CRYPT(5) BSD File Formats Manual CRYPT(5)

crypt — storage format for hashed passphrases and available hashing
methods

The hashing methods implemented by crypt(3) are designed only to process
user passphrases for storage and authentication; they are not suitable
for use as general-purpose cryptographic hashes.

Passphrase hashing is not a replacement for strong passphrases. It is
always possible for an attacker with access to the hashed passphrases to
guess and check possible cleartext passphrases. However, with a strong
hashing method, guessing will be too slow for the attacker to discover a
strong passphrase.

All of the hashing methods use a “salt” to perturb the hash function, so
that the same passphrase may produce many possible hashes. Newer methods
accept longer salt strings. The salt should be chosen at random for each
user. Salt defeats a number of attacks:

1. It is not possible to hash a passphrase once and then test it
against each account's stored hash; the hash calculation must be
repeated for each account.

2. It is not possible to tell whether two accounts use the same
passphrase without successfully guessing one of the phrases.

3. Tables of precalculated hashes of commonly used passphrases must
have an entry for each possible salt, which makes them impractically
large.

All of the hashing methods are also deliberately engineered to be slow;
they use many iterations of an underlying cryptographic primitive to
increase the cost of each guess. The newer hashing methods allow the
number of iterations to be adjusted, using the “CPU time cost” parameter
to crypt_gensalt(3). This makes it possible to keep the hash slow as
hardware improves.

All of the hashing methods supported by crypt(3) produce a hashed
passphrase which consists of four components: prefix, options, salt, and
hash. The prefix controls which hashing method is to be used, and is the
appropriate string to pass to crypt_gensalt(3) to select that method.
The contents of options, salt, and hash are up to the method. Depending
on the method, the prefix and options components may be empty.

The setting argument to crypt(3) must begin with the first three
components of a valid hashed passphrase, but anything after that is
ignored. This makes authentication simple: hash the input passphrase
using the stored passphrase as the setting, and then compare the result
to the stored passphrase.

Hashed passphrases are always entirely printable ASCII, and do not
contain any whitespace or the characters ‘:’, ‘;’, ‘*’, ‘!’, or ‘\’.
(These characters are used as delimiters and special markers in the
passwd(5) and shadow(5) files.)

The syntax of each component of a hashed passphrase is up to the hashing
method. ‘$’ characters usually delimit components, and the salt and hash
are usually encoded as numerals in base 64. The details of this base-64
encoding vary among hashing methods. The common “base64” encoding
specified by RFC 4648 is usually not used.

This is a list of all the hashing methods supported by crypt(3), in
decreasing order of strength. Many of the older methods are now
considered too weak to use for new passphrases. The hashed passphrase
format is expressed with extended regular expressions (see regex(7)) and
does not show the division into prefix, options, salt, and hash.

yescrypt
yescrypt is a scalable passphrase hashing scheme designed by Solar
Designer, which is based on Colin Percival's scrypt. Recommended for new
hashes.

Prefix
"$y$"

Hashed passphrase format
\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43}

Maximum passphrase length
unlimited

Hash size
256 bits

Salt size
up to 512 (128+ recommended) bits

CPU time cost parameter
1 to 11 (logarithmic)

gost-yescrypt
gost-yescrypt uses the output from the yescrypt hashing method in place
of an HMAC message. Thus, the yescrypt crypto properties are superseded
by the GOST R 34.11-2012 (Streebog) hash function with a 256-bit digest.
This hashing method is useful in applications that need modern passphrase
hashing methods, but are required to rely on the cryptographic properties
of GOST algorithms. The GOST R 34.11-2012 (Streebog) hash function has
been published by the IETF as RFC 6986. Recommended for new hashes.

Prefix
"$gy$"

Hashed passphrase format
\$gy\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43}

Maximum passphrase length
unlimited

Hash size
256 bits

Salt size
up to 512 (128+ recommended) bits

CPU time cost parameter
1 to 11 (logarithmic)

scrypt
scrypt is a password-based key derivation function created by Colin
Percival, originally for the Tarsnap online backup service. The algorithm
was specifically designed to make it costly to perform large-scale custom
hardware attacks by requiring large amounts of memory. In 2016, the
scrypt algorithm was published by IETF as RFC 7914.

Prefix
"$7$"

Hashed passphrase format
\$7\$[./A-Za-z0-9]{11,97}\$[./A-Za-z0-9]{43}

Maximum passphrase length
unlimited

Hash size
256 bits

Salt size
up to 512 (128+ recommended) bits

CPU time cost parameter
6 to 11 (logarithmic)

bcrypt
A hash based on the Blowfish block cipher, modified to have an
extra-expensive key schedule. Originally developed by Niels Provos and
David Mazieres for OpenBSD and also supported on recent versions of
FreeBSD and NetBSD, on Solaris 10 and newer, and on several GNU/*/Linux
distributions.

Prefix
"$2b$"

Hashed passphrase format
\$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}

Maximum passphrase length
72 characters

Hash size
184 bits

Salt size
128 bits

CPU time cost parameter
4 to 31 (logarithmic)

The alternative prefix "$2y$" is equivalent to "$2b$". It exists for
historical reasons only. The alternative prefixes "$2a$" and "$2x$"
provide bug-compatibility with crypt_blowfish 1.0.4 and earlier, which
incorrectly processed characters with the 8th bit set.

sha512crypt
A hash based on SHA-2 with 512-bit output, originally developed by Ulrich
Drepper for GNU libc. Supported on Linux but not common elsewhere.
Acceptable for new hashes. The default CPU time cost parameter is 5000,
which is too low for modern hardware.

Prefix
"$6$"

Hashed passphrase format
\$6\$(rounds=[1-9][0-9]+\$)?[^$:\n]{1,16}\$[./0-9A-Za-z]{86}

Maximum passphrase length
unlimited

Hash size
512 bits

Salt size
6 to 96 bits

CPU time cost parameter
1000 to 999,999,999

sha256crypt
A hash based on SHA-2 with 256-bit output, originally developed by Ulrich
Drepper for GNU libc. Supported on Linux but not common elsewhere.
Acceptable for new hashes. The default CPU time cost parameter is 5000,
which is too low for modern hardware.

Prefix
"$5$"

Hashed passphrase format
\$5\$(rounds=[1-9][0-9]+\$)?[^$:\n]{1,16}\$[./0-9A-Za-z]{43}

Maximum passphrase length
unlimited

Hash size
256 bits

Salt size
6 to 96 bits

CPU time cost parameter
1000 to 999,999,999

sha1crypt
A hash based on HMAC-SHA1. Originally developed by Simon Gerraty for
NetBSD. Not as weak as the DES-based hashes below, but SHA1 is so cheap
on modern hardware that it should not be used for new hashes.

Prefix
"$sha1"

Hashed passphrase format
\$sha1\$[1-9][0-9]+\$[./0-9A-Za-z]{1,64}\$[./0-9A-Za-z]{8,64}[./0-9A-Za-z]{32}

Maximum passphrase length
unlimited

Hash size
160 bits

Salt size
6 to 384 bits

CPU time cost parameter
4 to 4,294,967,295

SunMD5
A hash based on the MD5 algorithm, with additional cleverness to make
precomputation difficult, originally developed by Alec David Muffett for
Solaris. Not adopted elsewhere, to our knowledge. Not as weak as the
DES-based hashes below, but MD5 is so cheap on modern hardware that it
should not be used for new hashes.

Prefix
"$md5"

Hashed passphrase format
\$md5(,rounds=[1-9][0-9]+)?\$[./0-9A-Za-z]{8}\${1,2}[./0-9A-Za-z]{22}

Maximum passphrase length
unlimited

Hash size
128 bits

Salt size
48 bits

CPU time cost parameter
4096 to 4,294,963,199

md5crypt
A hash based on the MD5 algorithm, originally developed by Poul-Henning
Kamp for FreeBSD. Supported on most free Unixes and newer versions of
Solaris. Not as weak as the DES-based hashes below, but MD5 is so cheap
on modern hardware that it should not be used for new hashes. CPU time
cost is not adjustable.

Prefix
"$1$"

Hashed passphrase format
\$1\$[^$:\n]{1,8}\$[./0-9A-Za-z]{22}

Maximum passphrase length
unlimited

Hash size
128 bits

Salt size
6 to 48 bits

CPU time cost parameter
1000

bsdicrypt (BSDI extended DES)
A weak extension of traditional DES, which eliminates the length limit,
increases the salt size, and makes the time cost tunable. It originates
with BSDI and is also available on at least NetBSD, OpenBSD, and FreeBSD
due to the use of David Burren's FreeSec library. It is better than
bigcrypt and traditional DES, but still should not be used for new
hashes.

Prefix
"_"

Hashed passphrase format
_[./0-9A-Za-z]{19}

Maximum passphrase length
unlimited (ignores 8th bit)

Hash size
64 bits

Effective key size
56 bits

Salt size
24 bits

CPU time cost parameter
1 to 16,777,215 (must be odd)

bigcrypt
A weak extension of traditional DES, available on some System V-derived
Unixes. All it does is raise the length limit from 8 to 128 characters,
and it does this in a crude way that allows attackers to guess chunks of
a long passphrase in parallel. It should not be used for new hashes.

Prefix
"" (empty string)

Hashed passphrase format
[./0-9A-Za-z]{13,178}

Maximum passphrase length
128 characters (ignores 8th bit)

Hash size
up to 1024 bits

Effective key size
up to 896 bits

Salt size
12 bits

CPU time cost parameter
25

descrypt (Traditional DES)
The original hashing method from Unix V7, based on the DES block cipher.
Because DES is cheap on modern hardware, because there are only 4096
possible salts and 2**56 possible hashes, and because it truncates
passphrases to 8 characters, it is feasible to discover any passphrase
hashed with this method. It should only be used if you absolutely have
to generate hashes that will work on an old operating system that
supports nothing else.

Prefix
"" (empty string)

Hashed passphrase format
[./0-9A-Za-z]{13}

Maximum passphrase length
8 characters (ignores 8th bit)

Hash size
64 bits

Effective key size
56 bits

Salt size
12 bits

CPU time cost parameter
25

NT
The hashing method used for network authentication in some versions of
the SMB/CIFS protocol. Available, for cross-compatibility's sake, on
FreeBSD. Based on MD4. Has no salt or tunable cost parameter. Like
traditional DES, it is so weak that any passphrase hashed with this
method is guessable. It should only be used if you absolutely have to
generate hashes that will work on an old operating system that supports
nothing else.

Prefix
"$3$"

Hashed passphrase format
\$3\$\$[0-9a-f]{32}

Maximum passphrase length
unlimited

Hash size
256 bits

Salt size
0 bits

CPU time cost parameter
1

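Added example, not part of the original manual page or of libxcrypt: an audit that identifies the hashing method of each shadow(5) entry with the format expressions listed above and flags entries that this page says should not be used for new hashes, or that rely on the default 5000 rounds. The names classify, audit and SAMPLE are hypothetical; the expressions are run with Python's re module rather than POSIX regex(7), and a leading ‘!’ is assumed to be the shadow(5) lock marker.

```python
import re

# Format expressions copied from this page, in its strength order, except that
# descrypt is tried before bigcrypt: a 13-character string satisfies both.
METHODS = [
    ("yescrypt", r"\$y\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43}"),
    ("gost-yescrypt", r"\$gy\$[./A-Za-z0-9]+\$[./A-Za-z0-9]{,86}\$[./A-Za-z0-9]{43}"),
    ("scrypt", r"\$7\$[./A-Za-z0-9]{11,97}\$[./A-Za-z0-9]{43}"),
    ("bcrypt", r"\$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}"),
    ("sha512crypt", r"\$6\$(rounds=[1-9][0-9]+\$)?[^$:\n]{1,16}\$[./0-9A-Za-z]{86}"),
    ("sha256crypt", r"\$5\$(rounds=[1-9][0-9]+\$)?[^$:\n]{1,16}\$[./0-9A-Za-z]{43}"),
    ("sha1crypt", r"\$sha1\$[1-9][0-9]+\$[./0-9A-Za-z]{1,64}\$[./0-9A-Za-z]{8,64}[./0-9A-Za-z]{32}"),
    ("SunMD5", r"\$md5(,rounds=[1-9][0-9]+)?\$[./0-9A-Za-z]{8}\${1,2}[./0-9A-Za-z]{22}"),
    ("md5crypt", r"\$1\$[^$:\n]{1,8}\$[./0-9A-Za-z]{22}"),
    ("bsdicrypt", r"_[./0-9A-Za-z]{19}"),
    ("descrypt", r"[./0-9A-Za-z]{13}"),
    ("bigcrypt", r"[./0-9A-Za-z]{13,178}"),
    ("NT", r"\$3\$\$[0-9a-f]{32}"),
]
# Methods this page says should not be used for new hashes.
LEGACY = {"sha1crypt", "SunMD5", "md5crypt", "bsdicrypt", "descrypt", "bigcrypt", "NT"}
COMPILED = [(name, re.compile(rx)) for name, rx in METHODS]

def classify(field):
    """Return (method, finding) for one hash field, or (None, reason)."""
    body = field.lstrip("!")  # assumed shadow(5) lock marker in front of a hash
    for name, rx in COMPILED:
        m = rx.fullmatch(body)
        if not m:
            continue
        if name in LEGACY:
            return name, "rehash: not for new hashes"
        if name in ("sha512crypt", "sha256crypt") and m.group(1) is None:
            return name, "raise rounds: default 5000 is too low"
        return name, "ok"
    return None, "not a hashed passphrase"

def audit(shadow_text):
    rows = (line.split(":") for line in shadow_text.splitlines() if line)
    return {row[0]: classify(row[1]) for row in rows}

# Constructed sample in shadow(5) layout; hash bodies are filler, not real hashes.
SAMPLE = "\n".join([
    "alice:$y$j9T$" + "s" * 22 + "$" + "h" * 43 + ":19000::::::",
    "bob:$6$saltsalt$" + "h" * 86 + ":19000::::::",
    "carol:$6$rounds=200000$saltsalt$" + "h" * 86 + ":19000::::::",
    "dave:!$1$saltsalt$" + "h" * 22 + ":19000::::::",
    "erin:" + "h" * 13 + ":19000::::::",
    "daemon:*:19000::::::",
])
```

Calling audit(SAMPLE) returns a dictionary keyed by account name; entries whose method is None are lock markers or empty fields rather than hashes.
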
crypt(3), crypt_gensalt(3), getpwent(3), passwd(5), shadow(5), pam(8)

Niels Provos and David Mazieres, “A Future-Adaptable Password Scheme”,
Proceedings of the 1999 USENIX Annual Technical Conference,
https://www.usenix.org/events/usenix99/provos.html, June 1999.

Robert Morris and Ken Thompson, “Password Security: A Case History”,
Communications of the ACM, 11, 22,
http://wolfram.schneider.org/bsd/7thEdManVol2/password/password.pdf,
1979.

Openwall Project October 11, 2017 Openwall Project