Maximum passphrase length
         72 characters

     Hash size
         184 bits

     Salt size
         128 bits

     CPU time cost parameter
         4 to 31 (logarithmic)

     The alternative prefix "$2y$" is equivalent to "$2b$".  It exists for
     historical reasons only.  The alternative prefixes "$2a$" and "$2x$"
     provide bug-compatibility with crypt_blowfish 1.0.4 and earlier, which
     incorrectly processed characters with the 8th bit set.

   sha512crypt
     A hash based on SHA-2 with 512-bit output, originally developed by Ulrich
     Drepper for GNU libc.  Supported on Linux but not common elsewhere.
     Acceptable for new hashes.  The default CPU time cost parameter is 5000,
     which is too low for modern hardware.

     Prefix
         "$6$"

     Hashed passphrase format
         \$6\$(rounds=[1-9][0-9]+\$)?[^$:\n]{1,16}\$[./0-9A-Za-z]{86}

     Maximum passphrase length
         unlimited

     Hash size
         512 bits

     Salt size
         6 to 96 bits

     CPU time cost parameter
         1000 to 999,999,999

   sha256crypt
     A hash based on SHA-2 with 256-bit output, originally developed by Ulrich
     Drepper for GNU libc.  Supported on Linux but not common elsewhere.
     Acceptable for new hashes.  The default CPU time cost parameter is 5000,
     which is too low for modern hardware.

     Prefix
         "$5$"

     Hashed passphrase format
         \$5\$(rounds=[1-9][0-9]+\$)?[^$:\n]{1,16}\$[./0-9A-Za-z]{43}

     Maximum passphrase length
         unlimited

     Hash size
         256 bits

     Salt size
         6 to 96 bits

     CPU time cost parameter
         1000 to 999,999,999

   sha1crypt
     A hash based on HMAC-SHA1.  Originally developed by Simon Gerraty for
     NetBSD.  Not as weak as the DES-based hashes below, but SHA1 is so cheap
     on modern hardware that it should not be used for new hashes.

     Prefix
         "$sha1"

     Hashed passphrase format
         \$sha1\$[1-9][0-9]+\$[./0-9A-Za-z]{1,64}\$[./0-9A-Za-z]{8,64}[./0-9A-Za-z]{32}

     Maximum passphrase length
         unlimited

     Hash size
         160 bits

     Salt size
         6 to 384 bits

     CPU time cost parameter
         4 to 4,294,967,295

   SunMD5
     A hash based on the MD5 algorithm, with additional cleverness to make
     precomputation difficult, originally developed by Alec David Muffett for
     Solaris.  Not adopted elsewhere, to our knowledge.  Not as weak as the
     DES-based hashes below, but MD5 is so cheap on modern hardware that it
     should not be used for new hashes.

     Prefix
         "$md5"

     Hashed passphrase format
         \$md5(,rounds=[1-9][0-9]+)?\$[./0-9A-Za-z]{8}\${1,2}[./0-9A-Za-z]{22}

     Maximum passphrase length
         unlimited

     Hash size
         128 bits

     Salt size
         48 bits

     CPU time cost parameter
         4096 to 4,294,963,199

   md5crypt
     A hash based on the MD5 algorithm, originally developed by Poul-Henning
     Kamp for FreeBSD.  Supported on most free Unixes and newer versions of
     Solaris.  Not as weak as the DES-based hashes below, but MD5 is so cheap
     on modern hardware that it should not be used for new hashes.  CPU time
     cost is not adjustable.

     Prefix
         "$1$"

     Hashed passphrase format
         \$1\$[^$:\n]{1,8}\$[./0-9A-Za-z]{22}

     Maximum passphrase length
         unlimited

     Hash size
         128 bits

     Salt size
         6 to 48 bits

     CPU time cost parameter
         1000

   bsdicrypt (BSDI extended DES)
     A weak extension of traditional DES, which eliminates the length limit,
     increases the salt size, and makes the time cost tunable.  It originates
     with BSDI and is also available on at least NetBSD, OpenBSD, and FreeBSD
     due to the use of David Burren's FreeSec library.  It is better than
     bigcrypt and traditional DES, but still should not be used for new
     hashes.

     Prefix
         "_"

     Hashed passphrase format
         _[./0-9A-Za-z]{19}

     Maximum passphrase length
         unlimited (ignores 8th bit)

     Hash size
         64 bits

     Effective key size
         56 bits

     Salt size
         24 bits

     CPU time cost parameter
         1 to 16,777,215 (must be odd)

   bigcrypt
     A weak extension of traditional DES, available on some System V-derived
     Unixes.  All it does is raise the length limit from 8 to 128 characters,
     and it does this in a crude way that allows attackers to guess chunks of
     a long passphrase in parallel.  It should not be used for new hashes.

     Prefix
         "" (empty string)

     Hashed passphrase format
         [./0-9A-Za-z]{13,178}

     Maximum passphrase length
         128 characters (ignores 8th bit)

     Hash size
         up to 1024 bits

     Effective key size
         up to 896 bits

     Salt size
         12 bits

     CPU time cost parameter
         25

   descrypt (Traditional DES)
     The original hashing method from Unix V7, based on the DES block cipher.
     Because DES is cheap on modern hardware, because there are only 4096
     possible salts and 2**56 possible hashes, and because it truncates
     passphrases to 8 characters, it is feasible to discover any passphrase
     hashed with this method.  It should only be used if you absolutely have
     to generate hashes that will work on an old operating system that
     supports nothing else.

     Prefix
         "" (empty string)

     Hashed passphrase format
         [./0-9A-Za-z]{13}

     Maximum passphrase length
         8 characters (ignores 8th bit)

     Hash size
         64 bits

     Effective key size
         56 bits

     Salt size
         12 bits

     CPU time cost parameter
         25

   NT
     The hashing method used for network authentication in some versions of
     the SMB/CIFS protocol.  Available, for cross-compatibility's sake, on
     FreeBSD.  Based on MD4.  Has no salt or tunable cost parameter.  Like
     traditional DES, it is so weak that any passphrase hashed with this
     method is guessable.  It should only be used if you absolutely have to
     generate hashes that will work on an old operating system that supports
     nothing else.

     Prefix
         "$3$"

     Hashed passphrase format
         \$3\$\$[0-9a-f]{32}

     Maximum passphrase length
         unlimited

     Hash size
         256 bits

     Salt size
         0 bits

     CPU time cost parameter
         1
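
     The formats listed above applied to an audit of shadow(5) entries, as an
     added example that is not part of the original manual page.  The regular
     expressions are copied from this page; the verdict labels, function
     names and sample entries are assumptions made for the illustration, and
     descrypt is tested before bigcrypt because a 13-character hash matches
     both patterns.

```python
import re

# (method, the page's verdict, the page's regex), in the page's order except
# that descrypt precedes bigcrypt: a 13-character hash matches both patterns.
METHODS = [
    ("yescrypt", "recommended", r"\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43}"),
    ("gost-yescrypt", "recommended", r"\$gy\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43}"),
    ("scrypt", "not rated", r"\$7\$[./A-Za-z0-9]{11,97}\$[./A-Za-z0-9]{43}"),
    ("bcrypt", "not rated", r"\$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}"),
    ("sha512crypt", "acceptable", r"\$6\$(rounds=[1-9][0-9]+\$)?[^$:\n]{1,16}\$[./0-9A-Za-z]{86}"),
    ("sha256crypt", "acceptable", r"\$5\$(rounds=[1-9][0-9]+\$)?[^$:\n]{1,16}\$[./0-9A-Za-z]{43}"),
    ("sha1crypt", "avoid", r"\$sha1\$[1-9][0-9]+\$[./0-9A-Za-z]{1,64}\$[./0-9A-Za-z]{8,64}[./0-9A-Za-z]{32}"),
    ("SunMD5", "avoid", r"\$md5(,rounds=[1-9][0-9]+)?\$[./0-9A-Za-z]{8}\${1,2}[./0-9A-Za-z]{22}"),
    ("md5crypt", "avoid", r"\$1\$[^$:\n]{1,8}\$[./0-9A-Za-z]{22}"),
    ("bsdicrypt", "avoid", r"_[./0-9A-Za-z]{19}"),
    ("descrypt", "avoid", r"[./0-9A-Za-z]{13}"),
    ("bigcrypt", "avoid", r"[./0-9A-Za-z]{13,178}"),
    ("NT", "avoid", r"\$3\$\$[0-9a-f]{32}"),
]
# sha256crypt/sha512crypt without "rounds=" run at the default of 5000.
DEFAULT_ROUNDS = re.compile(r"\$[56]\$(?!rounds=[1-9][0-9]+\$)")

def classify(field):
    """Return (method, verdict) for one hash field of a shadow(5) entry."""
    for name, verdict, pattern in METHODS:
        if re.fullmatch(pattern, field):
            if DEFAULT_ROUNDS.match(field):
                verdict += ", default 5000 rounds"
            return name, verdict
    return None, "not a hash"      # empty, locked ("!", "*") or unknown

def audit(shadow_text):
    """Return [(user, method, verdict)] for shadow(5)-format text."""
    rows = (line.split(":")[:2] for line in shadow_text.splitlines())
    return [(user, *classify(field)) for user, field in rows]

# Constructed entries: filler characters of the right length, not real hashes.
SAMPLE = "\n".join([
    "alice:$y$j9T$" + "A" * 22 + "$" + "B" * 43 + ":19000::::::",
    "bob:$6$saltsalt$" + "C" * 86 + ":19000::::::",
    "carol:$6$rounds=100000$saltsalt$" + "C" * 86 + ":19000::::::",
    "dave:$1$saltsalt$" + "D" * 22 + ":19000::::::",
    "erin:ab" + "E" * 11 + ":19000::::::",
    "frank:!:19000::::::",
])

print(*audit(SAMPLE), sep="\n")
```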

SEE ALSO

     crypt(3), crypt_gensalt(3), getpwent(3), passwd(5), shadow(5), pam(8)

     Niels Provos and David Mazieres, “A Future-Adaptable Password Scheme”,
     Proceedings of the 1999 USENIX Annual Technical Conference,
     https://www.usenix.org/events/usenix99/provos.html, June 1999.

     Robert Morris and Ken Thompson, “Password Security: A Case History”,
     Communications of the ACM, 11, 22,
     http://wolfram.schneider.org/bsd/7thEdManVol2/password/password.pdf,
     1979.

Openwall Project               October 11, 2017               Openwall Project