==================================================================
:class:`passlib.hash.mssql2005` - MS SQL 2005 password hash
==================================================================

.. include:: ../_fragments/insecure_hash_warning.rst

.. versionadded:: 1.6

.. currentmodule:: passlib.hash

This class implements the hash algorithm used by Microsoft SQL Server 2005
to store its user account passwords, replacing the slightly less secure
:class:`~passlib.hash.mssql2000` variant [#]_.

This class can be used directly as follows::

    >>> from passlib.hash import mssql2005 as m25

    >>> # hash password
    >>> h = m25.hash("password")
    >>> h
    '0x01006ACDF9FF5D2E211B392EEF1175EFFE13B3A368CE2F94038B'

    >>> # verify password
    >>> m25.verify("password", h)
    True
    >>> m25.verify("letmein", h)
    False

.. seealso::

    * :ref:`password hash usage <password-hash-examples>` -- for more usage examples
    * :doc:`mssql2000 <passlib.hash.mssql2000>` -- the predecessor to this hash.

Interface
=========

.. autoclass:: mssql2005()

.. rst-class:: html-toggle

Format & Algorithm
==================

MSSQL 2005 hashes are usually presented as a series of 52 upper-case
hexadecimal characters, prefixed by ``0x``. An example MSSQL 2005 hash
(of ``"password"``)::

    0x01006ACDF9FF5D2E211B392EEF1175EFFE13B3A368CE2F94038B

This encodes 26 bytes of raw data, consisting of:

* a 2-byte constant ``0100``
* 4 bytes of salt (``6ACDF9FF`` in the example)
* a 20-byte digest (``5D2E211B392EEF1175EFFE13B3A368CE2F94038B``
  in the example).

The digest is generated by encoding the unicode password using
``UTF-16-LE`` and calculating ``SHA1(encoded_secret + salt)`` [#]_.
Note that the salt is appended after the encoded password, and that the
encoding preserves case, so ``"Password"`` and ``"password"`` yield
different digests under the same salt.

This format and algorithm are identical to :doc:`mssql2000 <passlib.hash.mssql2000>`,
except that this hash omits the second, case-insensitive digest
(computed over the upper-cased password) that MSSQL 2000 stores alongside it.

.. note::

    MSSQL 2005 hashes do not actually have a native textual format, as they
    are stored as raw bytes in an SQL table. However, when external programs
    deal with them, MSSQL generally encodes raw bytes as upper-case hexadecimal,
    prefixed with ``0x``. This is the representation Passlib uses.

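The following is an added, self-contained Python example (not Passlib's own code) that parses the ``0x``-prefixed representation described above, recomputes the digest with ``hashlib``, and checks a candidate password with a constant-time comparison. It also rebuilds the extra upper-cased digest that MSSQL 2000 stored, to make concrete what MSSQL 2005 dropped. The hash of ``"password"`` quoted above is reused as the test vector; the helper names (``parse_mssql2005``, ``verify_mssql2005``, ``mssql2000_digests``) are this example's own, not Passlib API.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The example hash quoted above (MSSQL 2005 hash of "password"), reused as a test vector.
EXAMPLE_HASH = "0x01006ACDF9FF5D2E211B392EEF1175EFFE13B3A368CE2F94038B"

HEADER = b"\x01\x00"  # the fixed 2-byte "0100" prefix
SALT_SIZE = 4
DIGEST_SIZE = hashlib.sha1().digest_size  # 20
RAW_SIZE = len(HEADER) + SALT_SIZE + DIGEST_SIZE  # 26


def raw_mssql_digest(secret: str, salt: bytes) -> bytes:
    """SHA1(UTF-16-LE(secret) + salt): the digest MSSQL 2005 stores.

    The password is encoded as UTF-16-LE (no BOM) and the salt is appended,
    not prepended. The encoding keeps case, so the digest is case-sensitive.
    """
    return hashlib.sha1(secret.encode("utf-16-le") + salt).digest()


def parse_mssql2005(hash_str: str) -> Tuple[bytes, bytes]:
    """Split a 0x-prefixed hex string into (salt, digest), rejecting malformed input."""
    if not hash_str.startswith(("0x", "0X")):
        raise ValueError("missing 0x prefix")
    try:
        raw = bytes.fromhex(hash_str[2:])
    except ValueError as exc:
        raise ValueError("not valid hexadecimal") from exc
    if len(raw) != RAW_SIZE:
        raise ValueError("expected %d raw bytes, got %d" % (RAW_SIZE, len(raw)))
    if raw[:len(HEADER)] != HEADER:
        raise ValueError("unexpected header %s" % raw[:len(HEADER)].hex())
    salt = raw[len(HEADER):len(HEADER) + SALT_SIZE]
    digest = raw[len(HEADER) + SALT_SIZE:]
    return salt, digest


def hash_mssql2005(secret: str, salt: Optional[bytes] = None) -> str:
    """Produce the 0x-prefixed upper-case hex form; draws a random 4-byte salt if none is given."""
    if salt is None:
        salt = os.urandom(SALT_SIZE)
    if len(salt) != SALT_SIZE:
        raise ValueError("salt must be exactly %d bytes" % SALT_SIZE)
    return "0x" + (HEADER + salt + raw_mssql_digest(secret, salt)).hex().upper()


def verify_mssql2005(secret: str, hash_str: str) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    salt, stored = parse_mssql2005(hash_str)
    return hmac.compare_digest(raw_mssql_digest(secret, salt), stored)


def mssql2000_digests(secret: str, salt: bytes) -> bytes:
    """The 40-byte checksum MSSQL 2000 stored: the 2005 digest followed by the
    same construction over the upper-cased password. That second half is what
    MSSQL 2005 dropped; it let an attacker crack the password case-insensitively
    against the second half and only then fix the case against the first."""
    return raw_mssql_digest(secret, salt) + raw_mssql_digest(secret.upper(), salt)


if __name__ == "__main__":
    salt, digest = parse_mssql2005(EXAMPLE_HASH)
    print("salt  :", salt.hex().upper())
    print("digest:", digest.hex().upper())
    print("password ok?", verify_mssql2005("password", EXAMPLE_HASH))
    print("letmein  ok?", verify_mssql2005("letmein", EXAMPLE_HASH))
    print("fresh hash  :", hash_mssql2005("password"))
```

``parse_mssql2005`` enforces the fixed 26-byte length and the ``0100`` header before slicing, so a truncated or differently versioned value is rejected rather than silently verified against the wrong bytes; ``hmac.compare_digest`` avoids leaking how many leading digest bytes matched.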
Security Issues
===============

This algorithm is quite weak, and shouldn't be used for any
purpose besides manipulating existing MSSQL 2005 hashes. This is mainly due to
its simplicity (a single SHA-1 invocation over the password and a 4-byte salt,
with no key stretching) and years of research on high-speed SHA-1
implementations, which together make efficient brute-force attacks feasible.
The per-account salt stops one precomputed table from covering every account,
but does nothing to slow guessing against any individual hash.

.. rubric:: Footnotes

.. [#] Overview of hash algorithms used by MSSQL -
       `<https://blogs.msdn.com/b/lcris/archive/2007/04/30/sql-server-2005-about-login-password-hashes.aspx?Redirected=true>`_.

.. [#] Description of MSSQL 2000/2005 algorithm -
       `<http://www.theregister.co.uk/2002/07/08/cracking_ms_sql_server_passwords/>`_.