How to generate password hash for CouchDB administrator

Generate a password hash for a CouchDB administrator.

CouchDB uses the PBKDF2 (Password-Based Key Derivation Function 2) algorithm and stores hashed passwords in a custom format

-pbkdf2-6bb90d1d03ec4fb62afc5ef8be2edb8eaad4320c,5ffa3ff6471d4cbda5e444e5e34b1c51,10

which translates to

-hash_algorithm-hashed-password,salt,number_of_iterations

Ad hoc solution

Use a simple Python 3 one-liner to generate the password hash and display it in the CouchDB-specific format.

$ PASS="notsosecurepassword" SALT="5ffa3ff6471d4cbda5e444e5e34b1c51" ITER=10 \
  python3 -c "import os,hashlib; print('-pbkdf2-%s,%s,%s' % (hashlib.pbkdf2_hmac('sha1',os.environ['PASS'].encode(),os.environ['SALT'].encode(),int(os.environ['ITER'])).hex(), os.environ['SALT'], os.environ['ITER']))"
-pbkdf2-6bb90d1d03ec4fb62afc5ef8be2edb8eaad4320c,5ffa3ff6471d4cbda5e444e5e34b1c51,10

Permanent solution

Use the following Python 3 script to generate password hashes for CouchDB administrators.

#!/usr/bin/env python3
# Generate password hash for CouchDB administrators

import argparse
import uuid
import hashlib

# define and parse command-line options
parser = argparse.ArgumentParser(description='Generate password hash for CouchDB administrators')
parser.add_argument('--password', required=True, help='Define password (required)')
parser.add_argument('--salt', default=uuid.uuid4().hex, help='Define salt (default: random)')
parser.add_argument('--iterations', type=int, default=10, help='Define number of iterations (default: %(default)s)')
parser.add_argument('--length', type=int, default=20, help='Define hash length (default: %(default)s)')
parser.add_argument('--verbose', action='store_true', help='Verbose mode (default: %(default)s)')
args = vars(parser.parse_args())

# generate password hash
password_hash = hashlib.pbkdf2_hmac('sha1', args["password"].encode(), args["salt"].encode(), args["iterations"], dklen=args["length"])

# generate CouchDB hash
couchdb_hash = "-pbkdf2-" + password_hash.hex() + "," + args["salt"] + "," + str(args["iterations"])

# display detailed information in verbose mode
if args["verbose"]:
    print("Password:", args["password"])
    print("Salt:", args["salt"])
    print("Iterations:", args["iterations"])
    print("Hash length:", args["length"])
    print("Hash:", password_hash.hex())

# display CouchDB hash
print("CouchDB hash:", couchdb_hash)

Display help information.

$ python couchdb_pbkdf2.py --help
usage: couchdb_pbkdf2.py [-h] --password PASSWORD [--salt SALT]
                         [--iterations ITERATIONS] [--length LENGTH]
                         [--verbose]

Generate password hash for CouchDB administrators

optional arguments:
  -h, --help            show this help message and exit
  --password PASSWORD   Define password (required)
  --salt SALT           Define salt (default: random)
  --iterations ITERATIONS
                        Define number of iterations (default: 10)
  --length LENGTH       Define hash length (default: 20)
  --verbose             Verbose mode (default: False)

Note that the password hash is a hex-encoded string, so a hash length of 20 returns 40 characters.

Generate password hash using provided salt.

$ python couchdb_pbkdf2.py --password notsosecurepassword  --salt 5ffa3ff6471d4cbda5e444e5e34b1c51
CouchDB hash: -pbkdf2-6bb90d1d03ec4fb62afc5ef8be2edb8eaad4320c,5ffa3ff6471d4cbda5e444e5e34b1c51,10

Generate password hash using random salt and display detailed information.

$ python couchdb_pbkdf2.py --password notsosecurepassword --verbose
Password: notsosecurepassword
Salt: 543376fa61d24691a9af7b2f547ee55e
Iterations: 10
Hash length: 20
Hash: d055e0baf1c4db04ca6571d369d39447821770dc
CouchDB hash: -pbkdf2-d055e0baf1c4db04ca6571d369d39447821770dc,543376fa61d24691a9af7b2f547ee55e,10
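
The stored format can also be checked in the other direction. The following is an added example, not part of the original article or of CouchDB itself: it parses a -pbkdf2- string, re-derives the key with the parameters the script above uses (PBKDF2-HMAC-SHA1, salt taken as the literal string) and compares the result in constant time. The function names are hypothetical.

```python
import hashlib
import hmac
import secrets

PREFIX = "-pbkdf2-"  # scheme marker used in the stored format shown on this page


def parse_couchdb_hash(stored):
    """Split '-pbkdf2-<hex key>,<salt>,<iterations>' into (key, salt, iterations)."""
    if not stored.startswith(PREFIX):
        raise ValueError("missing -pbkdf2- prefix")
    fields = stored[len(PREFIX):].split(",")
    if len(fields) != 3:
        raise ValueError("expected <hash>,<salt>,<iterations>")
    key = bytes.fromhex(fields[0])  # ValueError if the hash is not hex
    iterations = int(fields[2])     # ValueError if not a number
    if not key or not fields[1] or iterations < 1:
        raise ValueError("empty hash, empty salt or non-positive iterations")
    return key, fields[1], iterations


def make_couchdb_hash(password, salt=None, iterations=10, length=20):
    """Build the stored string with the same parameters as the script above."""
    salt = salt or secrets.token_hex(16)  # 32 hex characters from the OS CSPRNG
    key = hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(),
                              iterations, dklen=length)
    return f"{PREFIX}{key.hex()},{salt},{iterations}"


def verify_couchdb_hash(stored, password):
    """Re-derive the key from the stored salt and iterations; compare in constant time."""
    key, salt, iterations = parse_couchdb_hash(stored)
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(),
                                    iterations, dklen=len(key))
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    # Hash string and password taken from the examples on this page.
    sample = ("-pbkdf2-6bb90d1d03ec4fb62afc5ef8be2edb8eaad4320c,"
              "5ffa3ff6471d4cbda5e444e5e34b1c51,10")
    print(verify_couchdb_hash(sample, "notsosecurepassword"))
    print(verify_couchdb_hash(sample, "wrong-password"))
```

The derived key length is taken from the stored hash, so strings generated with a non-default --length verify as well.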

Additional notes

CouchDB Security

uuid — UUID objects according to RFC 4122

hashlib — Secure hashes and message digests