passlib.hash.mysql323 - MySQL 3.2.3 password hash

Danger

This algorithm is not considered secure by modern standards. It should only be used when verifying existing hashes, or when interacting with applications that require this format. For new code, see the list of recommended hashes.

This class implements the first of MySQL’s password hash functions, used to store its user account passwords. Introduced in MySQL 3.2.3 under the function PASSWORD(), this function was renamed to OLD_PASSWORD() under MySQL 4.1, when a newer password hash algorithm was introduced (see mysql41). Users will most likely find the frontends provided by passlib.apps to be more useful than accessing this class directly. That aside, this class can be used as follows:

>>> from passlib.hash import mysql323

>>> # hash password
>>> mysql323.hash("password")
'5d2e19393cc5ef67'

>>> # verify correct password
>>> mysql323.verify("password", '5d2e19393cc5ef67')
True
>>> mysql323.verify("secret", '5d2e19393cc5ef67')
False

See also

Interface

class passlib.hash.mysql323

This class implements the MySQL 3.2.3 password hash, and follows the PasswordHash API.

It has no salt and a single fixed round.

The hash() and genconfig() methods accept no optional keywords.

Format & Algorithm

A mysql-323 password hash consists of 16 hexadecimal digits, directly encoding the 64 bit checksum. MySQL always uses lower-case letters, and so does Passlib (though Passlib will recognize upper case letters as well).

The algorithm used is extremely simplistic, for details, see the source implementation in the footnotes [1].

Security Issues

Lacking any sort of salt, ignoring all whitespace, and having a simplistic algorithm that amounts to little more than a checksum, this is not secure, and should not be used for any purpose but verifying existing MySQL 3.2.3 - 4.0 password hashes.

Footnotes

[1]Source of implementation used by Passlib - http://djangosnippets.org/snippets/1508/
[2]Mysql document describing transition - http://dev.mysql.com/doc/refman/4.1/en/password-hashing.html