[rabbitmq-discuss] Password Hashing

Simon MacMullen simon at rabbitmq.com
Tue May 10 11:06:34 BST 2011

On 09/05/11 17:44, Denny, Peet (London)(c) wrote:
> Hi,
> The REST api documentation says that we can create users with a hashed
> password instead of one in clear text.
> An individual user. To PUT a user, you will need a body looking
> something like this:
> ... {"password_hash":"2lmoth8l4H0DViLaK9Fxi6l9ds8=", "administrator":true}
> This suggests that there is a hashing library somewhere for us to use to achieve this.
> Is that the case?

Hi Danny. My expectation in writing that documentation was that people 
would use a password hash from a user they'd already done a GET on, or 
set it to "" to lock the account. So there's no library apart from the 
server implementation, starting at 


However, the algorithm is quite simple if you want to implement it 
yourself. Here's a worked example:

Generate a random 32-bit salt:
CA D5 08 9B

Concatenate that with the UTF-8 representation of the password (in this 
case "simon"):
CA D5 08 9B 73 69 6D 6F 6E

Take the MD5 hash:
CB 37 02 72 AC 5D 08 E9 B6 99 4A 17 2B 5F 57 12

Concatenate the salt again:
CA D5 08 9B CB 37 02 72 AC 5D 08 E9 B6 99 4A 17 2B 5F 57 12

And convert to base64 encoding:

Cheers, Simon

Simon MacMullen
Staff Engineer, RabbitMQ
SpringSource, a division of VMware
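
The steps of the worked example above in Python, as an added example that is not part of the original message or of RabbitMQ's code. The function names are assumptions, and treating "" as a locked account in verify_password follows the message's remark about locking an account.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 4      # 32-bit salt, as in the worked example
DIGEST_LEN = 16   # MD5 output size in bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return base64(salt + MD5(salt + UTF-8 password))."""
    if salt is None:
        salt = os.urandom(SALT_LEN)          # random salt from the OS CSPRNG
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 4 bytes")
    digest = hashlib.md5(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def split_hash(password_hash: str) -> Tuple[bytes, bytes]:
    """Decode a password_hash value into (salt, md5_digest)."""
    raw = base64.b64decode(password_hash, validate=True)
    if len(raw) != SALT_LEN + DIGEST_LEN:
        raise ValueError("expected 20 bytes: 4-byte salt + 16-byte MD5")
    return raw[:SALT_LEN], raw[SALT_LEN:]


def verify_password(password: str, password_hash: str) -> bool:
    """Recompute the digest with the stored salt and compare."""
    if password_hash == "":
        return False                         # empty hash: account is locked
    salt, stored = split_hash(password_hash)
    candidate = hashlib.md5(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, stored)   # constant-time compare


if __name__ == "__main__":
    # Salt and password taken from the worked example in the message.
    example = hash_password("simon", bytes.fromhex("CAD5089B"))
    salt, digest = split_hash(example)
    print("password_hash:", example)
    print("salt:", salt.hex(" ").upper())
    print("md5: ", digest.hex(" ").upper())
    print("verify 'simon':", verify_password("simon", example))
    print("verify 'wrong':", verify_password("wrong", example))
```

A single round of MD5 with a 32-bit salt is cheap to brute-force offline, so a password_hash value retrieved with GET needs the same protection as the password itself.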
