-1

I'm generating SHA-512 encoded password keys with this Python Passlib command:

python -c "from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.encrypt(getpass.getpass()))"

This is per the Ansible documentation (http://docs.ansible.com/ansible/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module).

It prompts for a password, which I input. And then it returns the key.

Regardless of the password I input, all keys created begin with $6$rounds=...

What does this mean? Is this part of the key?

tim_xyz

1 Answer

3

This indicates the schema for the algorithm used. In the case of sha512_crypt, 6 indicates sha512 and rounds=x indicates the number of rounds used to compute the hash.

Also current NIST standards suggest pbkdf2_sha256 for password hashing.

Jakob Bowyer
  • Should the round be included in the string when using the key? – tim_xyz Oct 06 '16 at 20:50
  • @tim_xyz The 'Format' section of passlib's [sha256_crypt manpage](http://passlib.readthedocs.io/en/stable/lib/passlib.hash.sha256_crypt.html#format-algorithm) describes the full format of the hash string. sha512_crypt has the same format, just with $6$ and a longer digest. – Eli Collins Nov 11 '16 at 15:15
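
The format discussed in the answer and comments above, as an added example that is not part of the original posts and is not passlib's own code: a standard-library parser that splits a `$5$`/`$6$` hash string into its fields. The sample string uses a constructed placeholder salt and digest, and the names `parse_sha_crypt` and `CryptHash` are hypothetical.

```python
import re
from typing import NamedTuple

# Scheme identifier -> (name, digest length in characters)
SCHEMES = {"5": ("sha256_crypt", 43), "6": ("sha512_crypt", 86)}
IMPLICIT_ROUNDS = 5000  # value the algorithm uses when no rounds= field is present
H64 = r"[./0-9A-Za-z]"  # alphabet used for salt and digest

PATTERN = re.compile(
    r"\$(?P<ident>[56])\$(?:rounds=(?P<rounds>[1-9][0-9]*)\$)?"
    r"(?P<salt>" + H64 + r"{0,16})\$(?P<digest>" + H64 + r"+)"
)


class CryptHash(NamedTuple):
    scheme: str
    rounds: int
    rounds_explicit: bool
    salt: str
    digest: str


def parse_sha_crypt(value: str) -> CryptHash:
    """Split a $5$/$6$ hash string into fields, rejecting malformed input."""
    m = PATTERN.fullmatch(value)
    if m is None:
        raise ValueError("not a sha256_crypt/sha512_crypt string")
    scheme, digest_len = SCHEMES[m["ident"]]
    if len(m["digest"]) != digest_len:
        raise ValueError(f"{scheme} digest must be {digest_len} characters")
    explicit = m["rounds"] is not None
    rounds = int(m["rounds"]) if explicit else IMPLICIT_ROUNDS
    if not 1000 <= rounds <= 999_999_999:
        raise ValueError("rounds outside the range the algorithm accepts")
    return CryptHash(scheme, rounds, explicit, m["salt"], m["digest"])


# Constructed sample: placeholder salt and digest, not a real password hash.
SAMPLE = "$6$rounds=656000$ExampleSaltValue$" + "A" * 86

if __name__ == "__main__":
    print(parse_sha_crypt(SAMPLE))
    # Dropping the rounds field yields a different, still valid-looking string
    # that a verifier would evaluate with 5000 rounds instead of 656000.
    stripped = SAMPLE.replace("rounds=656000$", "")
    print(parse_sha_crypt(stripped))
```

The identifier, rounds and salt are parameters a verifier reads back out of the stored string, so the string is stored and passed on whole.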