How to create SHA512 password hashes on command line

In Linux I can create a SHA1 password hash using sha1pass mypassword. Is there a similar command line tool which lets me create sha512 hashes? Same question for Bcrypt and PBKDF2.

Asked By: student

||

Yes, you’re looking for mkpasswd, which (at least on Debian) is part of the whois package. Don’t ask why…

anthony@Zia:~$ mkpasswd -m help
Available methods:
des     standard 56 bit DES-based crypt(3)
md5     MD5
sha-256 SHA-256
sha-512 SHA-512

Unfortunately, my version at least doesn’t do bcrypt. If your C library does, it should (and the manpage gives a -R option to set the strength). -R also works on sha-512, but I’m not sure if its PBKDF-2 or not.

If you need to generate bcrypt passwords, you can do it fairly simply with the Crypt::Eksblowfish::Bcrypt Perl module.

Answered By: derobert

You can use sha512sum:

echo "password" | sha512sum
Answered By: Vinayak

On any of the Red Hat distros such as Fedora, CentOS, or RHEL the command mkpasswd doesn’t include the same set of switches as the version typically included with Debian/Ubuntu.

NOTE: The command mkpasswd is actually part of the expect package, and should probably be avoided. You can find out what package it belongs to with either of these commands.

$ yum whatprovides "*/mkpasswd"
-or-
$ repoquery -q --file */mkpasswd

Example

$ repoquery -q --file */mkpasswd
expect-0:5.43.0-8.el5.x86_64
expect-0:5.43.0-8.el5.i386

Both of these methods are superior to using rpm since the packages do not have to be installed to locate */mkpasswd.

Workarounds

To work around this you can use the following Python or Perl one-liners to generate SHA-512 passwords. Take note that these are salted:

Python (>= 3.3)

$ python -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))'

-or scripted-

$ python -c 'import crypt; print(crypt.crypt("somesecret", crypt.mksalt(crypt.METHOD_SHA512)))'

Python (2.x or 3.x)

$ python -c "import crypt, getpass, pwd; 
             print(crypt.crypt('password', '$6$saltsalt$'))"

$6$saltsalt$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/

Note: $6$ designates sha512. Support for this method of specifying the algorithm is dependent on support in OS level crypt(3) library function (usually in libcrypt). It is not dependent on python version.

Perl

$ perl -e 'print crypt("password","$6$saltsalt$") . "n"'
$6$saltsalt$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/

In these examples the password is the string “password” and the salt is “saltsalt”. Both examples are using $6$ which denotes that you want crypt to use SHA-512.

Answered By: slm

Run this command:

$ /sbin/grub-crypt --sha-512

then enter the word you want hashed.

Answered By: ucemike

To expand on @slm’s workarounds above, if you’re worried about someone getting a hold of your bash history and seeing the plain text password, you can insert raw_input() in the python statement where the salt and password fields go so it prompts you for them. The text isn’t masked while you’re typing, but it won’t show up in your bash history. You could also start the command with a leading space, but I always forget to do that.

python -c "import crypt, getpass, pwd; print crypt.crypt(raw_input(), '$6$' + raw_input() + '$')"
Answered By: user208145

You can use the doveadm utility, which is included in the dovecot package.

doveadm pw -s SHA512-CRYPT

Result example:

{SHA512-CRYPT}$6$0JvQ1LLFESzA16.I$JVdKAIq0igudTq06BMqzT9rL1gRawMPwLr9U3/kBMKUqZdONfa0wubC89C35LKl3aE16CRH57BfGb4ygPLggL1

Just cut {SHA512-CRYPT} and you’ll get your SHA512 hashed string.

Answered By: obohovyk

If your using the Python (>= 2.7) method from sim’s answer and want to confirm your password before it generates – because you fat finger passwords…

$ python -c 'import crypt,getpass;pw=getpass.getpass(); print(crypt.crypt(pw), crypt.mksalt(crypt.METHOD_SHA512) if (pw==getpass.getpass("Confirm: ")) else exit())'
Answered By: levi

sha512 htpasswd

Command which asks for user and password and generates a regular htpasswd-file:

python -c 'import crypt,getpass; print(getpass.getpass("Name: ")+":"+crypt.crypt(getpass.getpass(),crypt.mksalt(crypt.METHOD_SHA512)))' >> htpasswd

Works with all python versions > 2.5.

Answered By: MadMike

openssl version “OpenSSL 1.1.1” on Linux and
openssl version “LibreSSL 2.6.5” on MacOS support md5_crypt.

Just run and enter password:

openssl passwd -crypt
Password:
Verifying - Password:
<results_into_a_md5_crypt_password>

or provide the plain text password directly to the CLI:

openssl password -crypt <plain_text_password_goes_here>
<results_into_a_md5_crypt_password>
Answered By: TMT

OpenSSL has

openssl passwd -6

Help says:

$ openssl passwd --help
Usage: passwd [options]
Valid options are:
...
 -6                  SHA512-based password algorithm

For consistent output you can specify the salt:

openssl passwd -6 -salt <YOUR_SALT>

Output is something similar to:

$6$YOUR_SALT$q/oDR4twC1ik4RoxTJJtX.3MjenHVapkMaBbq2NcRHGQjqhIWRNcEVitYZhyIx98D7lF7qs0vLTq17X0nEr8I.

with: 6 between “$” indicating the algorithm (“-6” above), followed by YOUR_SALT and “$”, finishing with the SHA512 sum.

Answered By: Markus Linnala

PBKDF2

I wrote a simple application in Go that allows to generate PBKDF2 hash, as OpenSSL does not provide a commandline tool for that.
It supports sha1, sha256, sha512 and md5.

You can build it yourself, or download released binaries in “release” section.

https://github.com/riotkit-org/gpbkdf2

The usage is very simple:

gpbkdf2 --passphrase=my-secret-passphrase --salt=my-secret-salt --digest-algorithm=sha512 --digest-rounds=10000 --length=128
Answered By: Krzysztofa Krzysztof

I did the same thing with NodeJs before:

 echo "console.log(require('crypto').createHmac('sha512', 'nonbase64key').update('password').digest('hex'))" | node

it’s equivalent in python is:

python3 -c 'import hashlib;import base64;import hmac;print(hmac.new(b"nonbase64key", "password".encode(), hashlib.sha512).hexdigest())'

And the equivalent shell command is:

echo -n "password" | openssl sha512 -hmac "nonbase64key"
Answered By: Jeff Tian

All examples will be using SHA-512, <password> as password placeholder and <salt> as salt placeholder.

mkpasswd

Note: mkpasswd binary is installed via the package whois on Debian / Ubuntu only. On other Linux distribution such as ArchLinux, Fedora, CentOS, openSUSE, etc. mkpasswd is provided by the expect package but is an totally different utility which is available as expect_mkpasswd on Debian / Ubuntu. whois of all other Linux distro doesn’t include mkpasswd but the source (C lang) can be found on the original repository https://github.com/rfc1036/whois.

# With a random password and random salt
mkpasswd -m sha-512
# With a random random salt
mkpasswd -m sha-512 '<password>'
# Choosing both password and salt
mkpasswd -m sha-512 '<password>' '<salt>'
# Read password from stdin to avoid leaking it in shell command history
mkpasswd -m sha-512 --stdin

OpenSSL

# With a random random salt
openssl passwd -6 '<password>'
# Choosing both password and salt
openssl passwd -6 --salt '<salt>' '<password>'
# Read password from stdin to avoid leaking it in shell command history
openssl passwd -6 -stdin
openssl passwd -6

Ruby

# With a random password and random salt
ruby -e 'require "securerandom"; puts SecureRandom.alphanumeric(20).crypt("$6$" + rand(36 ** 8).to_s(36))'
# With a random random salt
ruby -e 'puts "<password>".crypt("$6$" + rand(36 ** 8).to_s(36))'
# Choosing both password and salt
ruby -e 'puts "<password>".crypt("$6$<salt>")'
# Read password from stdin to avoid leaking it in shell command history
ruby -e 'require "io/console"; puts IO::console.getpass.crypt("$6$" + rand(36 ** 8).to_s(36))'

Note: for those who complains that Random#rand is a PRNG, you can use the secure SecureRandom#rand but it’s not very important is rand is used only to generate the salt which is publicly available in the hash at the end.

ruby -e 'require "securerandom"; puts "<password>".crypt("$6$" + SecureRandom.rand(36 ** 8).to_s(36))'

Perl

# Choosing both password and salt
perl -le 'print crypt "<password>", "$6$<salt>$"'

Python

Requires Python >= 3.3

# With a random random salt
python -c 'import crypt; print(crypt.crypt("<password>", crypt.mksalt(crypt.METHOD_SHA512)))'
# Choosing both password and salt
python -c 'import crypt; print(crypt.crypt("<password>", "$6$<salt>"))'
# Read password from stdin to avoid leaking it in shell command history
python -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))

grub-crypt

Note: The grub package doesn’t include grub-crypt in many distros.

# With a random random salt
# Read password from stdin to avoid leaking it in shell command history
grub-crypt --sha-512
Answered By: noraj