cdepillabout / password

datatypes and functions for easily working with passwords in Haskell
http://hackage.haskell.org/package/password

Be able to use different hash formats #11

Open Vlix opened 4 years ago

Vlix commented 4 years ago

Seeing as some algorithms encode the password hashes in different ways, it might be a good idea to add functionality to dictate how the hash will be output (hashPassword) and/or how it will be read (checkPassword).

This will make the interoperability better between different programs/other languages, and thus make it easier for someone to switch to Haskell, or use Haskell to operate on already existing password hashes.

Here's a list of examples of different formats

Vlix commented 2 years ago

Started testing some other password libraries for formats they output. All hashes use testpass as the password. And only formats that differ are listed here (so you'll not see any bcrypt or argon2, since those have predefined hash formats)

I'll just add to this message if I find more later on.


Python's Passlib (1.7)

For PBKDF2, Passlib seems to use the OpenBSD Base64 encoding (with ./0-9A-Za-z) and ignoring any trailing =s. (Passlib calls this Hash64. See footnote: #1)

For scrypt, Passlib takes the argon2 approach, using ln for the logN rounds, r for the memory work, and p for the parallelism.


Node scrypt

GitHub README, Stackexchange explanation of the hash format

Example from the GitHub README (not self-generated):


PHP's PHPass(Lib) (>= v2.1)

PHPass(Lib) seems to use the same format as Python's Passlib, using the OpenBSD Base64 (Hash64) encoding (with ./0-9A-Za-z) and ignoring any trailing =s.


python-pbkdf2

Weird output format, not sure if this is generally used anywhere.


Yesod.Auth.Util.PasswordStore

writePwHash uses the same format we use in Data.Password.Scrypt (which I think we carried over from the scrypt library)


#1: Passlib's explanation of CharMaps (Base64, AltBase64, Hash64, Bcrypt64)
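
A sketch of reading and checking a hash in the Passlib-style scrypt layout described in the comment above (`$scrypt$ln=..,r=..,p=..$salt$hash`), added here as an illustration; it is not code from this thread or from the password library. The function names, the unpadded base64 variant with `.` in place of `+` for the salt and hash fields, and the accepted cost bounds are assumptions, and the sample hash is constructed by the code itself.

```python
import base64
import hashlib
import hmac

def ab64_decode(text: str) -> bytes:
    # Assumed field encoding: standard base64, '.' instead of '+', padding dropped.
    std = text.replace(".", "+")
    return base64.b64decode(std + "=" * (-len(std) % 4), validate=True)

def ab64_encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=").replace("+", ".")

def parse_scrypt_hash(encoded: str) -> dict:
    """Split '$scrypt$ln=<logN>,r=<r>,p=<p>$<salt>$<hash>' into its fields."""
    parts = encoded.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "scrypt":
        raise ValueError("not a $scrypt$ hash")
    params = {}
    for item in parts[2].split(","):
        key, sep, value = item.partition("=")
        if not sep or key in params or not value.isdigit():
            raise ValueError(f"bad parameter: {item!r}")
        params[key] = int(value)
    if set(params) != {"ln", "r", "p"}:
        raise ValueError("expected exactly ln, r and p")
    # Bound the cost read from stored data so a tampered record cannot demand
    # unbounded memory or CPU during verification (these limits are assumptions).
    if not (1 <= params["ln"] <= 20 and 1 <= params["r"] <= 32
            and 1 <= params["p"] <= 16):
        raise ValueError("cost parameters out of accepted range")
    return {**params, "salt": ab64_decode(parts[3]), "hash": ab64_decode(parts[4])}

def check_password(password: str, encoded: str) -> bool:
    f = parse_scrypt_hash(encoded)
    derived = hashlib.scrypt(password.encode("utf-8"), salt=f["salt"],
                             n=2 ** f["ln"], r=f["r"], p=f["p"],
                             maxmem=2 ** 31 - 1, dklen=len(f["hash"]))
    # Constant-time comparison of the derived key with the stored one.
    return hmac.compare_digest(derived, f["hash"])

def make_sample(password: str, salt: bytes, ln: int = 4) -> str:
    # Constructed sample for the demo; the cost is kept low so it runs quickly.
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** ln, r=8, p=1, dklen=32)
    return f"$scrypt$ln={ln},r=8,p=1${ab64_encode(salt)}${ab64_encode(digest)}"
```
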