Provided by: libcrypt2-dev_4.1.1-1_amd64 bug

NAME

       crypt - storage format for hashed passphrases and available hashing methods

DESCRIPTION

       The  hashing methods implemented by crypt(3) are designed only to process user passphrases
       for storage  and  authentication;  they  are  not  suitable  for  use  as  general-purpose
       cryptographic hashes.

       Passphrase hashing is not a replacement for strong passphrases.  It is always possible for
       an attacker with access to the hashed passphrases to guess and  check  possible  cleartext
       passphrases.   However,  with  a  strong hashing method, guessing will be too slow for the
       attacker to discover a strong passphrase.

       All of the hashing methods use a “salt” to perturb the hash function,  so  that  the  same
       passphrase  may  produce  many possible hashes.  Newer methods accept longer salt strings.
       The salt should be chosen at random for each user.  Salt defeats a number of attacks:

       1.     It is not possible to hash  a  passphrase  once  and  then  test  it  against  each
              account's stored hash; the hash calculation must be repeated for each account.

       2.     Tables  of precalculated hashes of commonly used passphrases must have an entry for
              each possible salt, which makes them impractically large.

       3.     It is not possible to tell whether two accounts use  the  same  passphrase  without
              successfully guessing one of the phrases.

       All  of  the  hashing  methods  are also deliberately engineered to be slow; they use many
       iterations of an underlying cryptographic primitive to increase the cost  of  each  guess.
       The  newer  hashing  methods allow the number of iterations to be adjusted, using the “CPU
       time cost” parameter to crypt_gensalt(3).  This makes it possible to keep the hash slow as
       hardware improves.

FORMAT OF HASHED PASSPHRASES

       All  of  the  hashing  methods  supported  by  libcrypt  produce a hashed passphrase which
       consists of four components: prefix, options, salt, and hash.  The prefix  controls  which
       hashing  method  is  to be used, and is the appropriate string to pass to crypt_gensalt to
       select that method.  The contents of options,  salt,  and  hash  are  up  to  the  method.
       Depending on the method, the prefix and options components may be empty.

       The setting argument to crypt must begin with the first three components of a valid hashed
       passphrase, but anything after that is ignored.  This makes  authentication  simple:  hash
       the  input  passphrase  using  the  stored passphrase as the setting, and then compare the
       result to the stored passphrase.

       Hashed passphrases are always entirely printable ASCII, and do not contain any  whitespace
       or  the  characters  ‘:’, ‘;’, ‘*’, ‘!’, or ‘\’.  (These characters are used as delimiters
       and special markers in the passwd(5) and shadow(5) files.)

       The syntax of each component of a hashed passphrase is up  to  the  hashing  method.   ‘$’
       characters  usually  delimit  components,  and  the  salt  and hash are usually encoded as
       numerals in base 64.  However, the details of the  base-64  encoding  vary  among  hashing
       methods and are usually not compatible with the common “base64” encoding.

AVAILABLE HASHING METHODS

       This  is  a  list of all the hashing methods supported by libcrypt, in decreasing order of
       strength.  Many of the  older  methods  are  now  considered  too  weak  to  use  for  new
       passphrases.  The encoded passphrase format is expressed with extended regular expressions
       (see regex(7)) and does not show the division into prefix, options, salt, and hash.

   bcrypt
       A hash based on the Blowfish  block  cipher,  modified  to  have  an  extra-expensive  key
       schedule.   Originally  developed  by Niels Provos and David Mazieres for OpenBSD and also
       supported on recent versions of FreeBSD and NetBSD,  on  Solaris  10  and  newer,  and  on
       several GNU/*/Linux distributions.  Recommended for new password hashes.

       prefix "$2b$"

       Encoded passphrase format
              \$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}

       Maximum password length
              72 characters

       Hash size
              184 bits

       Salt size
              128 bits

       CPU time cost parameter
              4 to 31 (logarithmic)

       The  alternative  prefix "$2y$" is equivalent to "$2b$".  It exists for historical reasons
       only.   The  alternative  prefixes  "$2a$"  and  "$2x$"  provide  bug-compatibility   with
       crypt_blowfish  1.0.4 and earlier, which incorrectly processed characters with the 8th bit
       set.

   SHA-2-512
       A hash based on SHA-2 with 512-bit output, originally developed by Ulrich Drepper for  GNU
       libc.   Supported  on Linux but not common elsewhere.  Acceptable for new password hashes.
       The default CPU time cost parameter is 5000, which is too low for modern hardware.

       prefix "$6$"

       Encoded passphrase format
              \$6\$(rounds=[1-9][0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}

       Maximum password length
              unlimited

       Hash size
              512 bits

       Salt size
              6 to 96 bits

       CPU time cost parameter
              1000 to 999,999,999

   SHA-2-256
       A hash based on SHA-2 with 256-bit output, originally developed by Ulrich Drepper for  GNU
       libc.   Supported  on Linux but not common elsewhere.  Acceptable for new password hashes.
       The default CPU time cost parameter is 5000, which is too low for modern hardware.

       prefix "$5$"

       Encoded passphrase format
              \$5\$(rounds=[1-9][0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}

       Maximum password length
              unlimited

       Hash size
              256 bits

       Salt size
              6 to 96 bits

       CPU time cost parameter
              1000 to 999,999,999

   SHA-1
       A hash based on HMAC-SHA1.  Originally developed by Simon Gerraty for NetBSD.  Not as weak
       as  the DES-based hashes below, but SHA1 is so cheap on modern hardware that it should not
       be used for new hashes.

       prefix "$sha1"

       Encoded passphrase format
              \$sha1\$[1-9][0-9]+\$[./0-9A-Za-z]{1,64}\$[./0-9A-Za-z]{8,64}[./0-9A-Za-z]{32}

       Maximum password length
              unlimited

       Hash size
              160 bits

       Salt size
              6 to 384 bits

       CPU time cost parameter
              1 to 4,294,967,295

   MD5 (Sun)
       A hash based on the MD5 algorithm,  with  additional  cleverness  to  make  precomputation
       difficult,  originally developed by Alec David Muffet for Solaris.  Not adopted elsewhere,
       to our knowledge.  Not as weak as the DES-based hashes below,  but  MD5  is  so  cheap  on
       modern hardware that it should not be used for new hashes.

       prefix "$md5"

       Encoded passphrase format
              \$md5(,rounds=[1-9][0-9]+)?\$[./0-9A-Za-z]{8}\${1,2}[./0-9A-Za-z]{22}

       Maximum password length
              unlimited

       Hash size
              128 bits

       Salt size
              48 bits

       CPU time cost parameter
              4096 to 4,294,963,199

   MD5 (FreeBSD)
       A  hash based on the MD5 algorithm, originally developed by Poul-Henning Kamp for FreeBSD.
       Supported on most free Unixes and newer versions of Solaris.  Not as weak as the DES-based
       hashes  below,  but  MD5 is so cheap on modern hardware that it should not be used for new
       hashes.  CPU time cost is not adjustable.

       prefix "$1$"

       Encoded passphrase format
              \$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}

       Maximum password length
              unlimited

       Hash size
              128 bits

       Salt size
              6 to 48 bits

       CPU time cost parameter
              1000

   BSDI extended DES
       A weak extension of traditional DES, which eliminates the length limit, increases the salt
       size,  and  makes the time cost tunable.  It originates with BSDI and is also available on
       at least NetBSD, OpenBSD, and FreeBSD due to the use of David  Burren's  FreeSec  library.
       It  is  better  than  bigcrypt  and  traditional DES, but still should not be used for new
       hashes.

       prefix "_"

       Encoded passphrase format
              _[./0-9A-Za-z]{19}

       Maximum password length
              unlimited (ignores 8th bit)

       Hash size
              64 bits (effectively 56)

       Salt size
              24 bits

       CPU time cost parameter
              1 to 16,777,215 (must be odd)

   bigcrypt
       A weak extension of traditional DES, available on some System V-derived  Unixes.   All  it
       does  is  raise the length limit from 8 to 128 characters, and it does this in a crude way
       that allows attackers to guess chunks of a long passphrase in parallel.  It should not  be
       used for new hashes.

       prefix "" (empty string)

       Encoded passphrase format
              [./0-9A-Za-z]{13,178}

       Maximum password length
              128 characters (ignores 8th bit)

       Hash size
              up to 1024 bits (effectively up to 896)

       Salt size
              12 bits

       CPU time cost parameter
              25

   Traditional DES-based
       The  original  hashing method from Unix V7, based on the DES block cipher.  Because DES is
       cheap on modern hardware, because there are only 4096 possible salts  and  2**56  possible
       hashes,  and  because it truncates passphrases to 8 characters, it is feasible to discover
       any passphrase hashed with this method.  It should only be used if you absolutely have  to
       generate hashes that will work on an old operating system that supports nothing else.

       prefix "" (empty string)

       Encoded passphrase format
              [./0-9A-Za-z]{13}

       Maximum password length
              8 characters (ignores 8th bit)

       Hash size
              64 bits (effectively 56)

       Salt size
              12 bits

       CPU time cost parameter
              25

   NTHASH
       The  hashing  method  used  for  network  authentication  in some versions of the SMB/CIFS
       protocol.  Available, for cross-compatibility's sake, on FreeBSD.  Based on MD4.   Has  no
       salt  or  tunable cost parameter.  Like traditional DES, it is so weak that any passphrase
       hashed with this method is guessable.  It should only be used if you  absolutely  have  to
       generate hashes that will work on an old operating system that supports nothing else.

       prefix "$3$"

       Encoded passphrase format
              \$3\$\$[0-9a-f]{32}

       Maximum password length
              unlimited

       Hash size
              256 bits

       Salt size
              0 bits

       CPU time cost parameter
              1

SEE ALSO

       crypt(3), crypt_rn(3), crypt_gensalt(3), getpwent(3), passwd(5), shadow(5), pam(8)

       Niels  Provos and David Mazieres.  A Future-Adaptable Password Scheme.  Proceedings of the
       1999 USENIX Annual Technical Conference, June 1999.
       https://www.usenix.org/events/usenix99/provos.html

       Robert Morris and Ken Thompson.  Password Security: A Case History.  Communications of the
       ACM, Volume 22, Issue 11, 1979.
       http://wolfram.schneider.org/bsd/7thEdManVol2/password/password.pdf