MD5 Crypt — Passlib v1.7.4 Documentation (2024)

Danger

This algorithm is not considered secure by modern standards.It should only be used when verifying existing hashes,or when interacting with applications that require this format.For new code, see the list of recommended hashes.

See also

• password hash usage – for more usage examples
• apr_md5_crypt – Apache’s variant of this algorithm.

Interface¶

class passlib.hash.md5_crypt¶

This class implements the MD5-Crypt password hash, and follows the PasswordHash API.

It supports a variable-length salt.

The using() method accepts the following optional keywords:

Parameters:

salt (str) – Optional salt string.If not specified, one will be autogenerated (this is recommended).If specified, it must be 0-8 characters, drawn from the regexp range [./0-9A-Za-z]. salt_size (int) – Optional number of characters to use when autogenerating new salts.Defaults to 8, but can be any value between 0 and 8.(This is mainly needed when generating Cisco-compatible hashes,which require salt_size=4). relaxed (bool) – By default, providing an invalid value for one of the otherkeywords will result in a ValueError. If relaxed=True,and the error can be corrected, a PasslibHashWarningwill be issued instead. Correctable errors includesalt strings that are too long. New in version 1.6.

Format¶

An example md5-crypt hash (of the string password) is $1$5pZSV9va$azfrPr6af3Fc7dLblQXVa0.

An md5-crypt hash string has the format $1$salt$checksum, where:

• $1$ is the prefix used to identify md5-crypt hashes,following the Modular Crypt Format
• salt is 0-8 characters drawn from the regexp range [./0-9A-Za-z];providing a 48-bit salt (5pZSV9va in the example).
• checksum is 22 characters drawn from the same character set as the salt;encoding a 128-bit checksum (azfrPr6af3Fc7dLblQXVa0 in the example).

Algorithm¶

The MD5-Crypt algorithm [1] calculates a checksum as follows:

1. A password string and salt string are provided.

   (The salt should not include the magic prefix,it should match the string referred to as salt in the format section, above).

2. If needed, the salt should be truncated to a maximum of 8 characters.

3. Start MD5 digest B.
4. Add the password to digest B.
5. Add the salt to digest B.
6. Add the password to digest B.
7. Finish MD5 digest B.

8. Start MD5 digest A.

9. Add the password to digest A.

10. Add the constant string $1$ to digest A.(The Apache variant of MD5-Crypt uses $apr1$ instead,this is the only change made by this variant).

11. Add the salt to digest A.

12. For each block of 16 bytes in the password string,add digest B to digest A.

13. For the remaining N bytes of the password string,add the first N bytes of digest B to digest A.

14. For each bit in the binary representation of the lengthof the password string; starting with the lowest value bit,up to and including the largest-valued bit that is set to 1:

    1. If the current bit is set 1, add the first character of the password to digest A.
    2. Otherwise, add a NULL character to digest A.

    (If the password is the empty string, step 14 is omitted entirely).

15. Finish MD5 digest A.

16. For 1000 rounds (round values 0..999 inclusive),perform the following steps:
    1. Start MD5 Digest C for the round.
    2. If the round is odd, add the password to digest C.
    3. If the round is even, add the previous round’s result to digest C (for round 0, add digest A instead).
    4. If the round is not a multiple of 3, add the salt to digest C.
    5. If the round is not a multiple of 7, add the password to digest C.
    6. If the round is even, add the password to digest C.
    7. If the round is odd, add the previous round’s result to digest C (for round 0, add digest A instead).
    8. Use the final value of MD5 digest C as the result for this round.
17. Transpose the 16 bytes of the final round’s result in thefollowing order: 12,6,0,13,7,1,14,8,2,15,9,3,5,10,4,11.
18. Encode the resulting 16 byte string into a 22 characterhash64-encoded string(the 2 msb bits encoded by the last hash64 character are used as 0 padding).This results in the portion of the md5 crypt hash string referred to as checksum in the format section.

Security Issues¶

MD5-Crypt has a couple of issues which have weakened severely:

• It relies on the MD5 message digest, for which theoretical pre-image attacks exist [2].
• More seriously, its fixed number of rounds (combined with the availabilityof high-throughput MD5 implementations) means this algorithmis increasingly vulnerable to brute force attacks.It is this issue which has motivated its replacementby new algorithms such as bcryptand sha512_crypt.

Deviations¶

Passlib’s implementation of md5-crypt differs from the reference implementation (and others) in two ways:

• Restricted salt string character set:

  The underlying algorithm can unambiguously handle salt stringswhich contain any possible byte value besides \x00 and $.However, Passlib strictly limits salts to thehash64 character set,as nearly all implementations of md5-crypt generateand expect salts containing those characters,but may have unexpected behaviors for other character values.

• Unicode Policy:

  The underlying algorithm takes in a password specifiedas a series of non-null bytes, and does not specify what encodingshould be used; though a us-ascii compatible encodingis implied by nearly all implementations of md5-cryptas well as all known reference hashes.

  In order to provide support for unicode strings,Passlib will encode unicode passwords using utf-8before running them through md5-crypt. If a differentencoding is desired by an application, the password should be encodedbefore handing it to Passlib.

Footnotes