Generate a password hash for a CouchDB administrator.
CouchDB uses the PBKDF2 (Password-Based Key Derivation Function 2) hashing algorithm and stores hashed passwords in a custom format:
-pbkdf2-6bb90d1d03ec4fb62afc5ef8be2edb8eaad4320c,5ffa3ff6471d4cbda5e444e5e34b1c51,10
which translates to
-hash_algorithm-hashed-password,salt,number_of_iterations
Ad hoc solution
Use a simple Python 3 one-liner to generate the password hash and display it in the CouchDB-specific format.
$ PASS="notsosecurepassword" SALT="5ffa3ff6471d4cbda5e444e5e34b1c51" ITER=10 \
  python3 -c "import os,hashlib; print('-pbkdf2-%s,%s,%s' % (hashlib.pbkdf2_hmac('sha1',os.environ['PASS'].encode(),os.environ['SALT'].encode(),int(os.environ['ITER'].encode())).hex(), os.environ['SALT'], os.environ['ITER']))"
-pbkdf2-6bb90d1d03ec4fb62afc5ef8be2edb8eaad4320c,5ffa3ff6471d4cbda5e444e5e34b1c51,10
Permanent solution
Use the following Python 3 script to generate a password hash for CouchDB administrators.
#!/usr/bin/env python3
# Generate password hash for CouchDB administrators

import argparse
import uuid
import hashlib

# define and parse command-line options
parser = argparse.ArgumentParser(description='Generate password hash for CouchDB administrators')
parser.add_argument('--password', required=True, help='Define password (required)')
parser.add_argument('--salt', default=uuid.uuid4().hex, help='Define salt (default: random)')
parser.add_argument('--iterations', type=int, default=10, help='Define number of iterations (default: %(default)s)')
parser.add_argument('--length', type=int, default=20, help='Define hash length (default: %(default)s)')
parser.add_argument('--verbose', action='store_true', help='Verbose mode (default: %(default)s)')
args = vars(parser.parse_args())

# generate password hash
password_hash = hashlib.pbkdf2_hmac('sha1', args["password"].encode(), args["salt"].encode(), args["iterations"], dklen=args["length"])

# generate CouchDB hash
couchdb_hash = "-pbkdf2-" + password_hash.hex() + "," + args["salt"] + "," + str(args["iterations"])

# display detailed information in verbose mode
if args["verbose"] is True:
    print("Password:", args["password"])
    print("Salt:", args["salt"])
    print("Iterations:", args["iterations"])
    print("Hash length:", args["length"])
    print("Hash:", password_hash.hex())

# display CouchDB hash
print("CouchDB hash:", couchdb_hash)
Display help information.
$ python couchdb_pbkdf2.py --help
usage: couchdb_pbkdf2.py [-h] --password PASSWORD [--salt SALT] [--iterations ITERATIONS] [--length LENGTH] [--verbose]

Generate password hash for CouchDB administrators

optional arguments:
  -h, --help            show this help message and exit
  --password PASSWORD   Define password (required)
  --salt SALT           Define salt (default: random)
  --iterations ITERATIONS
                        Define number of iterations (default: 10)
  --length LENGTH       Define hash length (default: 20)
  --verbose             Verbose mode (default: False)
Note that the password hash is a hex-encoded string, so a hash length of 20 bytes produces 40 characters.
Generate password hash using the provided salt.
$ python couchdb_pbkdf2.py --password notsosecurepassword --salt 5ffa3ff6471d4cbda5e444e5e34b1c51
CouchDB hash: -pbkdf2-6bb90d1d03ec4fb62afc5ef8be2edb8eaad4320c,5ffa3ff6471d4cbda5e444e5e34b1c51,10
Generate password hash using random salt and display detailed information.
$ python couchdb_pbkdf2.py --password notsosecurepassword --verbose
Password: notsosecurepassword
Salt: 543376fa61d24691a9af7b2f547ee55e
Iterations: 10
Hash length: 20
Hash: d055e0baf1c4db04ca6571d369d39447821770dc
CouchDB hash: -pbkdf2-d055e0baf1c4db04ca6571d369d39447821770dc,543376fa61d24691a9af7b2f547ee55e,10
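The reverse direction, as an added example that is not part of the original post: parse a stored value in the format described above and check a candidate password against it, using the hash shown on this page as sample input. The function names and the `max_iterations` cap are assumptions of this example.

```python
import hashlib
import hmac
import re

# Sample value shown on this page (password "notsosecurepassword").
PAGE_HASH = ("-pbkdf2-6bb90d1d03ec4fb62afc5ef8be2edb8eaad4320c,"
             "5ffa3ff6471d4cbda5e444e5e34b1c51,10")

# -pbkdf2-<hex hash>,<salt>,<iterations>; whole hex bytes, no leading zero.
_FORMAT = re.compile(r"-pbkdf2-((?:[0-9a-f]{2})+),([^,\s]+),([1-9][0-9]*)")


def parse_couchdb_hash(stored, max_iterations=10_000_000):
    """Return (derived_key_bytes, salt, iterations) or raise ValueError.

    max_iterations is a cap assumed by this example so that a hostile
    stored value cannot force an arbitrarily expensive derivation.
    """
    match = _FORMAT.fullmatch(stored)
    if match is None:
        raise ValueError("not in -pbkdf2-hash,salt,iterations format")
    derived = bytes.fromhex(match.group(1))
    iterations = int(match.group(3))
    if iterations > max_iterations:
        raise ValueError("iteration count exceeds the allowed maximum")
    return derived, match.group(2), iterations


def verify_password(password, stored):
    """Recompute PBKDF2-HMAC-SHA1 and compare in constant time."""
    derived, salt, iterations = parse_couchdb_hash(stored)
    candidate = hashlib.pbkdf2_hmac(
        "sha1",
        password.encode(),
        salt.encode(),          # the salt is used as its text, not hex-decoded
        iterations,
        dklen=len(derived),     # hex length / 2, e.g. 40 characters -> 20 bytes
    )
    return hmac.compare_digest(candidate, derived)


if __name__ == "__main__":
    print(verify_password("notsosecurepassword", PAGE_HASH))
    print(verify_password("wrong-guess", PAGE_HASH))
```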