.. index:: mysql; OLD_PASSWORD()

========================================================================
:class:`passlib.hash.mysql323` - MySQL 3.2.3 password hash
========================================================================

.. currentmodule:: passlib.hash


This class implements the first of MySQL's password hash functions,
used to store its user account passwords. Introduced in MySQL 3.2.3
under the function ``PASSWORD()``, this function was renamed
to ``OLD_PASSWORD()`` under MySQL 4.1, when a newer password
hash algorithm was introduced (see :class:`~passlib.hash.mysql41`).

.. warning::

    This algorithm is extremely weak, and should not be used
    for any purposes besides manipulating existing MySQL 3.2.3-4.0
    password hashes.

.. seealso::

    :mod:`!passlib.apps` for a list of predefined :ref:`mysql contexts <mysql-contexts>`.

Usage
=====
Users will most likely find the frontends provided by :mod:`passlib.apps`
to be more useful than accessing this class directly.
That aside, this class can be used as follows::

    >>> from passlib.hash import mysql323 as mold

    >>> mold.encrypt("password") #encrypt password
    '5d2e19393cc5ef67'

    >>> mold.identify('5d2e19393cc5ef67') #check if hash is recognized
    True
    >>> mold.identify('$1$3azHgidD$SrJPt7B.9rekpmwJwtON31') #check if another type of hash is recognized
    False

    >>> mold.verify("password", '5d2e19393cc5ef67') #verify correct password
    True
    >>> mold.verify("secret", '5d2e19393cc5ef67') #verify incorrect password
    False

Interface
=========
.. autoclass:: mysql323()

Format & Algorithm
==================
A mysql-323 password hash consists of 16 hexadecimal digits,
directly encoding the 64-bit checksum. MySQL always uses
lower-case letters, and so does PassLib
(though PassLib will recognize upper-case letters as well).

The algorithm used is extremely simplistic. For details,
see the source implementation in the footnotes [#f1]_.

Security Issues
===============
Lacking any sort of salt, ignoring all whitespace,
and having a simplistic algorithm that amounts to little more than a checksum,
this hash is not secure, and should not be used for *any* purpose
but verifying existing MySQL 3.2.3 - 4.0 password hashes.
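
As an added illustration (not part of passlib's documentation or source), the following Python sketch reimplements the publicly documented ``OLD_PASSWORD()`` routine to make the properties above concrete, then flags which stored hashes in a set of account rows still use this format and need migrating. The names ``old_password``, ``classify`` and ``legacy_accounts`` and the sample rows are assumptions constructed for this example.

```python
import re

MASK_32, MASK_31 = 0xFFFFFFFF, 0x7FFFFFFF

def old_password(secret: str) -> str:
    """Compute the 16-hex-digit mysql323 digest (hypothetical helper)."""
    nr1, nr2, add = 0x50305735, 0x12345671, 7    # fixed constants: no salt
    for byte in secret.encode("utf-8"):
        if byte in b" \t":                       # spaces and tabs are skipped
            continue
        nr1 ^= (((nr1 & 63) + add) * byte + (nr1 << 8)) & MASK_32
        nr2 = (nr2 + ((nr2 << 8) ^ nr1)) & MASK_32
        add = (add + byte) & MASK_32
    # The top bit of each 32-bit half is cleared before encoding.
    return "%08x%08x" % (nr1 & MASK_31, nr2 & MASK_31)

MYSQL323_RE = re.compile(r"[0-9a-fA-F]{16}")     # 16 hex digits, either case
MYSQL41_RE = re.compile(r"\*[0-9a-fA-F]{40}")    # '*' followed by 40 hex digits

def classify(stored: str) -> str:
    """Label a stored hash by its format alone."""
    if MYSQL323_RE.fullmatch(stored):
        return "mysql323"
    if MYSQL41_RE.fullmatch(stored):
        return "mysql41"
    return "unknown"

def legacy_accounts(rows):
    """Return the users whose stored hash is still in mysql323 format."""
    return [user for user, stored in rows if classify(stored) == "mysql323"]

# Constructed sample rows (user, stored hash); not taken from a real server.
SAMPLE_ROWS = [
    ("app", "5d2e19393cc5ef67"),
    ("report", "*" + "0123456789ABCDEF0123" * 2),
    ("svc", "5D2E19393CC5EF67"),
    ("web", "$1$3azHgidD$SrJPt7B.9rekpmwJwtON31"),
]

if __name__ == "__main__":
    print(old_password("password"))                                 # same digest on every server
    print(old_password("pass word\t") == old_password("password"))  # whitespace is ignored
    print(legacy_accounts(SAMPLE_ROWS))                             # accounts to migrate
```
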

.. rubric:: Footnotes

.. [#f1] Source of implementation used by passlib -
         `<http://djangosnippets.org/snippets/1508/>`_

.. [#f2] MySQL document describing transition -
         `<http://dev.mysql.com/doc/refman/4.1/en/password-hashing.html>`_