As of 2012-6-7, this algorithm is “no longer considered safe” by its author , citing the increased speed of the MD5 hash on modern hardware, and MD5-Crypt’s lack of a variable time-cost parameter. See Passlib’s recommended hashes for a replacement.
This algorithm was developed for FreeBSD in 1994 by Poul-Henning Kamp, to replace the aging passlib.hash.des_crypt. It has since been adopted by a wide variety of other Unix flavors, and is found in many other contexts as well. Due to its origins, it’s sometimes referred to as “FreeBSD MD5 Crypt”. Security-wise it should now be considered weak, and most Unix flavors have since replaced it with stronger schemes (such as sha512_crypt and bcrypt).
This is also referred to on Cisco IOS systems as a “type 5” hash. The format and algorithm are identical, though Cisco seems to require 4 salt characters instead of the full 8 characters used by most systems .
The md5_crypt class can be can be used directly as follows:
>>> from passlib.hash import md5_crypt >>> # generate new salt, encrypt password >>> h = md5_crypt.encrypt("password") >>> h '$1$3azHgidD$SrJPt7B.9rekpmwJwtON31' >>> # verify the password >>> md5_crypt.verify("password", h) True >>> md5_crypt.verify("secret", h) False >>> # encrypt password using cisco-compatible 4-char salt >>> md5_crypt.encrypt("password", salt_size=4) '$1$wu98$9UuD3hvrwehnqyF1D548N0'
This class implements the MD5-Crypt password hash, and follows the Password Hash Interface.
It supports a variable-length salt.
This class will use the first available of two possible backends:
You can see which backend is in use by calling the get_backend() method.
An example md5-crypt hash (of the string password) is $1$5pZSV9va$azfrPr6af3Fc7dLblQXVa0.
An md5-crypt hash string has the format $1$salt$checksum, where:
The MD5-Crypt algorithm  calculates a checksum as follows:
A password string and salt string are provided.
(The salt should not include the magic prefix, it should match the string referred to as salt in the format section, above).
If needed, the salt should be truncated to a maximum of 8 characters.
Start MD5 digest A.
Add the password to digest A.
Add the constant string $1$ to digest A. (The Apache variant of MD5-Crypt uses $apr1$ instead, this is the only change made by this variant).
Add the salt to digest A.
For each block of 16 bytes in the password string, add digest B to digest A.
For the remaining N bytes of the password string, add the first N bytes of digest B to digest A.
For each bit in the binary representation of the length of the password string; starting with the lowest value bit, up to and including the largest-valued bit that is set to 1:
(If the password is the empty string, step 14 is omitted entirely).
Finish MD5 digest A.
MD5-Crypt has a couple of issues which have weakened severely:
Passlib’s implementation of md5-crypt differs from the reference implementation (and others) in two ways:
Restricted salt string character set:
The underlying algorithm can unambiguously handle salt strings which contain any possible byte value besides \x00 and $. However, Passlib strictly limits salts to the hash64 character set, as nearly all implementations of md5-crypt generate and expect salts containing those characters, but may have unexpected behaviors for other character values.
The underlying algorithm takes in a password specified as a series of non-null bytes, and does not specify what encoding should be used; though a us-ascii compatible encoding is implied by nearly all implementations of md5-crypt as well as all known reference hashes.
In order to provide support for unicode strings, Passlib will encode unicode passwords using utf-8 before running them through md5-crypt. If a different encoding is desired by an application, the password should be encoded before handing it to Passlib.
|||The authoritative reference for MD5-Crypt is Poul-Henning Kamp’s original FreeBSD implementation - http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libcrypt/crypt.c?rev=1.2|
|||Security issues with MD5 - http://en.wikipedia.org/wiki/MD5#Security.|
|||Note about Cisco Type 5 salt size - http://serverfault.com/a/46399.|
|||Deprecation Announcement from Poul-Henning Kamp - http://phk.freebsd.dk/sagas/md5crypt_eol.html.|