Generating password hashes
- Generating unix-style MD5 hash: openssl passwd -1 -salt QIGCa pippo
- produces: $1$QIGCa$/ruJs8AvmrknzKTzM2TYE.
- Generating password hash using the system’s native crypt() function: perl -e 'print crypt("pippo", "\$1\$QIGCa"),"\n"'
- Using Python’s Passlib library (http://packages.python.org/passlib/):
- Install Python (e.g. in Cygwin)
- Install Passlib library following instructions at http://packages.python.org/passlib/install.html
- start Python: python
- Calculate the SHA-256 Crypt hash of the word “password”:
>>> from passlib.hash import sha256_crypt
>>> hash = sha256_crypt.encrypt("password")
>>> hash
'$5$rounds=80000$9GPMLb8EE.1QFrUk$Y0XQiZRKMhOrB2GcfCeWREG.x3jCfa5pbmxSO/hjCE3'
>>> sha256_crypt.encrypt("password")
'$5$rounds=80000$9fjOxTQNeyPhsCvp$XmyKju3TfWUEPXGPXMZ6sIPcv26Uok7NLPyZhx5g7R9'
>>> sha256_crypt.encrypt("password", rounds=12345)
'$5$rounds=12345$Kk9DTJPMRyxGFB3q$7tdzdJXq4YRu7ms6PGo7zTlOHVwYOQO1aUeUsZ3Mrl5'
>>> sha256_crypt.verify("password", hash)
True
>>> sha256_crypt.verify("letmeinplz", hash)
False
- Generating BouncyCastle SHA1-512 hashes for use in Atlassian JIRA:
>>> from passlib.hash import atlassian_pbkdf2_sha1
>>> atlassian_pbkdf2_sha1.encrypt("password")
'{PKCS5S2}fU8ppRTCuJeS8n7PGYOQMhVqZ4hUidTIiWI4K8R8IBOXm/lYywaouSLtvlTeTr3V'
>>> atlassian_pbkdf2_sha1.encrypt("password")
'{PKCS5S2}+X+PMcYYAwBAKIWwFsJY639EipU1NXJfc1jKC5VYHZV7zoDI4zTEpKO4xZQoegg1'
>>> atlassian_pbkdf2_sha1.encrypt("password")
'{PKCS5S2}1Nq7N2YM4ZyTstZaSynlnGGh2rgAG+b7SB+9xreszUhrE39BnfwNg2RGm6tqvDg2'
>>> atlassian_pbkdf2_sha1.encrypt("password")
'{PKCS5S2}bu1dK0WotXYuBaB0bo2RslxMAp4JawLofUFw4S5fZdAtfsm3Ats6kO6j5NaHZCdt'
>>> atlassian_pbkdf2_sha1.encrypt("password")
'{PKCS5S2}z/mfc47xvjcm5Ny7dw7BeExB68Oc4XiTJvUS5HRAadKr4/Aomn1WOMMrMWtikUPK'
- Supported hashing algorithms:
- Archaic Unix Schemes:
- passlib.hash.des_crypt – DES Crypt
- passlib.hash.bsdi_crypt – BSDi Crypt
- passlib.hash.bigcrypt – BigCrypt
- passlib.hash.crypt16 – Crypt16
- Standard Unix Schemes:
- passlib.hash.md5_crypt – MD5 Crypt
- passlib.hash.bcrypt – BCrypt
- passlib.hash.sha1_crypt – SHA-1 Crypt
- passlib.hash.sun_md5_crypt – Sun MD5 Crypt
- passlib.hash.sha256_crypt – SHA-256 Crypt
- passlib.hash.sha512_crypt – SHA-512 Crypt
- Other Modular Crypt Schemes:
- passlib.hash.apr_md5_crypt – Apache’s MD5-Crypt variant
- passlib.hash.phpass – PHPass’ Portable Hash
- passlib.hash.pbkdf2_digest – Generic PBKDF2 Hashes
- passlib.hash.cta_pbkdf2_sha1 – Cryptacular’s PBKDF2 hash
- passlib.hash.dlitz_pbkdf2_sha1 – Dwayne Litzenberger’s PBKDF2 hash
- passlib.hash.scram – SCRAM Hash
- passlib.hash.bsd_nthash – FreeBSD’s MCF-compatible nthash encoding
- passlib.hash.unix_disabled – Unix Disabled Account Helper
- Standard LDAP (RFC2307) Schemes:
- passlib.hash.ldap_md5 – MD5 digest
- passlib.hash.ldap_sha1 – SHA1 digest
- passlib.hash.ldap_salted_md5 – salted MD5 digest
- passlib.hash.ldap_salted_sha1 – salted SHA1 digest
- passlib.hash.ldap_crypt – LDAP crypt() Wrappers
- passlib.hash.ldap_plaintext – LDAP-Aware Plaintext Handler
- Non-Standard LDAP Schemes:
- passlib.hash.ldap_hex_md5 – Hex-encoded MD5 Digest
- passlib.hash.ldap_hex_sha1 – Hex-encoded SHA1 Digest
- passlib.hash.ldap_pbkdf2_digest – Generic PBKDF2 Hashes
- passlib.hash.atlassian_pbkdf2_sha1 – Atlassian’s PBKDF2-based Hash
- passlib.hash.fshp – Fairly Secure Hashed Password
- passlib.hash.roundup_plaintext – Roundup-specific LDAP Plaintext Handler
- SQL Database Hashes:
- passlib.hash.mssql2000 – MS SQL 2000 password hash
- passlib.hash.mssql2005 – MS SQL 2005 password hash
- passlib.hash.mysql323 – MySQL 3.2.3 password hash
- passlib.hash.mysql41 – MySQL 4.1 password hash
- passlib.hash.postgres_md5 – PostgreSQL MD5 password hash
- passlib.hash.oracle10 – Oracle 10g password hash
- passlib.hash.oracle11 – Oracle 11g password hash
- MS Windows Hashes:
- passlib.hash.lmhash – LanManager Hash
- passlib.hash.nthash – Windows’ NT-HASH
- passlib.hash.msdcc – Windows’ Domain Cached Credentials
- passlib.hash.msdcc2 – Windows’ Domain Cached Credentials v2
- Other Hashes:
- passlib.hash.cisco_pix – Cisco PIX hash
- passlib.hash.cisco_type7 – Cisco “Type 7” hash
- passlib.hash.django_digest – Django-specific Hashes
- passlib.hash.grub_pbkdf2_sha512 – Grub’s PBKDF2 Hash
- passlib.hash.hex_digest – Generic Hexadecimal Digests
- passlib.hash.plaintext – Plaintext
- Cisco “Type 5” hashes
Passphrase Hashes
- Passphrase Hashes – http://www.users.zetnet.co.uk/hopwood/crypto/scan/ph.html
- Authenticators (= magic strings = marker strings): When a passphrase is verified, the first few characters of the authenticator [= “magic”] determine which mechanism is used:
- If the first character is not “$” or “_”, the traditional crypt3 is used. 2 chars salt. Only the first 8 chars of the passwords are used.
- “$1$”: MD5-crypt is used. [Linux, BSD]. Salt up to 8 chars long.
- “$2$”: Blowfish is used. [Linux] – OBSOLETE
- “$2a$”, bcrypt is used. NOTE: Some sources indicate use of Blowfish (OpenBSD) or eksblowfish.
- “$2x$” or “$2y$”, Blowfish is used.
- “$3$”, NT-hashman [FreeBSD] or deprecated/broken SHA-256
- “$4$”, deprecated/broken SHA-512
- “$5$”, SHA-256 [Linux]. Salt up to 16 chars long.
- “$6$”, SHA-512 [Linux]. Salt up to 16 chars long.
- Unknown: “$9$”, “$9a$”, “$15abc$”, “$apr1$”
- “$md5$”: Sun MD5
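The prefix rules above, applied in code: an added example (not from the original page) that classifies stored hash strings by their magic string and reports accounts still using the older mechanisms. The function names, the `LEGACY` set and the shadow-style sample lines are assumptions of this example; it uses only the Python standard library.

```python
# Added example: classify stored hashes by their leading "magic" string.
MAGIC = {  # identifier between the first two "$" -> mechanism from the list above
    "1": "MD5-crypt", "2": "Blowfish (obsolete)", "2a": "bcrypt",
    "2x": "Blowfish", "2y": "Blowfish", "5": "SHA-256", "6": "SHA-512",
    "md5": "Sun MD5",
}
# Assumption of this example: the mechanisms an audit should report.
LEGACY = {"traditional crypt3", "MD5-crypt", "Blowfish (obsolete)"}

def identify(stored):
    """Return mechanism, salt and rounds (bcrypt: cost) for one hash string."""
    info = {"mechanism": "unknown", "salt": None, "rounds": None}
    if not stored.startswith(("$", "_")):
        info.update(mechanism="traditional crypt3", salt=stored[:2])  # 2-char salt
        return info
    parts = stored.split("$")  # "$5$salt$hash" -> ["", "5", "salt", "hash"]
    ident = parts[1].split(",")[0] if len(parts) > 2 else ""
    if ident not in MAGIC:
        return info  # "_" prefix, or an identifier the list does not name
    info["mechanism"] = MAGIC[ident]
    fields = parts[2:]
    if ident in ("5", "6") and fields[0].startswith("rounds="):
        digits = fields[0][len("rounds="):]
        info["rounds"] = int(digits) if digits.isdigit() else None
        fields = fields[1:]  # the salt follows the optional rounds field
    if ident in ("1", "5", "6") and fields:
        info["salt"] = fields[0]
    elif ident.startswith("2") and len(fields) == 2 and fields[0].isdigit():
        info["rounds"] = int(fields[0])  # bcrypt cost (log2 of the work factor)
        info["salt"] = fields[1][:22]    # 22-character salt precedes the digest
    return info

def audit(shadow_lines):
    """Return user names whose hash uses a mechanism listed in LEGACY."""
    flagged = []
    for line in shadow_lines:
        user, stored = (line.split(":") + [""])[:2]
        if stored[:1] in ("", "!", "*"):
            continue  # empty or locked password field: nothing to classify
        if identify(stored)["mechanism"] in LEGACY:
            flagged.append(user)
    return flagged

# Constructed shadow-style sample; alice and bob reuse hashes printed on this page.
SAMPLE = [
    "alice:$1$QIGCa$/ruJs8AvmrknzKTzM2TYE.:15000:0:99999:7:::",
    "bob:$5$rounds=80000$9GPMLb8EE.1QFrUk$Y0XQiZRKMhOrB2GcfCeWREG.x3jCfa5pbmxSO/hjCE3::",
    "carol:abJnggxhB/yWI:15000:0:99999:7:::",
    "daemon:*:15000:0:99999:7:::",
]
print(audit(SAMPLE))
```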