
I've recently been implementing a set of Python routines for generating strong password hashes. The easy one, which has been around forever but isn't really that strong, includes only 2 characters of salt. There are several stronger formats that include up to 16 characters of salt and allow passwords longer than 8 characters. This format is called Modular Crypt Format, but searching the web for documentation does not produce much useful information.

Hopefully this post will help others who run into similar problems. This is what I've been able to find out about Modular Crypt Format.

Read on for details of this format.

The Modular Crypt Format is specified by the encoding of the salt, which is then passed to the C library function “crypt(3)” (or the Python standard library method “crypt.crypt()”).

In all cases the salt consists of characters made up of upper and lower case letters, digits, dot and slash; in other words, “[./a-zA-Z0-9]”. A prefix of the form “$N$”, where N identifies the method (as in the table below), is used to specify the Modular Crypt Format being used. No “$” prefix indicates a legacy 2-character salted password.

Here are the different options:

| Method  | Prefix | Salt Length | Example             |
|---------|--------|-------------|---------------------|
| Legacy  | (None) | 2           | tK                  |
| MD5     | $1$    | 8           | $1$Q6/P0YQT         |
| SHA-256 | $5$    | 16          | $5$QEDek12fCb8Hw.6U |
| SHA-512 | $6$    | 16          | $6$uz5ODdP3.XT5kF5V |
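
To make the table concrete, here is an added example (my own code, not part of the original post) that builds a salt of the right length for each prefix, splits a setting string or stored hash back into method, prefix and salt, and rejects anything that does not match the character set and lengths above. The `crypt` module is only imported inside the two hashing helpers, because it is deprecated in Python 3.11 and removed in 3.13; the parser and salt generator work without it. The “rounds=” extension some libcs accept is assumed out of scope and is not parsed.

```python
import re
import secrets

# Prefix -> (method name, salt length), taken from the table in the post.
METHODS = {
    "": ("legacy DES", 2),
    "$1$": ("MD5", 8),
    "$5$": ("SHA-256", 16),
    "$6$": ("SHA-512", 16),
}
SALT_ALPHABET = "./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
_SALT_RE = re.compile(r"^[./a-zA-Z0-9]+$")


def make_salt(prefix="$6$"):
    """Return prefix + a random salt of the length that method expects."""
    _, length = METHODS[prefix]
    return prefix + "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def parse_salt(setting):
    """Split a setting string or stored hash into (method, prefix, salt).

    Raises ValueError for an unknown prefix, a malformed "$...$" header, or a
    salt that is the wrong length or contains characters outside [./a-zA-Z0-9].
    """
    if setting.startswith("$"):
        parts = setting.split("$")          # "$6$salt$hash" -> ["", "6", "salt", "hash"]
        if len(parts) < 3 or parts[1] == "":
            raise ValueError("malformed Modular Crypt Format prefix")
        prefix, salt = "$" + parts[1] + "$", parts[2]
        if prefix not in METHODS:
            raise ValueError("unknown method prefix %r" % prefix)
    else:
        prefix, salt = "", setting[:2]      # legacy: first two characters are the salt
    method, expected = METHODS[prefix]
    if len(salt) != expected or not _SALT_RE.match(salt):
        raise ValueError("salt %r is not %d chars of [./a-zA-Z0-9]" % (salt, expected))
    return method, prefix, salt


def hash_password(password, prefix="$6$"):
    """Hash with crypt(3); needs the crypt module (present up to Python 3.12)."""
    import crypt
    return crypt.crypt(password, make_salt(prefix))


def verify_password(password, stored):
    """Re-hash with the salt recovered from the stored value and compare in constant time."""
    import crypt
    import hmac
    _, prefix, salt = parse_salt(stored)
    return hmac.compare_digest(crypt.crypt(password, prefix + salt), stored)
```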

There are also “2” and “2a” Blowfish-based formats, which seem to vary in implementation (for example, neither is supported in the glibc mainline).

It appears that DragonFly BSD supports a method 2 which is SHA-256, method 3 which is SHA-512, and method 4 which is Blowfish, all of which have 8 bytes of salt. However, I just came upon that information and don't have a DragonFly or other BSD system to verify it.

Beyond Modular Crypt Format, there is also an “Extended Format” which begins with an underscore. I haven't researched this at all.
