.. index:: Apache; md5 password hash

======================================================================
:class:`passlib.hash.apr_md5_crypt` - Apache's MD5-Crypt variant
======================================================================

.. warning::

    As of 2012-6-7, the MD5-Crypt algorithm is "no longer considered safe"
    by its author, who urges migration to newer hash algorithms.

.. currentmodule:: passlib.hash

This hash is a variation of :class:`~passlib.hash.md5_crypt`,
primarily used by the Apache webserver in ``htpasswd`` files.
It contains only minor changes to the MD5-Crypt algorithm,
and should be considered just as weak as MD5-Crypt itself.

.. seealso::

    * :ref:`password hash usage <password-hash-examples>` --
      for examples of how to use this class via the common hash interface.

    * :mod:`passlib.apache` -- routines for manipulating ``htpasswd`` files.

Interface
=========
.. autoclass:: apr_md5_crypt()

Format & Algorithm
==================
The format and algorithm of Apache's MD5-Crypt are identical
to the original MD5-Crypt, except for two changes:

1. The encoded string uses ``$apr1$`` as its prefix, while md5-crypt uses ``$1$``.

2. The algorithm uses ``$apr1$`` as a constant in the step where md5-crypt uses
   ``$1$`` in its calculation of digest B (see the :ref:`md5-crypt algorithm <md5-crypt-algorithm>`).
   Because of this change, even raw checksums generated by apr-md5-crypt and md5-crypt
   are not compatible with each other.

See :doc:`md5_crypt <passlib.hash.md5_crypt>` for the format & algorithm
descriptions, as well as security notes.
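
The following is an added example, not Passlib's own implementation: a standard-library sketch of the md5-crypt construction with the magic constant as a parameter, showing that the same password and salt give incompatible checksums and that relabeling the prefix does not convert a hash. The names ``md5_crypt_variant`` and ``verify`` and the sample password and salt are assumptions made for illustration.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte order in which the 16-byte digest is packed into 24-bit groups.
ORDER = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))

def _b64(value, count):
    """Emit `count` characters, low 6 bits first (crypt-style base64)."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt_variant(password, salt, magic):
    """magic is '$1$' (md5-crypt) or '$apr1$' (Apache); nothing else differs."""
    pw, s = password.encode("utf-8"), salt[:8].encode("ascii")
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = pw + magic.encode("ascii") + s   # magic is hashed here, not only prepended
    ctx += (alt * (len(pw) // 16 + 1))[:len(pw)]
    n = len(pw)
    while n:                               # one byte per bit of the password length
        ctx += b"\x00" if n & 1 else pw[:1]
        n >>= 1
    d = hashlib.md5(ctx).digest()
    for r in range(1000):                  # fixed round count
        buf = pw if r & 1 else d
        if r % 3:
            buf += s
        if r % 7:
            buf += pw
        buf += d if r & 1 else pw
        d = hashlib.md5(buf).digest()
    chk = "".join(_b64(d[a] << 16 | d[b] << 8 | d[c], 4) for a, b, c in ORDER)
    return magic + salt[:8] + "$" + chk + _b64(d[11], 2)

def verify(password, stored):
    """Select the variant from the stored prefix, recompute, compare in constant time."""
    magic = "$apr1$" if stored.startswith("$apr1$") else "$1$"
    if not stored.startswith(magic):
        return False
    salt = stored[len(magic):].split("$", 1)[0]
    candidate = md5_crypt_variant(password, salt, magic)
    return hmac.compare_digest(candidate.encode(), stored.encode())

if __name__ == "__main__":
    std = md5_crypt_variant("password", "saltsalt", "$1$")     # constructed inputs
    apr = md5_crypt_variant("password", "saltsalt", "$apr1$")
    relabeled = "$apr1$" + std[len("$1$"):]                     # prefix swap only
    print(std, apr, sep="\n")
    print(verify("password", std), verify("password", apr), verify("password", relabeled))
```

When migrating entries between a ``crypt()``-style store and an ``htpasswd`` file, the practical consequence is that hashes cannot be converted by editing the prefix; the password has to be rehashed at the next successful login.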

.. rubric:: Footnotes

.. [#] Apache's description of Apr-MD5-Crypt -
       `<http://httpd.apache.org/docs/2.2/misc/password_encryptions.html>`_