Defined by the same specification as sha256_crypt,
SHA512-Crypt is identical to SHA256-Crypt in almost every way, including
design and security issues. The only difference is the doubled digest size;
while this provides some increase in security, it’s also a bit slower on 32-bit operating systems.
This class implements the SHA512-Crypt password hash, and follows the Password Hash Interface.
It supports a variable-length salt, and a variable number of rounds.
The encrypt() and genconfig() methods accept the following optional keywords:
- salt (str) – Optional salt string.
If not specified, one will be autogenerated (this is recommended).
If specified, it must be 0-16 characters, drawn from the regexp range [./0-9A-Za-z].
- rounds (int) – Optional number of rounds to use.
Defaults to 60000, must be between 1000 and 999999999, inclusive.
- implicit_rounds (bool) –
This is an internal option which generally doesn’t need to be touched.
This flag determines whether the hash should omit the rounds parameter
when encoding it to a string; this is only permitted by the spec for rounds=5000,
and the flag is ignored otherwise. The spec requires that the two different
encodings be preserved as they are, instead of normalizing them.
- relaxed (bool) –
By default, providing an invalid value for one of the other
keywords will result in a ValueError. If relaxed=True,
and the error can be corrected, a PasslibHashWarning
will be issued instead. Correctable errors include rounds
that are too small or too large, and salt strings that are too long.
New in version 1.6.
This class will use the first available of two possible backends:
- stdlib crypt(), if the host OS supports SHA512-Crypt (most Linux systems).
- a pure python implementation of SHA512-Crypt built into passlib.
You can see which backend is in use by calling the get_backend() method.
Format & Algorithm
SHA512-Crypt is defined by the same specification as SHA256-Crypt.
The format and algorithm are exactly the same, except for
the following notable differences:
- it uses the modular crypt prefix $6$, whereas SHA256-Crypt uses $5$.
- it uses the SHA-512 message digest in place of the SHA-256 message digest.
- its output hash is correspondingly larger in size,
with an 86-character encoded checksum, instead of 43 characters.
See sha256_crypt for the format and algorithm descriptions,
as well as security notes.
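The string-level constraints stated on this page (the $6$ prefix, the optional rounds field with its implicit value of 5000, a 0-16 character salt, an 86-character checksum) can be checked without any hashing backend. The following is an added example, not passlib's own code; `parse_sha512_crypt`, `rounds_below` and the sample strings are hypothetical names and constructed values.

```python
import re
from typing import NamedTuple

MIN_ROUNDS, MAX_ROUNDS = 1000, 999999999   # limits stated above
IMPLICIT_ROUNDS = 5000                     # only value allowed to omit "rounds="
H64 = "[./0-9A-Za-z]"                      # salt / checksum alphabet

_PATTERN = re.compile(
    r"\$6\$(?:rounds=(?P<rounds>[0-9]+)\$)?"
    rf"(?P<salt>{H64}{{0,16}})\$(?P<checksum>{H64}{{86}})"
)

class Sha512CryptParts(NamedTuple):
    rounds: int
    implicit_rounds: bool   # True when the string omitted "rounds="
    salt: str
    checksum: str

def parse_sha512_crypt(hash_str: str) -> Sha512CryptParts:
    """Split a $6$ hash into its fields, or raise ValueError if malformed."""
    m = _PATTERN.fullmatch(hash_str)
    if m is None:
        raise ValueError("not a well-formed SHA512-Crypt string")
    raw = m.group("rounds")
    rounds = IMPLICIT_ROUNDS if raw is None else int(raw)
    if not MIN_ROUNDS <= rounds <= MAX_ROUNDS:
        raise ValueError(f"rounds={rounds} is outside {MIN_ROUNDS}..{MAX_ROUNDS}")
    return Sha512CryptParts(rounds, raw is None, m.group("salt"), m.group("checksum"))

def rounds_below(hash_str: str, floor: int = 60000) -> bool:
    """True if the work factor is under `floor` (default: the default rounds above)."""
    return parse_sha512_crypt(hash_str).rounds < floor

# Constructed samples: the checksum is filler of the right length, not a real digest.
FAKE_CHECKSUM = "A" * 86
SAMPLES = [
    "$6$saltsalt$" + FAKE_CHECKSUM,               # implicit rounds (5000)
    "$6$rounds=5000$saltsalt$" + FAKE_CHECKSUM,   # same cost, distinct encoding
    "$6$rounds=60000$saltsalt$" + FAKE_CHECKSUM,
]

if __name__ == "__main__":
    for s in SAMPLES:
        p = parse_sha512_crypt(s)
        print(p.rounds, p.implicit_rounds, rounds_below(s))
```

The first two samples parse to the same cost but keep distinct `implicit_rounds` values, which is what allows a caller to re-emit each string in its original encoding.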