File: passlib.hash.nthash.rst

package info (click to toggle)
python-passlib 1.9.3-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 3,184 kB
  • sloc: python: 26,132; makefile: 7
file content (77 lines) | stat: -rw-r--r-- 2,609 bytes parent folder | download | duplicates (5) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
 
.. index:: Windows; NT hash

==================================================================
:class:`passlib.hash.nthash` - Windows' NT-HASH
==================================================================

.. include:: ../_fragments/trivial_hash_warning.rst

.. versionadded:: 1.6

.. currentmodule:: passlib.hash

This class implements the NT-HASH algorithm, used by Microsoft Windows NT
and successors to store user account passwords, supplanting
the much weaker :doc:`lmhash <passlib.hash.lmhash>` algorithm.
This class can be used directly as follows::

    >>> from passlib.hash import nthash

    >>> # hash password
    >>> h = nthash.hash("password")
    >>> h
    '8846f7eaee8fb117ad06bdd830b7586c'

    >>> # verify password
    >>> nthash.verify("password", h)
    True
    >>> nthash.verify("secret", h)
    False

.. seealso:: the generic :ref:`PasswordHash usage examples <password-hash-examples>`

Interface
=========
.. autoclass:: nthash()

Format & Algorithm
==================
A nthash consists of 32 hexadecimal digits, which encode the digest.
An example hash (of ``password``) is ``8846f7eaee8fb117ad06bdd830b7586c``.

The digest is calculated by encoding the secret using ``UTF-16-LE``,
taking the MD4 digest, and then encoding
that as hexadecimal.

FreeBSD Variant
===============
For cross-compatibility, FreeBSD's :func:`!crypt` supports storing
NTHASH digests in a manner compatible with the :ref:`modular-crypt-format`,
to enable administrators to store user passwords in a manner compatible with
the SMB/CIFS protocol. This is accomplished by assigning NTHASH digests the
identifier ``$3$``, and prepending the identifier to the normal (lowercase)
NTHASH digest. An example digest (of ``password``) is
``$3$$8846f7eaee8fb117ad06bdd830b7586c`` (note the doubled ``$$``).

.. data:: bsd_nthash

    This object supports FreeBSD's representation of NTHASH
    (which is compatible with the :ref:`modular-crypt-format`),
    and follows the :ref:`password-hash-api`.

    It has no salt and a single fixed round.

    The :meth:`~passlib.ifc.PasswordHash.hash` and :meth:`~passlib.ifc.PasswordHash.genconfig` methods accept no optional keywords.

    .. versionchanged:: 1.6
        This hash was named ``nthash`` under previous releases of Passlib.

Security Issues
===============
This algorithm should be considered *completely* broken:

* It has no salt.
* The MD4 message digest has been severely compromised by collision and
  preimage attacks.
* Brute-force and pre-computed attacks exist targeting MD4 hashes in general,
  and the encoding used by NTHASH in particular.