Password Hashing Schemes — Passlib v1.7.4 Documentation

Overview

The passlib.hash module contains all the password hash algorithms built into Passlib. While each hash has its own options and output format, they all inherit from the PasswordHash base interface. The following pages describe each hash in detail, including its format, underlying algorithm, and known security issues.

Danger

Many of the hash algorithms listed below are *NOT* secure.

Passlib supports a wide array of hash algorithms, primarily to support legacy data and systems. If you want to choose a secure algorithm for a new application, see the Quickstart Guide.

Unix Hashes

Aside from “archaic” schemes such as des_crypt, most of the password hashes supported by modern Unix flavors adhere to the modular crypt format, allowing them to be easily distinguished when used within the same file. Variants of this format’s basic $scheme$salt$digest structure have also been adopted for use by other applications and password hash schemes.

Other “Modular Crypt” Hashes

The modular crypt format is a loose standard for password hash strings which started life under the Unix operating system, and is used by many of the Unix hashes (above). However, its basic $scheme$hash format has also been adopted by a number of application-specific hash algorithms:

LDAP / RFC2307 Hashes

All of the following hashes use a variant of the password hash format used by LDAPv2. Originally specified in RFC 2307 and used by OpenLDAP [1], the basic format {SCHEME}HASH has seen widespread adoption in a number of programs.
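As an added example (not part of the Passlib documentation), the following pure-Python helper sorts entries of a constructed password store by the two outer conventions described above, the modular crypt $scheme$... structure and the RFC 2307 {SCHEME}HASH form, without interpreting any individual scheme; the regexes, the HashInfo names and the sample entries are assumptions of this example, not passlib API.

```python
import base64
import binascii
import re
from collections import Counter
from dataclasses import dataclass

# Outer conventions described on the page (field meaning is scheme-specific):
#   modular crypt format:  $scheme$salt$digest   (variants insert extra fields)
#   RFC 2307 / LDAP style: {SCHEME}HASH          (HASH is base64)
MCF_RE = re.compile(r"^\$([A-Za-z0-9-]+)\$(.+)$")
LDAP_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(\S+)$")

@dataclass
class HashInfo:
    family: str   # "mcf", "ldap" or "legacy" (no scheme marker at all)
    scheme: str   # identifier between the delimiters, "" if none
    fields: list  # '$'-separated fields after the scheme, left unparsed

def classify_hash(value: str) -> HashInfo:
    """Split a stored hash by its outer format without interpreting the scheme."""
    m = MCF_RE.match(value)
    if m:  # e.g. bcrypt fuses salt+digest in one field, sha*_crypt may add rounds=
        return HashInfo("mcf", m.group(1), m.group(2).split("$"))
    m = LDAP_RE.match(value)
    if m:
        return HashInfo("ldap", m.group(1).upper(), [m.group(2)])
    return HashInfo("legacy", "", [value])  # "archaic" prefix-less style, e.g. des_crypt

def ldap_payload_is_base64(info: HashInfo) -> bool:
    """RFC 2307 payloads are base64; a failed decode marks a corrupt entry."""
    try:
        base64.b64decode(info.fields[0], validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

# Constructed "user:hash" lines; digests are placeholders, not real hashes.
SAMPLE_ENTRIES = [
    "alice:$6$rounds=5000$saltsalt$ConstructedSha512CryptDigest",
    "bob:$2b$12$ConstructedBcryptSaltAndDigestInOneField",
    "carol:{SSHA}aGVsbG8=",
    "dave:abJnggxhB/yWI",
]

def summarize(entries) -> Counter:
    """Count entries per outer format and scheme so legacy styles stand out."""
    counts = Counter()
    for line in entries:
        info = classify_hash(line.split(":", 1)[1])
        counts[f"{info.family}:{info.scheme}" if info.scheme else info.family] += 1
    return counts
```

Running summarize over a real store gives a quick inventory of which scheme identifiers are in use, which is the first step in finding entries still on legacy formats.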

Cisco Hashes

Cisco IOS

The following hashes are used in various places on Cisco IOS, and are usually referred to by a Cisco-assigned “type” code:

Cisco PIX & ASA

Separately from this, Cisco PIX & ASA firewalls have their own hash formats, generally identified by the “format” parameter in the username <user> password <hash> <format> config line they occur in. The following are known & handled by passlib: