summaryrefslogtreecommitdiff
path: root/docs/lib/passlib.hash.md5_crypt.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/lib/passlib.hash.md5_crypt.rst')
-rw-r--r--docs/lib/passlib.hash.md5_crypt.rst35
1 files changed, 16 insertions, 19 deletions
diff --git a/docs/lib/passlib.hash.md5_crypt.rst b/docs/lib/passlib.hash.md5_crypt.rst
index 4fb9db9..333a6e1 100644
--- a/docs/lib/passlib.hash.md5_crypt.rst
+++ b/docs/lib/passlib.hash.md5_crypt.rst
@@ -7,15 +7,13 @@
This algorithm was developed to replace the aging des-crypt crypt.
It is supported by a wide variety of unix flavors, and is found
-in other contexts as well.
-
-Security-wise, MD5-Crypt lacks newer features,
+in other contexts as well. Security-wise, MD5-Crypt lacks newer features,
such as a variable number of rounds. Futhermore, the MD5 message digest
algorithm which it's based around is considered broken,
though pre-image attacks are currently only theoretical.
Despite this, MD5-Crypt itself is not considered broken,
and is still considered ok to use, though new applications
-should use a strong scheme if feasible.
+should use a stronger scheme (eg :mod:`~passlib.hash.sha512_crypt`) if possible.
Usage
=====
@@ -33,21 +31,21 @@ Functions
Format
======
-This algorithm was created in parallel with
-the :ref:`modular-crypt-format`, and so it uses
-the identifier ``$1$`` for all of it's hashes.
-
-An md5-crypt hash string has length 26-34, with the format ``$1$<salt>$<checksum>``;
-where ``<salt>`` is 0-8 characters drawn from ``[0-9a-zA-Z./]``,
-and ``<checksum>`` is 22 characters drawn from the same set.
-
An example hash (of ``password``) is ``$1$5pZSV9va$azfrPr6af3Fc7dLblQXVa0``.
+An md5-crypt hash string has the format ``$1${salt}${checksum}``, where:
+
+* ``$1$`` is the prefix used to identify md5_crypt hashes,
+ following the :ref:`modular-crypt-format`
+* ``{salt}`` is 0-8 characters drawn from ``[./0-9A-Za-z]``,
+ providing a 48-bit salt (``5pZSV9va`` in the example).
+* ``{checksum}`` is 22 characters drawn from the same set,
+ encoding a 128-bit checksum (``azfrPr6af3Fc7dLblQXVa0`` in the example).
Algorithm
=========
The algorithm used by MD5-Crypt is convoluted,
and is best described by examining the BSD implementation
-linked to below.
+linked to below, or the source code to this module.
It uses the MD5 message digest algorithm to generate
various intermediate digests based on combinations
@@ -69,14 +67,13 @@ This implementation of md5-crypt differs from others in a few ways:
unix ``/etc/shadow`` files. Futhermore, most unix systems
will only generate salts using the standard 64 characters listed above.
This implementation follows along with that, by strictly limiting
- salt strings to the known-good set, until counter-examples are found.
+ salt strings to the least common denominator, ``[./0-9A-Za-z]``.
-* Unicode strings are encoded using UTF-8 before being passed into the algorithm.
+* Before generating a hash, PassLib encodes unicode passwords using UTF-8.
While the algorithm accepts passwords containing any 8-bit value
- except for ``\x00``, as of this writing, the authors
- know of no specification defining the official behavior that should be used
- for unicode strings.
+ except for ``\x00``, it specifies no preference for encodings,
+ or for handling unicode strings.
References
==========
-* `<http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libcrypt/crypt.c?rev=1.2>` - primary reference used for information & implementation
+* `<http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libcrypt/crypt.c?rev=1.2>`_ - primary reference used for information & implementation
View Lorry Controller Status