passlib.hash.unix_disabled - Unix Disabled Account Helper

This class does not provide an encryption scheme, but instead provides a helper for handling disabled password fields as found in unix /etc/shadow files. This class is mainly useful only for plugging into a CryptContext instance. It can be used directly as follows:

>>> from passlib.hash import unix_disabled

>>> # 'hashing' a password always results in "!" or "*"
>>> unix_disabled.hash("password")

>>> # verifying will fail for all passwords and hashes
>>> unix_disabled.verify("password", "!")
>>> unix_disabled.verify("letmein", "*NOPASSWORD*")

>>> # this class should identify all strings which aren't
>>> # valid Unix crypt() output, while leaving MCF hashes alone
>>> unix_disabled.identify('!')
>>> unix_disabled.identify('')
>>> unix_disabled.identify("$1$somehash")


class passlib.hash.unix_disabled

This class provides disabled password behavior for unix shadow files, and follows the PasswordHash API.

This class does not implement a hash, but instead matches the “disabled account” strings found in /etc/shadow on most Unix variants. “encrypting” a password will simply return the disabled account marker. It will reject all passwords, no matter the hash string. The hash() method supports one optional keyword:

Parameters:marker (str) –

Optional marker string which overrides the platform default used to indicate a disabled account.

If not specified, this will default to "*" on BSD systems, and use the Linux default "!" for all other platforms. (unix_disabled.default_marker will contain the default value)

New in version 1.6: This class was added as a replacement for the now-deprecated unix_fallback class, which had some undesirable features.

Deprecated Interface

class passlib.hash.unix_fallback

This class provides the fallback behavior for unix shadow files, and follows the PasswordHash API.

This class does not implement a hash, but instead provides fallback behavior as found in /etc/shadow on most unix variants. If used, should be the last scheme in the context.

  • this class will positively identify all hash strings.
  • for security, passwords will always hash to !.
  • it rejects all passwords if the hash is NOT an empty string (! or * are frequently used).
  • by default it rejects all passwords if the hash is an empty string, but if enable_wildcard=True is passed to verify(), all passwords will be allowed through if the hash is an empty string.

Deprecated since version 1.6: This has been deprecated due to its “wildcard” feature, and will be removed in Passlib 1.8. Use unix_disabled instead.


According to the Linux shadow man page, an empty string is treated as a wildcard by Linux, allowing all passwords. For security purposes, this behavior is NOT supported; empty strings are treated the same as ! or *.