passlib.hash.sha512_crypt - SHA-512 Crypt

Defined by the same specification as sha256_crypt, SHA512-Crypt is identical to SHA256-Crypt in almost every way, including design and security issues. The only difference is the doubled digest size; while this provides some increase in security, it’s also a bit slower 32 bit operating systems.

See also

  • password hash usage – for examples of how to use this class via the common hash interface.
  • sha256_crypt – the companion 256-bit version of this hash.


class passlib.hash.sha512_crypt

This class implements the SHA512-Crypt password hash, and follows the PasswordHash API.

It supports a variable-length salt, and a variable number of rounds.

The using() method accepts the following optional keywords:

  • salt (str) – Optional salt string. If not specified, one will be autogenerated (this is recommended). If specified, it must be 0-16 characters, drawn from the regexp range [./0-9A-Za-z].
  • rounds (int) – Optional number of rounds to use. Defaults to 656000, must be between 1000 and 999999999, inclusive.
  • implicit_rounds (bool) –

    this is an internal option which generally doesn’t need to be touched.

    this flag determines whether the hash should omit the rounds parameter when encoding it to a string; this is only permitted by the spec for rounds=5000, and the flag is ignored otherwise. the spec requires the two different encodings be preserved as they are, instead of normalizing them.

  • relaxed (bool) –

    By default, providing an invalid value for one of the other keywords will result in a ValueError. If relaxed=True, and the error can be corrected, a PasslibHashWarning will be issued instead. Correctable errors include rounds that are too small or too large, and salt strings that are too long.

    New in version 1.6.


This class will use the first available of two possible backends:

  • stdlib crypt(), if the host OS supports SHA512-Crypt (most Linux systems).
  • a pure python implementation of SHA512-Crypt built into passlib.

You can see which backend is in use by calling the get_backend() method.

Format & Algorithm

SHA512-Crypt is defined by the same specification as SHA256-Crypt. The format and algorithm are exactly the same, except for the following notable differences:

  • it uses the modular crypt prefix $6$, whereas SHA256-Crypt uses $5$.
  • it uses the SHA-512 message digest in place of the SHA-256 message digest.
  • its output hash is correspondingly larger in size, with an 86-character encoded checksum, instead of 43 characters.

See sha256_crypt for the format and algorithm descriptions, as well as security notes.