One-way string hashing for salted passwords using the Unix crypt format.

This package implements the SHA-256 crypt hash as specified by "Unix crypt using SHA-256 and SHA-512" (version: 0.4 2008-04-03).

Crypt format strings

It can produce crypt formatted strings like:




Where the leading "$5$" indicates this is a SHA-256 crypt, and is followed by a number of fields separated by dollar signs: an optional number of rounds, the salt and the hash value. When SHA-256 is being used, the default number of rounds is 5000 (as defined by the specification).

Note: different systems use the crypt formatted string differently. For example, as the value of the userPassword attribute in an LDAP posixAccount entry, "{crypt}" needs to be prepended to it.


import 'package:crypt/crypt.dart';

main() {
  // Create crypts from a value, with and without explicit rounds and salt.
  var c1 = new Crypt.sha256("p@ssw0rd"); // default rounds, random salt
  var c2 = new Crypt.sha256("p@ssw0rd", rounds: 10000); // random salt
  var c3 = new Crypt.sha256("p@ssw0rd", salt: "abcdefghijklmnop"); // default rounds
  var c4 = new Crypt.sha256("p@ssw0rd", rounds: 10000, salt: "abcdefghijklmnop");

  // The correct value must match the crypt.
  var suppliedValue = "p@ssw0rd";
  if (c1.match(suppliedValue)) {
    print("Correct value match");
  } else {
    print("Error: unexpected non-match: $suppliedValue");
  }

  // A different value must not match.
  suppliedValue = "123456";
  if (c1.match(suppliedValue)) {
    print("Error: unexpected match: $suppliedValue");
  } else {
    print("Incorrect value does not match");
  }
}

The above example produced this output:

Correct value match
Incorrect value does not match

Create a crypt from a value using the sha256 constructor, or by parsing a crypt formatted string using the default constructor.

Obtain the crypt formatted string by using the toString method.

Test if a value's hash matches using the match method.

Features and bugs

Currently only SHA-256 crypt hashes are supported. This package uses the crypto package for the cryptographic algorithms, which does not yet support DES or SHA-512. So those types of crypt hashes are not supported.

Salt generation does not use a cryptographically secure random number generator. If this is a concern, pass in a randomly generated salt value that you want to use.
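The following is an added example, not code from the package or its documentation, of passing in your own salt as suggested above: it draws the salt from `Random.secure()` in `dart:math`, hashes with the sha256 constructor, and later verifies by parsing the stored string with the default constructor. The helper names `secureSalt`, `hashForStorage` and `verify`, the 64-character salt alphabet, the 16-character salt length and the rounds value are assumptions of this example.

```dart
import 'dart:math';

import 'package:crypt/crypt.dart';

// Assumption: the 64-character alphabet conventionally used for crypt salts.
// A length of exactly 64 lets nextInt() pick characters uniformly.
const _saltAlphabet =
    './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

/// Builds a salt of [length] characters from the platform's secure random
/// source. Random.secure() throws UnsupportedError if none is available, so a
/// failure here is loud rather than a silent fallback to a weak generator.
/// (Hypothetical helper for this example, not part of the crypt package.)
String secureSalt([int length = 16]) {
  final rng = Random.secure();
  final codes = List<int>.generate(
      length, (_) => _saltAlphabet.codeUnitAt(rng.nextInt(_saltAlphabet.length)));
  return String.fromCharCodes(codes);
}

/// Hashes [password] with a fresh secure salt and returns the crypt formatted
/// string to store. Only this string is kept; the password is never stored.
String hashForStorage(String password, {int rounds = 10000}) {
  final crypt = Crypt.sha256(password, rounds: rounds, salt: secureSalt());
  return crypt.toString();
}

/// Parses a stored crypt formatted string (the salt and rounds are read back
/// from it) and tests whether [candidate] hashes to the same value.
bool verify(String stored, String candidate) => Crypt(stored).match(candidate);

void main() {
  final stored = hashForStorage('p@ssw0rd');
  print('stored value: $stored');
  print('correct password accepted: ${verify(stored, 'p@ssw0rd')}');
  print('wrong password accepted: ${verify(stored, '123456')}');

  // Two hashes of the same password get different salts, so the stored
  // strings differ and identical passwords are not visible as duplicates.
  final again = hashForStorage('p@ssw0rd');
  print('same password, same stored string: ${stored == again}');

  // For an LDAP userPassword attribute, prepend "{crypt}" when writing and
  // strip it again before parsing.
  final ldapValue = '{crypt}$stored';
  final parsed = ldapValue.substring('{crypt}'.length);
  print('LDAP value verifies: ${verify(parsed, 'p@ssw0rd')}');
}
```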

Please file feature requests and bugs at the GitHub issue tracker.

