File: passlib.hash.mysql323.rst

package info (click to toggle)
python-passlib 1.7.4-6
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 3,920 kB
  • sloc: python: 23,094; makefile: 3
file content (65 lines) | stat: -rw-r--r-- 2,267 bytes parent folder | download | duplicates (4) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
 
.. index:: MySQL; OLD_PASSWORD()

========================================================================
:class:`passlib.hash.mysql323` - MySQL 3.2.3 password hash
========================================================================

.. include:: ../_fragments/insecure_hash_warning.rst

.. currentmodule:: passlib.hash

This class implements the first of MySQL's password hash functions,
used to store its user account passwords. Introduced in MySQL 3.2.3
under the function ``PASSWORD()``, this function was renamed
to ``OLD_PASSWORD()`` under MySQL 4.1, when a newer password
hash algorithm was introduced (see :class:`~passlib.hash.mysql41`).
Users will most likely find the frontends provided by :mod:`passlib.apps`
to be more useful than accessing this class directly.
That aside, this class can be used as follows::

    >>> from passlib.hash import mysql323

    >>> # hash password
    >>> mysql323.hash("password")
    '5d2e19393cc5ef67'

    >>> # verify correct password
    >>> mysql323.verify("password", '5d2e19393cc5ef67')
    True
    >>> mysql323.verify("secret", '5d2e19393cc5ef67')
    False

.. seealso::

    * :ref:`password hash usage <password-hash-examples>` -- for more usage examples

    * :mod:`passlib.apps` -- for a list of predefined :ref:`mysql contexts <mysql-contexts>`.

Interface
=========
.. autoclass:: mysql323()

Format & Algorithm
==================
A mysql-323 password hash consists of 16 hexadecimal digits,
directly encoding the 64 bit checksum. MySQL always uses
lower-case letters, and so does Passlib
(though Passlib will recognize upper case letters as well).

The algorithm used is extremely simplistic, for details,
see the source implementation in the footnotes [#f1]_.

Security Issues
===============
Lacking any sort of salt, ignoring all whitespace,
and having a simplistic algorithm that amounts to little more than a checksum,
this is not secure, and should not be used for *any* purpose
but verifying existing MySQL 3.2.3 - 4.0 password hashes.

.. rubric:: Footnotes

.. [#f1] Source of implementation used by Passlib -
         `<http://djangosnippets.org/snippets/1508/>`_

.. [#f2] Mysql document describing transition -
         `<http://dev.mysql.com/doc/refman/4.1/en/password-hashing.html>`_