@@ -72,6 +72,35 @@ algorithm as described in the hash, e.g, `{ARGON2}$argon2id$...` is
7272recognized and processed properly as ARGON2I/ARGON2ID (as long as
7373libsodium is recent enough to support it).
7474
75+ ### CRYPT
76+
77+ This is an umbrella term for all password schemes libc's ` crypt() ` can verify.
78+ On a current Linux system (2025) these are the following roughly in the order
79+ from strongest to weakest:
80+
81+ | Scheme | Prefix | Maximum passphrase length |
82+ | ---------------| ----------| ----------------------------------|
83+ | yescrypt | ` $y$ ` | unlimited |
84+ | gost-yescrypt | ` $gy$ ` | unlimited |
85+ | sm3-yescrypt | ` $sm3y$ ` | unlimited |
86+ | scrypt | ` $7$ ` | unlimited |
87+ | bcrypt | ` $2b$ ` | 72 characters |
88+ | sha512crypt | ` $6$ ` | unlimited |
89+ | sha256crypt | ` $5$ ` | unlimited |
90+ | sm3crypt | ` $sm3$ ` | unlimited |
91+ | sha1crypt | ` $sha1 ` | unlimited |
92+ | SunMD5 | ` $md5 ` | unlimited |
93+ | md5crypt | ` $1$ ` | unlimited |
94+ | bsdicrypt | ` _ ` | (ignores 8th bit) |
95+ | descrypt | | 8 characters (ignores 8th bit) |
96+ | bigcrypt | | 128 characters (ignores 8th bit) |
97+ | NT | ` $3$ ` | unlimited |
98+
99+ ::: warning
100+ On older Linux distros ` crypt() ` might not include all of the schemes in the list above.
101+ You can verify which ones are supported on your system by reading ` man 5 crypt `
102+ :::
103+
75104### BLF-CRYPT
76105
77106This is the Blowfish crypt (bcrypt) scheme. It is generally considered to
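Review bot: in the new table, the bsdicrypt row gives only "(ignores 8th bit)" as its maximum passphrase length, with no length stated, and the descrypt and bigcrypt rows leave the Prefix cell empty. Every other row states both, so please fill in the length for bsdicrypt and write something explicit such as "(none)" for the empty prefixes, so readers do not take the blanks for rendering errors. Since the list is ordered "from strongest to weakest" and the page elsewhere calls MD5-CRYPT weak, it would also help to say which of the lower rows are listed only so that legacy hashes can be verified. The last sentence of the warning is missing its full stop.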
@@ -92,7 +121,9 @@ A strong scheme. The encrypted password will start with `$6$`.
92121
93122A strong scheme. The encrypted password will start with ` $5$ ` .
94123
95- ### MD5-CRYPT: A weak but common scheme often used in ` /etc/shadow ` . The
124+ ### MD5-CRYPT
125+
126+ A weak but common scheme often used in ` /etc/shadow ` . The
96127encrypted password will start with ` $1$ ` .
97128
98129## Generating Encrypted Passwords
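Review bot: now that MD5-CRYPT has its own heading, the section still only says the scheme is "weak but common" and carries no notice about its default state, while the DES-CRYPT entry further down has a "Disabled by default" warning tagged `crypt_des_md5_schemes`. If that change covers MD5-CRYPT as well, as the tag name suggests, repeat the warning under this heading so that a reader who lands here sees it.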
@@ -165,16 +196,12 @@ Password is in cleartext.
165196
166197### CRYPT
167198
168- Traditional DES-crypted password in ` /etc/passwd ` (e.g.
169- "pass" = ` vpvKh.SaNbR6s ` .
199+ Password is encrypted.
170200
171- * Dovecot uses libc's ` crypt() ` function, which means that CRYPT is usually
172- able to recognize MD5-CRYPT and possibly also other password schemes. See
173- all of the ` *-CRYPT ` schemes at the top of this page.
201+ Dovecot uses libc's ` crypt() ` function, which means that it is able to recognize
202+ all password schemes available on your system (e.g. the ones used in ` /etc/passwd ` ).
174203
175- * The traditional DES-crypt scheme only uses the first 8 characters of the
176- password, the rest are ignored. Other schemes may have other password length
177- limitations (if they limit the password length at all).
204+ See [ CRYPT] ( #crypt ) above for a list.
178205
179206#### BLF-CRYPT
180207
@@ -184,6 +211,10 @@ Bcrypt based hash. (`$2y$`)
184211
185212Traditional DES based hash.
186213
214+ The DES-crypt scheme only uses the first 8 characters of the password, the rest
215+ is ignored. Other schemes may have other password length limitations (if they
216+ limit the password length at all).
217+
187218::: warning [[ changed,crypt_des_md5_schemes]]
188219Disabled by default.
189220:::
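Review bot: the second sentence of the moved paragraph, "Other schemes may have other password length limitations (if they limit the password length at all)", is vague and out of place under the DES-CRYPT heading now that this commit adds a table with the actual limits. Suggest dropping it here and linking to the table instead. The first sentence could also spell out the consequence of the truncation: two passwords that share their first 8 characters verify against the same hash.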
@@ -204,7 +235,7 @@ SHA-256 based hash (`$5$`)
204235
205236SHA-512 based hash (` $6$ ` )
206237
207- #### OTP
238+ ### OTP
208239
209240[[ rfc,2289]] based One-Time Password system.
210241