passlib.hash.apr_md5_crypt - Apache’s MD5-Crypt variant


This algorithm is not considered secure by modern standards. It should only be used when verifying existing hashes, or when interacting with applications that require this format. For new code, see the list of recommended hashes.

This hash is a variation of md5_crypt, primarily used by the Apache webserver in htpasswd files. It contains only minor changes to the MD5-Crypt algorithm, and should be considered just as weak as MD5-Crypt itself.


class passlib.hash.apr_md5_crypt

This class implements the Apr-MD5-Crypt password hash, and follows the PasswordHash API.

It supports a variable-length salt.

The using() method accepts the following optional keywords:

  • salt (str) – Optional salt string. If not specified, one will be autogenerated (this is recommended). If specified, it must be 0-8 characters, drawn from the regexp range [./0-9A-Za-z].
  • relaxed (bool) –

    By default, providing an invalid value for one of the other keywords will result in a ValueError. If relaxed=True, and the error can be corrected, a PasslibHashWarning will be issued instead. Correctable errors include salt strings that are too long.

    New in version 1.6.

Format & Algorithm

The format and algorithm of Apache’s MD5-Crypt are identical to the original MD5-Crypt, except for two changes:

  1. The encoded string uses $apr1$ as its prefix, while md5-crypt uses $1$.
  2. The algorithm uses $apr1$ as a constant in the step where md5-crypt uses $1$ in its calculation of digest B (see the md5-crypt algorithm). Because of this change, even raw checksums generated by apr-md5-crypt and md5-crypt are not compatible with each other.

See md5_crypt for the format & algorithm descriptions, as well as security notes.
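The two changes listed above can be seen in a standalone sketch of the MD5-Crypt core. This is an added example built on hashlib, not passlib's own code; the names crypt_md5 and verify are hypothetical, and it is meant for checking existing htpasswd entries, not for creating new hashes.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte order in which the final 16-byte digest is packed before encoding.
ORDER = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]

def crypt_md5(password: str, salt: str, magic: str = "$apr1$") -> str:
    """MD5-Crypt core; magic is "$1$" (md5-crypt) or "$apr1$" (Apache)."""
    if magic not in ("$1$", "$apr1$"):
        raise ValueError("unsupported prefix")
    if len(salt) > 8 or any(ch not in ITOA64 for ch in salt):
        raise ValueError("salt must be 0-8 characters from [./0-9A-Za-z]")
    pw, sl = password.encode("utf-8"), salt.encode("ascii")
    a = hashlib.md5(pw + sl + pw).digest()            # digest A
    b = hashlib.md5(pw + magic.encode("ascii") + sl)  # digest B: change 2
    b.update((a * (len(pw) // 16 + 1))[:len(pw)])     # A repeated to len(pw)
    i = len(pw)
    while i:                                          # one byte per bit of len(pw)
        b.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    d = b.digest()
    for r in range(1000):                             # fixed round count
        c = hashlib.md5(pw if r & 1 else d)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(d if r & 1 else pw)
        d = c.digest()
    groups = [((d[x] << 16) | (d[y] << 8) | d[z], 4) for x, y, z in ORDER]
    groups.append((d[11], 2))
    checksum = ""
    for value, count in groups:                       # 6 bits per output character
        for _ in range(count):
            checksum += ITOA64[value & 0x3F]
            value >>= 6
    return f"{magic}{salt}${checksum}"                # prefix: change 1

def verify(password: str, stored: str) -> bool:
    """Check a password against a stored $apr1$ or $1$ hash string."""
    magic = "$apr1$" if stored.startswith("$apr1$") else "$1$"
    salt = stored[len(magic):].split("$", 1)[0]
    try:
        expected = crypt_md5(password, salt, magic)
    except ValueError:                                # malformed salt in stored value
        return False
    return hmac.compare_digest(expected.encode(), stored.encode())
```

Calling crypt_md5 with the same password and salt under each prefix yields different checksums, which is why a $1$ hash cannot be converted to $apr1$ by rewriting the prefix.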

