https://github.com/smlx/hashy
CLI tool and Go library for inspection and manipulation of password hashes
Last synced: over 1 year ago
- Host: GitHub
- URL: https://github.com/smlx/hashy
- Owner: smlx
- License: apache-2.0
- Created: 2022-04-21T14:18:59.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2023-06-07T14:00:58.000Z (about 3 years ago)
- Last Synced: 2025-01-22T15:08:55.176Z (over 1 year ago)
- Language: Go
- Size: 108 KB
- Stars: 2
- Watchers: 2
- Forks: 0
- Open Issues: 5
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# hashy
## About
`hashy` is a CLI tool and Go library for inspection and manipulation of password hashes, such as you may find in `/etc/shadow` on Unix systems.
It may be useful to sysadmins or security researchers.
---
**WARNING**
Many of the password hash functions implemented in this module are known to be insecure or bad practice.
You probably should not use this module for hashing passwords in any modern application.
---
### Features
* Generate a password hash (similar to `mkpasswd` ([code](https://github.com/rfc1036/whois), [manpage](https://manpages.debian.org/testing/whois/mkpasswd.1.en.html)))
* Identify the format of a password hash (similar to [`hash-identifier`](https://github.com/blackploit/hash-identifier))
* Check if a password matches a password hash
* Support a wide range of password hash functions (still a WIP, see the table below)
* Written in pure Go (no cgo)
### Design philosophy
`hashy` aims for simplicity and good documentation.
It does not aim for speed or to be useful for cracking password hashes; use [hashcat](https://github.com/hashcat/hashcat) for that.
### Supported password hash functions
Development work is currently targeting common Linux password hash functions.
If you are interested in a function not listed below please open an issue with documentation / implementation links.
| Supported | WIP |
| --- | --- |
| ✅ | ⏳ |
#### Unix crypt() functions
| | Supported | Best practice? |
| --- | --- | --- |
| bcrypt | ⏳ | - |
| md5crypt | ✅ | [No](https://web.archive.org/web/20190324130136/http://phk.freebsd.dk:80/sagas/md5crypt_eol.html), [CVE](https://nvd.nist.gov/vuln/detail/CVE-2012-3287) |
| scrypt | ⏳ | - |
| sha1crypt | ✅ | [No](https://manpages.debian.org/testing/libcrypt-dev/crypt.5.en.html#sha1crypt) |
| sha256crypt | ✅ | [No](https://manpages.debian.org/testing/libcrypt-dev/crypt.5.en.html#sha256crypt) |
| sha512crypt | ✅ | [No](https://manpages.debian.org/testing/libcrypt-dev/crypt.5.en.html#sha512crypt) |
| yescrypt | ⏳ | - |
#### Other software
| | Supported | Best practice? |
| --- | --- | --- |
| MariaDB/MySQL `OLD_PASSWORD()` | ✅ | [No](https://security.stackexchange.com/questions/3133/mysql-old-password-cryptanalysis), [CVE](https://nvd.nist.gov/vuln/detail/CVE-2003-1480) |
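To illustrate the "identify the format" feature for the functions in the tables above, here is an added example. It is not hashy's code or API: `IdentifyField` and `IdentifyShadowLine` are hypothetical names, and the prefixes are the ones documented in crypt(5). It also reports the `/etc/shadow` lock markers, which an audit of weak hash formats should not mistake for an unknown hash.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Modular crypt prefixes per crypt(5); not read from hashy's source.
var prefixes = []struct{ prefix, name string }{
	{"$1$", "md5crypt"}, {"$sha1$", "sha1crypt"}, {"$5$", "sha256crypt"},
	{"$6$", "sha512crypt"}, {"$2a$", "bcrypt"}, {"$2b$", "bcrypt"},
	{"$2y$", "bcrypt"}, {"$7$", "scrypt"}, {"$y$", "yescrypt"},
}

var oldPassword = regexp.MustCompile(`^[0-9a-fA-F]{16}$`) // MySQL OLD_PASSWORD(): 16 hex digits

// IdentifyField classifies a shadow password field; locked = leading "!" or bare "*".
func IdentifyField(field string) (name string, locked bool) {
	h := strings.TrimLeft(field, "!")
	locked = h != field || h == "*"
	if h == "" || h == "*" {
		return "none", locked
	}
	for _, p := range prefixes {
		if strings.HasPrefix(h, p.prefix) {
			return p.name, locked
		}
	}
	if oldPassword.MatchString(h) {
		return "mysql-old-password", locked
	}
	return "unknown", locked
}

// IdentifyShadowLine classifies field 2 of a colon-separated shadow entry.
func IdentifyShadowLine(line string) (user, name string, locked bool, err error) {
	parts := strings.Split(line, ":")
	if len(parts) < 2 {
		return "", "", false, fmt.Errorf("not a shadow entry: %q", line)
	}
	name, locked = IdentifyField(parts[1])
	return parts[0], name, locked, nil
}

func main() {
	// Constructed sample entry; the hash body is a placeholder, not a real hash.
	fmt.Println(IdentifyShadowLine("bob:!$1$saltsalt$placeholder:19000:0:99999:7:::"))
}
```

A prefix match only identifies the declared scheme; it does not validate the salt or digest that follows.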
## Install and Use
Download the latest release binary for your platform, drop it into your `$PATH`, and run:
```
hashy --help
```
## Develop and Build
Clone the git repository locally and run:
```
make
```
## References / Prior art
These projects were referenced to understand the password hash functions implemented by `hashy`:
* [libxcrypt](https://github.com/besser82/libxcrypt)
* [musl crypt()](https://git.musl-libc.org/cgit/musl/tree/src/crypt)
* [unix-crypt](https://github.com/mogest/unix-crypt)
* [go-htpasswd](https://github.com/tg123/go-htpasswd)
In addition, [`hash-identifier`](https://github.com/blackploit/hash-identifier) inspired the `id` functionality.